How to configure PMF (Protected Management Frames) on Omada Controller

Updated 06-17-2024 20:22:10 PM

This article applies to Omada EAPs except EAP110-OutdoorV3/V4, EAP115-Bridge V1, EAP110V4, EAP115V5, EAP690E HD V1, EAP225-Wall V2.

PMF (Protected Management Frames), a standard in the IEEE 802.11w protocol developed by the Wi-Fi Alliance, aims to enhance the security of Wi-Fi connections. It protects unicast and multicast management frames, which addresses malicious attacks carried out with disassociation and de-authentication frames.

Follow the steps below to configure PMF for the Omada Controller. (PMF configuration is supported only on the Omada Controller and is not currently supported in Standalone mode or on the App.)

1. Create a new SSID on the Wireless Networks > WLAN page, as shown in the figure below. The default encryption method is WPA2, and the status of PMF is Disable, indicating that PMF is disabled.

2. To enable the PMF function, choose Mandatory or Capable according to the network security needs. Mandatory requires PMF encryption on the clients; otherwise, the device will not be associated. Capable supports associations with clients that do not support PMF.

Please note that when Mandatory is selected, non-PMF-capable clients may fail to connect to the network.

3. When you select 6GHz or select WPA3 encryption, Disable is not selectable for the PMF status. The default status will be Capable in order to be compatible with clients that do not support PMF.

Notes:

1. The management frames protected by PMF encryption include disassociation frames, de-authentication frames, and Robust Action frames (Spectrum Management, QoS, DLS, Block Ack, Radio Measurement, Fast BSS Transition, SA Query, Protected Dual of Public Action, Vendor-specific Protected). You can check the effect by capturing packets. The above management frames will be in an encrypted state, and MFPR (Management Frame Protection Required) and MFPC (Management Frame Protection Capable) will be added to the RSN capabilities of the RSN (Robust Security Network) information element to negotiate the ability to protect management frames.

2. The frame format of RSN capabilities is as shown in the figure. When MFPR is set to 1, management frame protection is mandatory; 0 indicates that it is not mandatory. When MFPC is set to 1, management frame protection is supported; 0 indicates that it is unsupported. When this function is enabled, attackers cannot break the connection by sending disassociation and de-authentication frames, which provides reliable technical support for secure wireless LAN access and strong identity authentication.

3. If the client does not support the PMF function, it cannot associate with the SSID on which PMF is configured. When the client cannot associate with the SSID, you can first change the encryption method to WPA2, configure PMF to Disable, and try the client connection again.

4. PMF is supported by Omada EAPs except EAP110-OutdoorV3/V4, EAP115-Bridge V1, EAP110V4, EAP115V5, EAP690E HD V1, EAP225-Wall V2.
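To check the MFPR and MFPC bits described in the notes above in a packet capture, the following added example (not TP-Link code) parses a raw RSN information element and reports the PMF status it advertises. The function names and the sample elements are constructed for illustration, and matching the two bits to the Disable/Capable/Mandatory labels is an interpretation of the notes above.

```python
import struct

MFPR = 0x0040  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 0x0080  # RSN Capabilities bit 7: Management Frame Protection Capable

def rsn_capabilities(ie: bytes) -> int:
    """Return the RSN Capabilities field of a raw RSN element (ID 48).
    Fields after the version are optional; 0 is returned if it is absent."""
    if len(ie) < 4 or ie[0] != 48 or len(ie) - 2 != ie[1]:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    off = 2 + 4  # skip version (2 bytes) and group cipher suite (4 bytes)
    for _ in range(2):  # pairwise cipher list, then AKM list
        if off + 2 > len(body):
            return 0
        (count,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * count
        if off > len(body):
            raise ValueError("suite list overruns element")
    if off + 2 > len(body):
        return 0
    return struct.unpack_from("<H", body, off)[0]

def pmf_mode(ie: bytes) -> str:
    """Map MFPC/MFPR to the PMF status names used on the WLAN page."""
    caps = rsn_capabilities(ie)
    required, capable = bool(caps & MFPR), bool(caps & MFPC)
    if required and not capable:
        return "Invalid"  # MFPR without MFPC is not a valid advertisement
    if required:
        return "Mandatory"
    return "Capable" if capable else "Disable"

def sample_rsn(caps: int) -> bytes:
    """Constructed WPA2-PSK/CCMP RSN element with the given capabilities."""
    ccmp, psk = b"\x00\x0f\xac\x04", b"\x00\x0f\xac\x02"
    body = (b"\x01\x00" + ccmp + b"\x01\x00" + ccmp
            + b"\x01\x00" + psk + struct.pack("<H", caps))
    return bytes([48, len(body)]) + body

if __name__ == "__main__":
    for caps in (0x0000, 0x0080, 0x00C0):
        print(f"caps=0x{caps:04x} -> {pmf_mode(sample_rsn(caps))}")
```

Feed `pmf_mode` the RSN element bytes copied from a beacon or probe response of the SSID, starting at the element ID byte.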

To learn more about each function and configuration, please go to the Download Center to download the manual of your product.
