MFP is enabled globally on a WLAN with default settings on a single controller wireless network. Older client devices are disconnected from the network during a deauthentication attack. What is the cause of this issue?
A. The client devices do not support WPA.
B. The client devices do not support CCXv5.
C. The MFP on the WLAN is set to optional.
D. The NTP server is not configured on the controller.
Explanation:
Client MFP shields authenticated clients from spoofed frames, which blunts many of the common attacks against wireless LANs. Most attacks, such as deauthentication attacks, are reduced to simply degrading performance by contending with valid clients.
Specifically, client MFP encrypts management frames sent between access points and CCXv5 clients so that both access points and clients can take preventive action and drop spoofed class 3 management frames (that is, management frames passed between an access point and a client that is authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect these types of class 3 unicast management frames: disassociation, deauthentication, and QoS (WMM) action. Client MFP can protect a client-access point session from the most common type of denial-of-service attack. It protects class 3 management frames with the same encryption method used for the data frames of the session. If a frame received by the access point or client fails decryption, it is dropped, and the event is reported to the controller.
In order to use client MFP, clients must support CCXv5 MFP and must negotiate WPA2 with either TKIP or AES-CCMP. EAP or PSK can be used to obtain the PMK. CCKM and controller mobility management are used to distribute session keys between access points for Layer 2 and Layer 3 fast roaming.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82196-mfp.html
C is the cause
D is how to fix it