CCIE Wireless Written Exam: Client MFP | Cisco Exam 400-351

Client MFP Statements

Question

Which two statements are not correct about client MFP? (Choose two.)

Answers

AD.

Explanations

Client MFP (Management Frame Protection) is a security feature that provides integrity and confidentiality protection for wireless management frames between an 802.11 client and an access point. Here are the explanations for the two incorrect statements about client MFP:

A. Client MFP can replace infrastructure MFP if only CCXv5 clients are used. This statement is not correct. Client MFP is a complementary feature to infrastructure MFP. Infrastructure MFP protects management frames between access points and infrastructure devices such as wireless LAN controllers. Client MFP, on the other hand, protects management frames between a client device and the access point. Both infrastructure MFP and client MFP are required for end-to-end management frame protection. Therefore, client MFP cannot replace infrastructure MFP, even if only CCXv5 clients are used.

D. The only supported method to obtain the pre-user MFP encryption keys is EAP authentication. This statement is also not correct. Pre-user MFP encryption keys are generated by the access point and distributed to the client device during the 4-way handshake of the WPA2-PSK or WPA2-EAP authentication process. The pre-user keys are used to protect unicast management frames. In addition to EAP authentication, pre-user keys can also be obtained through PSK authentication. Therefore, EAP authentication is not the only supported method to obtain the pre-user MFP encryption keys.

The other three statements are correct:

B. Client MFP encrypts class 3 unicast management frames using the security mechanisms defined by 802.11i. This statement is correct. Class 3 management frames are used for important WLAN management functions such as association, authentication, and deauthentication. Client MFP encrypts these frames using the same security mechanisms defined by 802.11i for data frames, such as AES-CCMP or TKIP.

C. In order to use client MFP, the client must support CCXv5 and negotiate WPA2 with AES-CCMP or TKIP. This statement is correct. Client MFP is a Cisco proprietary feature that requires both the access point and the client device to support CCXv5. In addition, the access point and the client device must negotiate WPA2 with AES-CCMP or TKIP encryption for management frames.

E. The CCXv5 client and access points must discard broadcast class 3 management frames. This statement is also correct. Client MFP only provides protection for unicast management frames, not broadcast frames. Therefore, CCXv5 clients and access points must discard broadcast class 3 management frames to prevent unauthorized access to WLAN management functions.