Cisco Client Management Frame Protection is running on a mobility group with two controllers.
Which two MFP requirements protect the network? (Choose two.)
A. forces clients to authenticate, using a secure EAP method only
B. implements the validation of wireless management frames
C. requires Cisco Compatible Extensions v5
D. requires the use of a nonbroadcast SSID
E. requires Cisco Compatible Extensions v4
Client MFP encrypts class 3 management frames sent between APs and Cisco Compatible Extension version 5 (CCXv5)-capable client stations, so that both the AP and the client can take preventive action by dropping spoofed class 3 management frames (that is, management frames passed between an AP and a client station that is authenticated and associated).
Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect class 3 unicast management frames.
In 802.11, management frames such as (de)authentication, (dis)association, beacons, and probes are always unauthenticated and unencrypted. In other words, 802.11 management frames are always sent in an unsecured manner, unlike the data traffic, which is encrypted with protocols such as WPA, WPA2, or, at least, WEP.
This allows an attacker to spoof a management frame from the AP to attack a client that is associated to an AP. With the spoofed management frames, an attacker can perform these actions:
Run a Denial of Service (DoS) on the WLAN
Attempt a Man in the Middle attack on the client when it reconnects
Run an offline dictionary attack
MFP overcomes these pitfalls by authenticating the 802.11 management frames exchanged in the wireless network infrastructure.
These are the components of Infrastructure MFP:
Management frame protection—When management frame protection is enabled, the AP adds a message integrity check information element (MIC IE) to each management frame it transmits. Any attempt to copy, alter, or replay the frame invalidates the MIC. When an AP that is configured to validate MFP frames receives a frame with an invalid MIC, it reports the frame to the WLC.
Management frame validation—When management frame validation is enabled, the AP validates every management frame that it receives from other APs in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives a frame that does not contain a valid MIC IE from a BSSID that belongs to an AP configured to transmit MFP frames, it reports the discrepancy to the network management system.
Note: In order for the timestamps to operate properly, all WLCs must be Network Time Protocol (NTP) synchronized.
Event reporting—The access point notifies the WLC when it detects an anomaly. The WLC aggregates the anomalous events and reports them through SNMP traps to the network manager.
Infrastructure MFP Functionality
With MFP, all management frames are cryptographically hashed to create a Message Integrity Check (MIC). The MIC is added to the end of the frame (before the Frame Check Sequence (FCS)).
In a centralized wireless architecture, infrastructure MFP is enabled/disabled on the WLC (global config). Protection can be selectively disabled per WLAN, and validation can be selectively disabled per AP.
Protection can be disabled on the WLANs that are used by devices that cannot cope with extra IEs.
With MFP globally enabled, the WLC generates a unique key for every AP/WLAN that is configured for MFP. WLCs communicate among themselves so that every WLC knows the keys for all the APs/BSSs in a mobility domain.
When an AP receives an MFP-protected frame for a BSS that it does not know about, it buffers a copy of the frame and queries the WLC to get the key.
If the BSSID is not known on the WLC, it returns the message “Unknown BSSID” to the AP, and the AP drops the management frames received from that BSSID.
If the BSSID is known on the WLC, but MFP is disabled on that BSSID, the WLC returns a “Disabled BSSID.” The AP then assumes that all management frames received from that BSSID do not have an MFP MIC.
If the BSSID is known and has MFP enabled, the WLC returns the MFP Key to the requesting AP (over the AES encrypted LWAPP management tunnel).
The AP caches keys received in this way and uses them to validate the MIC IE on received frames or to add the MIC IE to frames it transmits.
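The key-lookup and validation procedure described above, modelled as an added example (not Cisco's code; the HMAC-SHA256 MIC, the BSSID table, and the key values are constructed stand-ins, since the page does not specify the real MIC algorithm):

```python
import hashlib
import hmac

# Constructed WLC state: which BSSIDs are known and whether MFP is enabled.
# Keys are placeholders, not real MFP keys.
WLC_MFP_TABLE = {
    "00:11:22:33:44:01": {"mfp": True, "key": b"placeholder-key-ap1"},
    "00:11:22:33:44:02": {"mfp": False, "key": None},
}

def wlc_lookup(bssid):
    """Model the WLC's three possible answers to an AP key query."""
    entry = WLC_MFP_TABLE.get(bssid)
    if entry is None:
        return ("unknown", None)      # "Unknown BSSID": AP must drop frames
    if not entry["mfp"]:
        return ("disabled", None)     # "Disabled BSSID": no MIC expected
    return ("key", entry["key"])      # key delivered over the management tunnel

def compute_mic(key, frame_body):
    """Stand-in MIC: keyed hash over the frame body (assumption, not Cisco's)."""
    return hmac.new(key, frame_body, hashlib.sha256).digest()[:8]

class ValidatingAP:
    """An AP configured to validate MFP frames from other APs."""
    def __init__(self):
        self.key_cache = {}          # BSSID -> key learned from the WLC
        self.disabled_bssids = set() # BSSIDs the WLC said have MFP disabled
        self.reports = []            # anomalies to report to the WLC

    def validate(self, bssid, frame_body, mic_ie):
        if bssid in self.disabled_bssids:
            return "accept"          # no MIC IE expected from this BSSID
        key = self.key_cache.get(bssid)
        if key is None:              # unknown BSS: buffer and ask the WLC
            status, key = wlc_lookup(bssid)
            if status == "unknown":
                self.reports.append(("unknown-bssid", bssid))
                return "drop"
            if status == "disabled":
                self.disabled_bssids.add(bssid)
                return "accept"
            self.key_cache[bssid] = key
        # Missing, altered or replayed-with-edits frames fail the MIC check.
        if mic_ie is None or not hmac.compare_digest(mic_ie, compute_mic(key, frame_body)):
            self.reports.append(("invalid-mic", bssid))
            return "drop"
        return "accept"
```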