Microsoft will launch Windows 8 in late October. Along with a slew of other features, it will be among the first to support the 802.11w standard to protect Management Frames for client devices on Wi-Fi networks.
Customers running old Cisco unified releases (between 4.2 to 7.2) in local, Flex or mesh mode will run into an interoperability bug (CSCua29504, to be exact) that prevents 802.11w enabled clients from connecting to a Cisco WLAN with Management Frame Protection (MFP) enabled. This bug does not affect customers running autonomous access point deployments or customers running Cisco unified releases older than 4.2.
What are the possible solutions for you?
1. Please upgrade your production environment to one of the following releases, which will interoperate with Windows 8.
2. Roll back to pre-windows 8 drivers as identified in the Microsoft Knowledge Base article.
3. Fall back to TKIP
4. Sign up for a beta release for Cisco’s upcoming feature release 7.4 (beta available now!) that supports the 802.11w feature in local mode.
What is 802.11w ?
802.11w is an IEEE standard based on Cisco’s Management Frame Protection(MFP), a feature that was first supported on autonomous access points in release 12.3(8)JA in 2006 and in the unified release 18.104.22.168 in 2008. 802.11w isn’t a new standard. IEEE ratified the 802.11w standard in 2009, however the adoption has been slow to date, but that is expected to change with Windows 8.
The WFA has announced that it will position the Protected Management Frame interoperability certification program as a feature update to its Wi-Fi Protected Access(WPA2) program.
Why do I care about 802.11w ?
I joined Cisco Wireless Networking Business Unit (WNBU) early 2006 as a Product Manager for Autonomous Access Points and the first software release that I managed was the 12.3(8)JA. One of the coolest features in that release was a Cisco innovation around protecting management frames. As many of you may know, 802.11 frames such as Authenticate, De-authenticate, Associate, Dis-associate are sent in the clear (a.k.a. in an unsecured manner). This could allow a potential attacker to spoof management frames from a valid device and run Denial of Service (DOS) attack by sending de-authenticate/disassociate frames.
When MFP is enabled, the sending device adds a cryptographic hash to create a message integrity check (MIC) and embeds that within the Information Element (IE) of every management frame. Thus when another device in the network receives the frame, it is able to verify that the authenticity of the source. In case a single invalid frame is received on the network, it will be dropped, as well as, an Intrusion Detection System alert will be received - this means zero day protection!
What about clients that don’t support 802.11w ?
There are two components to Management Frame Protection:
- Infrastructure MFP: When the wireless Controller and Access point infrastructure support the 802.11w capability, any frames from a hacker masquerading as an infrastructure AP and attempting to communicate with other APs will be dropped.
- Client MFP: When a client ALSO supports this feature; it is able to secure communications with the infrastructure. This means any frames from a hacker masquerading as an infrastructure AP and sending disconnect messages to the clients will be dropped.
So what’s the bottom-line?
To enable that your network is ready for 802.11w and Windows 8 ensure that you are running the latest Cisco Unified releases in your wireless controller network.
For more information, visit https://supportforums.cisco.com/docs/DOC-27213