SonicOS 7.0 Access Points

Protected Management Frames (PMF Option)

In the Wireless Security section, when Authentication Type is set to any WPA2 option, the PMF Option setting becomes available. The PMF Option setting is supported for SonicWave profiles. This feature supports the IEEE 802.11w-2009 amendment to the IEEE 802.11 standard for protection of wireless management frames. It is also known as the Protected Management Frames (PMF) standard.

You can select one of the following settings from the PMF Option drop-down menu under Wireless Security:

  • Disabled – The service is not enabled. Clients connect without PMF.
  • Enabled – The service is optional for wireless clients. Clients can connect with or without PMF, based on client settings.
  • Required – Clients must have PMF enabled to connect.

While the 802.11i amendment protects data frames, management frames such as authentication, de-authentication, association, dissociation, beacons, and probes are used by wireless clients to initiate and tear down sessions for network services. Unlike data traffic, which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore must be transmitted as open or unencrypted. While these frames cannot be encrypted, they must be protected from forgery to protect the wireless medium from attacks. For example, if an attacker obtains the MAC address of a client, it can send a disassociation request to the client in the name of an AP, or send a re-association request to an AP in the name of the client. The client is logged off in either situation.

The 802.11w amendment applies to a set of robust management frames that are protected by the Protected Management Frames (PMF) service. These include Disassociation, De-authentication, and Robust Action frames. 802.11w protects only specific management frames and does not affect the communication between access points and clients. 802.11w can only take effect when both access points and clients have 802.11w enabled.

802.11w provides the following benefits:

Confidentiality Encrypts Unicast management frames:
Uses same PTK as for data frames
Protects the previously unencrypted frame header through additional authentication data (AAD)
Extended AES-CCM to handle Unicast management frames
Separate Receive Sequence Counter (RSC) for replay protection
Group addressed frame protection Broadcast/Multicast Integrity Protocol (BIP) protects the integrity of broadcasts and multi casts, prevents replay attacks, and protects clients from spoofing broadcast/multicast attacks. For Broad-/Multi casts Management Frames:
Uses new Integrity Group Temporal Key (IGTK) received during WPA key handshake
New Algorithm: Broadcast Integrity Protocol (BIP)
New Information Element: Management MIC IE with Sequence Number + Cryptographic Hash (AES128-CMAC-based)
Connection protection<![CDATA[ ]]> Security Association (SA) Query can prevent clients from going offline caused by spoofing re-association requests.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

  • Hidden
  • Hidden

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.
  • Hidden
  • Hidden