How to configure PMF on Omada Controller

Omada Software Controller, Omada Cloud-Based Controller
This article applies to Omada EAPs except EAP110-Outdoor V3/V4, EAP115-Bridge V1, EAP110 V4, EAP115 V5, EAP690E HD V1, EAP225-Wall V2.
PMF (Protected Management Frames), a standard in the IEEE 802.11w protocol developed by the Wi-Fi Alliance, aims to enhance the security of Wi-Fi connections. It covers unicast and multicast management frames and improves security by protecting wireless network management frames, thus addressing malicious attacks that use disassociation and deauthentication frames.
Follow the steps below to configure PMF on Omada Controller. (PMF configuration is supported only on the Omada Controller; it is not currently supported in Standalone mode or on the App.)
1. Create a new SSID on the Wireless Networks > WLAN page, as shown in the figure below. The default encryption method is WPA2, and the status of PMF is Disable, indicating that PMF is disabled.
2. To enable the PMF function, choose Mandatory or Capable according to the network security needs. Mandatory requires PMF encryption on the clients; otherwise, the device will not be associated. Capable supports associations with clients that do not support PMF.
Please note that when Mandatory is selected, non-PMF-capable clients may fail to connect to the network.
3. When you select 6GHz or WPA3 encryption, the Disable option for PMF status is not selectable. The default status will be Capable, to remain compatible with clients that do not support PMF.
Notes:
1. The management frames protected by PMF encryption include disassociation frames, deauthentication frames and Robust Action frames (Spectrum Management, QoS, DLS, Block Ack, Radio Measurement, Fast BSS Transition, SA Query, Protected Dual of Public Action, Vendor-specific Protected). You can check the effect by capturing packets: the above management frames will be in an encrypted state, and the MFPR (Management Frame Protection Required) and MFPC (Management Frame Protection Capable) bits will be added to the RSN capabilities of the RSN (Robust Security Network) information element to negotiate the ability to protect management frames. The frame format of RSN capabilities is as shown in the figure. When MFPR is set to 1, management frame protection is mandatory; 0 indicates that it is not mandatory. When MFPC is set to 1, management frame protection is supported; 0 indicates that it is unsupported. When this function is enabled, attackers will not be able to break the connection by sending disassociation and deauthentication frames; protected management frames effectively resist attacks based on deauthentication/disassociation frames, providing reliable technical support for secure wireless LAN access and strong identity authentication.
2. If the client does not support the PMF function, it cannot associate with an SSID configured with the PMF function. When the client cannot associate with the SSID, first change the encryption method to WPA2 and set PMF to Disable, then try the client connection again.
3. PMF is supported by Omada EAPs except EAP110-Outdoor V3/V4, EAP115-Bridge V1, EAP110 V4, EAP115 V5, EAP690E HD V1, EAP225-Wall V2.
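The MFPR/MFPC check described in note 1, as an added example (not TP-Link code): it parses a raw RSN information element taken from a beacon or probe response in a packet capture and reports which PMF setting the SSID advertises. The sample byte strings are constructed, and the mapping of the two bits to the controller's Disable/Capable/Mandatory labels is an assumption drawn from the descriptions above.

```python
import struct

MFPR = 0x0040  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 0x0080  # RSN Capabilities bit 7: Management Frame Protection Capable

def rsn_capabilities(ie: bytes) -> int:
    """Return the 16-bit RSN Capabilities field of a raw RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN element")
    off = 2 + 4  # skip version (2 bytes) and group cipher suite (4 bytes)
    for _ in range(2):  # pairwise cipher suite list, then AKM suite list
        if off + 2 > len(body):
            raise ValueError("RSN element ends before RSN Capabilities")
        (count,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * count
    if off + 2 > len(body):
        raise ValueError("RSN element ends before RSN Capabilities")
    return struct.unpack_from("<H", body, off)[0]

def pmf_mode(ie: bytes) -> str:
    """Map the MFPR/MFPC bits to the controller's Disable/Capable/Mandatory."""
    caps = rsn_capabilities(ie)
    required, capable = bool(caps & MFPR), bool(caps & MFPC)
    if required and not capable:
        return "Invalid"  # MFPR=1 with MFPC=0 is not a valid advertisement
    if required:
        return "Mandatory"
    return "Capable" if capable else "Disable"

# Constructed sample elements (not captured from a real AP): CCMP group and
# pairwise ciphers, then the AKM list and the RSN Capabilities value.
_HEAD = "0100" "000fac04" "0100" "000fac04"
SAMPLES = {
    "wpa2_pmf_disable": bytes.fromhex("3014" + _HEAD + "0100" "000fac02" "0000"),
    "wpa2_pmf_capable": bytes.fromhex("3014" + _HEAD + "0100" "000fac02" "8000"),
    "wpa2_pmf_mandatory": bytes.fromhex("3014" + _HEAD + "0100" "000fac02" "c000"),
    "wpa2_wpa3_mixed": bytes.fromhex("3018" + _HEAD + "0200" "000fac02" "000fac08" "8000"),
}

if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        print(f"{name}: caps=0x{rsn_capabilities(ie):04x} -> {pmf_mode(ie)}")
```

An SSID set to Mandatory should advertise both bits, and one set to Capable only MFPC; a mismatch between the capture and the controller setting means the configuration has not reached the EAP.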
To get to know more details of each function and configuration, please go to Download Center to download the manual of your product.