Skip to content-main content

News

Techtip: 802.11w – Protected Management Frames

It just amazes me how smart people use their unique set of skills to find ways to exploit technology for the bad of mankind. Have you seen the advertisements for RF blocking wallets and purses? They claim that their product shields your credit cards from wireless hackers, as they attempt to extract your credit card information as they pass you on the street …for crying out loud do we need to wrap ourselves up in tin foil?

The 802.11i standard uses Advanced Encryption Standard (AES) to encrypt your private data so that the hackers cannot decrypt it and steal your private data. This leaves the hackers discouraged and their only course of action is to resort to a denial-of-service attack (DoS) to slow down your wireless network.

802.11 is a broadcast medium that allows wireless devices to listen in on and even participate as the real wireless device or it could be masquerading as a rogue device. For example, if an Access Point receives either an Association Request or Authentication Request Management frame from the spoofed MAC Address of an already associated client, the Access Point will disconnect the current connection with the real client and start a new connection with the masquerading client. This is a very effective denial-of-service attack that kicks the legitimate wireless client off of the Access Point. Once again, they figured out a way to take advantage of the 802.11 standard behavior to exploit a wireless network.

This tech tip is about the 802.11w standard called Protected Management Frames (PMF) that shields the client by using a security association teardown protection mechanism. PMF requires the Access Point to check with the legitimate client first by sending a Security Association Query Request frame to the legitimate client. The legitimate 802.11w client must respond with a Security Association Query Response frame within a pre-defined amount of time (milliseconds) called the Security Query timeout. If the legitimate client responds in time, the legitimate client maintains the connection and the Access Point sends the rouge client a status code 30 message that states “Association request rejected temporarily; try again latter”. This action will prevent the rouge client from connecting and prevent the legitimate client from being disconnected from the Access Point. However, if the legitimate client doesn’t reply in time (milliseconds) to the Security Association Query Request frame, then the client session is torn down by the Access Point by sending a disassociation message.

Dennis_Techtip_PMF_1

Cisco has been supporting PMF since version 7.3 code release. All you need to do on the wireless controller is configure the WLAN to use PMF. PMF only works with WPAv2 PSK (PMF PSK) or 802.1x WPAv2 (PMF 802.1X) security.

The bigger issue is, does your wireless client support 802.11w? If you have an 802.11ac wireless card in your mobile device there is a good chance that it does support 802.11w because the chipset has been updated. If you have an older 802.11n wireless card the odds are you are not 802.11w compliant. For this reason Cisco has the following WLAN options available:

Disabled — Disables 802.11w MFP protection on a WLAN.
Optional — To be used if the client supports 802.11w.
Required — Ensures that the clients that do not support 802.11w cannot associate with the WLAN.

Protecting the integrity of the network is extremely important to us, so it makes sense to be naturally drawn to the Required option at first glance. My advice to you would be to proceed with caution, because selecting this WLAN option, will prevent all non 802.11w clients from connecting to the WLAN. This mean you will need to start an 802.11w investigation by looking at the manufacture’s technical specification of each of your wireless devices. This is a time consuming process and the documentation can be difficult to find.

Microsoft can help make this task easier if you have a Windows7 or above Operating System. All you need to do is type the command netsh wlan show driver from the command prompt to verify if your client device supports 802.11w. The output you see from my Surface Pro shows “802.11 Management Frame Protection supported : Yes”.

Dennis_Techtip_PMF_2

After completing your investigation you might have discovered that all of your devices support 802.11w. In that case enable the Required option to protect all those devices. On the other hand if you discovered that only a few devices are complaint I would suggest the Optional setting. This option will protect the 802.11w clients from the denial-of-service attack but the non-compliant device it will not be protected.

The 802.11w protocol also protects a set of robust management frames. These include Disassociation, De-authentication and Robust Action frames.

Spectrum Management Fast BSS Transition Vendor-specific Protected
QoS Block Ack
DLS Protected Dual of Public Action
Radio Measurement SA Query


So did that advertisement convince me to run out to the store that day and buy a new RF blocking wallet? No. However, I might get suspicious the next time I am in a crowed elevator. It is a good thing I will have my tin foil hat on.

Resource: Cisco Enterprise Mobility 8.1 Design Guidehttp://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide.html