SonicOS 7.0 Access Points
- SonicOS7.0
- About Access Points
- Settings
- Synchronize Access Points
- Provisioning Overview
- Creating/Modifying Provisioning Profiles
- Adding/Editing a Provisioning Profile - Getting Started
- General Settings for Provisioning Profiles
- 5GHz/2.4GHz Radio Basic Settings for Provisioning Profiles
- 5GHz/2.4GHz Radio Advanced Settings for Provisioning Profiles
- Sensor Settings for WIDP in Provisioning Profiles
- Mesh Network Settings for Provisioning Profiles
- 3G/4G/LTE WWAN Settings for Provisioning Profiles
- Bluetooth LE Settings for Provisioning Profiles
- Deleting Access Point Profiles
- Product Specific Configuration Notes
- Managing Access Point Objects
- Firmware Management
- Floor Plan View
- Station Status
- Intrusion Detection Services
- Advanced IDP
- Packet Capture
- Virtual Access Points
- RF Monitoring
- RF Analysis
- RF Spectrum
- FairNet
- Wi-Fi Multimedia
- 3G/4G/LTE WWAN
- Bluetooth LE Devices
- Radio Management
- SonicWall Support
Protected Management Frames (PMF Option)
In the Wireless Security section, when Authentication Type is set to any WPA2 option, the PMF Option setting becomes available. The PMF Option setting is supported for SonicWave profiles. This feature supports the IEEE 802.11w-2009 amendment to the IEEE 802.11 standard for protection of wireless management frames. It is also known as the Protected Management Frames (PMF) standard.
You can select one of the following settings from the PMF Option drop-down menu under Wireless Security:
- Disabled – The service is not enabled. Clients connect without PMF.
- Enabled – The service is optional for wireless clients. Clients can connect with or without PMF, based on client settings.
- Required – Clients must have PMF enabled to connect.
While the 802.11i amendment protects data frames, management frames such as authentication, de-authentication, association, dissociation, beacons, and probes are used by wireless clients to initiate and tear down sessions for network services. Unlike data traffic, which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore must be transmitted as open or unencrypted. While these frames cannot be encrypted, they must be protected from forgery to protect the wireless medium from attacks. For example, if an attacker obtains the MAC address of a client, it can send a disassociation request to the client in the name of an AP, or send a re-association request to an AP in the name of the client. The client is logged off in either situation.
The 802.11w amendment applies to a set of robust management frames that are protected by the Protected Management Frames (PMF) service. These include Disassociation, De-authentication, and Robust Action frames. 802.11w protects only specific management frames and does not affect the communication between access points and clients. 802.11w can only take effect when both access points and clients have 802.11w enabled.
802.11w provides the following benefits:
Confidentiality | Encrypts Unicast management frames: |
Uses same PTK as for data frames | |
Protects the previously unencrypted frame header through additional authentication data (AAD) | |
Extended AES-CCM to handle Unicast management frames | |
Separate Receive Sequence Counter (RSC) for replay protection | |
Group addressed frame protection | Broadcast/Multicast Integrity Protocol (BIP) protects the integrity of broadcasts and multi casts, prevents replay attacks, and protects clients from spoofing broadcast/multicast attacks. For Broad-/Multi casts Management Frames: |
Uses new Integrity Group Temporal Key (IGTK) received during WPA key handshake | |
New Algorithm: Broadcast Integrity Protocol (BIP) | |
New Information Element: Management MIC IE with Sequence Number + Cryptographic Hash (AES128-CMAC-based) | |
Connection protection<![CDATA[ ]]> | Security Association (SA) Query can prevent clients from going offline caused by spoofing re-association requests. |
Was This Article Helpful?
Help us to improve our support portal