MFP is enabled globally on a WLAN with default settings on a single controller wireless network. Older client devices are disconnected from the network during a deauthentication attack. What is the cause of this issue?
A. The client devices do not support WPA.
B. The client devices do not support CCXv5.
C. The MFP on the WLAN is set to optional.
D. The NTP server is not configured on the controller.
Correct Answer: C
Explanation/Reference:
Explanation: Client MFP shields authenticated clients from spoofed frames, which prevents the effectiveness of many of the common attacks against wireless LANs. Most attacks, such as deauthentication attacks, revert to simply degraded performance when they contend with valid clients. Specifically, client MFP encrypts management frames sent between access points and CCXv5 clients so that both access points and clients can take preventive action and drop spoofed class 3 management frames (that is, management frames passed between an access point and a client that is authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect these types of class 3 unicast management frames: disassociation, deauthentication, and QoS (WMM) action. Client MFP can protect a client-access point session from the most common type of denial-of-service attack. It protects class 3 management frames with the same encryption method used for the data frames of the session. If a frame received by the access point or client fails decryption, it is dropped, and the event is reported to the controller.
In order to use client MFP, clients must support CCXv5 MFP and must negotiate WPA2 with either TKIP or AES-CCMP. EAP or PSK can be used to obtain the PMK. CCKM and controller mobility management are used to distribute session keys between access points or Layer 2 and Layer 3 fast roaming.
Reference: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82196-mfp.html
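The mechanism the explanation describes (protected class 3 frames are MIC-checked with the session key, failures are dropped and reported, legacy clients have no such check) modelled as an added example, not code from the page or from Cisco. The frame layout, the HMAC-SHA256 "MIC" standing in for CCMP protection, and all MAC addresses and keys are constructed assumptions; the three MFP modes follow the page's description.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed model only: frame and key layout are stand-ins, not the real 802.11i/CCMP encoding.
AP_MAC = "00:11:22:33:44:55"  # constructed AP address

@dataclass
class Client:
    mac: str
    ccxv5: bool            # supports client MFP
    ptk: bytes             # WPA2 session key (from EAP or PSK)
    associated: bool = True

def mfp_allows_association(mfp_mode: str, client: Client) -> bool:
    """'disabled'/'optional' admit any client; 'required' admits only CCXv5 clients."""
    return client.ccxv5 if mfp_mode == "required" else True

def mic(frame: dict, ptk: bytes) -> str:
    """MIC over a class 3 management frame keyed with the session key (stands in for CCMP)."""
    data = f"{frame['type']}|{frame['src']}|{frame['dst']}".encode()
    return hmac.new(ptk, data, hashlib.sha256).hexdigest()

def client_receive(client: Client, frame: dict, mfp_mode: str, reports: list) -> str:
    """Handle a deauth/disassoc frame: 'honored' (client drops off) or 'dropped' (and reported)."""
    protected = mfp_mode != "disabled" and client.ccxv5
    if protected and not hmac.compare_digest(frame.get("mic", ""), mic(frame, client.ptk)):
        # Fails validation: drop it and report the event to the controller.
        reports.append({"client": client.mac, "event": "mfp_validation_failure"})
        return "dropped"
    client.associated = False  # legacy client, or a genuinely protected frame from the AP
    return "honored"

def deauth_attack_scenario(mfp_mode: str = "optional") -> dict:
    """Forged deauth (no valid MIC) aimed at a CCXv5 client and a legacy client on one WLAN."""
    key = b"constructed-session-key"
    clients = [Client("aa:bb:cc:00:00:01", ccxv5=True, ptk=key),
               Client("aa:bb:cc:00:00:02", ccxv5=False, ptk=key)]
    reports, results = [], {}
    for c in clients:
        if not mfp_allows_association(mfp_mode, c):
            results[c.mac] = "not_associated"
            continue
        forged = {"type": "deauth", "src": AP_MAC, "dst": c.mac}  # no MIC: not from the AP
        client_receive(c, forged, mfp_mode, reports)
        results[c.mac] = "associated" if c.associated else "disconnected"
    return {"mode": mfp_mode, "results": results, "reports": len(reports)}
```

Running the scenario in "optional" mode shows the split the question describes: the CCXv5 client drops the frame and a report reaches the controller, while the legacy client is disconnected; in "required" mode the legacy client never associates at all.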
If anybody disagrees please say so, but these are my thoughts:
I think B
MFP options are:
Disabled – this means no MFP, so that is of no use
Optional – this is the default (all clients can associate) and this is the setting in this scenario
Required – this requires ALL clients to be CCXv5 and configured for WPA2, otherwise they cannot connect at all
So with this in mind:
B. The client devices do not support CCXv5. – yes, these old ones will be disconnected without the CCXv5 (MFP) support to protect them
C. The MFP on the WLAN is set to optional. – YES, MFP optional is the default when you enable MFP. But what other setting can prevent the old non CCXv5 clients being disconnected and still have MFP for the newer clients? NONE
I think the answer should be B. The main reason those older clients are disconnected is that they don’t support CCXv5!
If the MFP is set to OPTIONAL, the devices that SUPPORT and devices that DO NOT SUPPORT it can connect on the WLAN; however, in the event of a de-auth attack the devices that do not support CCXv5 will be disconnected. So the correct answer is C.
This is a horrible question.
B. The client devices do not support CCXv5. – Correct, older devices won't support CCXv5, and if the SSID was configured for MFP optional these devices would disconnect in the event of a de-auth attack.
C. The MFP on the WLAN is set to optional. – Oh look, another right answer, and it's a default! MFP has been set to optional because the older devices do not support MFP.
I would go with B purely because MFP optional is a default. Answers C and B are always going to conflict. If answer C was "Disabled" it would be clear cut.
Correct answer is B; MFP is optional by default. If it were required, older clients (non-CCXv5) could not authenticate to the WLAN in the first place.