Which of the following statements are not correct about Client Management Frame Protection (MFP)?

Which of the following statements are not correct about Client Management Frame Protection
(MFP)? (Choose 2.)

A. Client MFP can replace Infrastructure MFP in case only CCXv5 clients are used.

B. Client MFP encrypts class 3 Unicast management frames using the security mechanisms defined by 802.11i.

C. In order to use Client MFP the client must support CCXv5 and negotiate WPA2 with AES CCMP or TKIP.

D. The only supported method to obtain the pre-user MFP encryption keys is EAP authentication.

E. CCXv5 client and access points must discard broadcast class 3 management frames.



John

Management Frame Protection (MFP) is a method used to increase the security of the 802.11 management frames that are otherwise unencrypted.

The WLC supports two different kinds of MFP:
■ Infrastructure MFP: This MFP protects the Class 1 and 2 management frames originated by the access points. It adds Message Integrity Check Information Elements (MIC-IE) to the management frames that are then validated by other APs in the network.

■ Client MFP: This MFP reduces the impact of the Class 1, 2, and 3 802.11 management-driven attacks, such as deauthentication floods, by means of encrypting the management frames exchanged between the APs and Cisco Compatible Extensions version 5 (CCXv5)-compliant clients.

The two MFP implementations are not redundant, and you can in fact use them together because although Client MFP provides enhanced security for the compatible clients after they are already associated and authenticated, Infrastructure MFP will still report invalid management traffic sent to clients that are not Client MFP compliant, as well as the Class 1 and 2 management traffic.