Protected Management Frames

Learn about the significance of IEEE 802.11w Protected Management Frames in Wi-Fi networks, which enhance security by providing data integrity for a subset of management frame exchanges and protecting them from potential attacks.

The IEEE 802.11w-2009 amendment (now part of IEEE 802.11-2020) introduced Protected Management Frames (PMF), which addresses the protection of robust management frames. Prior to WPA3 and Enhanced Open, most management frames were not encrypted. Since Wi-Fi is a broadcast medium, any device can eavesdrop or participate as a legitimate or rogue client. Securing management frames is as important as securing data frames. Without PMF, all management frames are sent unprotected in the open. PMF protects a set of robust management frames and augments privacy protections already in place for data frames (802.11i). WPA3 and Enhanced Open require use of PMF.

PMF is also referred to as Management Frame Protection (MFP). When discussing whether Protected Management Frames are optional or required, the terms MFPR (required) and MFPC (capable) will be used. Their configuration options are discussed below. Throughout the security mode sections the terms PMF and MFP may be used interchangeably. In the context of HPE Aruba Networking, these terms mean the same thing.

Three possible configurations exist for Protected Management Frames:

| Configuration | Parameters | PMF Capable Client | Non-PMF Client |
|---|---|---|---|
| Disabled | MFPR=0/MFPC=0 | No benefit | No benefit |
| Capable (Optional) | MFPR=0/MFPC=1 | Protection benefit | No benefit |
| Mandatory (Required) | MFPR=1/MFPC=1 | Protection benefit | Cannot connect |

Protected Management Frames help secure robust management frames against various attacks. The key security objective is to protect against passive eavesdropping, prevent forgery of unicast and multicast action frames, allow replay detection, and prevent stations from masquerading as another station.

PMF protects against forged disassociation and deauthentication frames after association.

Example of a client dropping an unprotected deauthentication frame.

Examples of protected robust action frames include:

  • Channel Switch Announcements
  • QoS
  • ADDBA Negotiation
  • Block ACK
  • Radio Measurement
  • Security Association (SA) Query
  • Wireless Network Management

Support for Protected Management Frames is advertised in the RSN Capabilities of the RSNE which can be found in beacons, probe responses, and association responses.

RSN Capabilities example showing Management Frame Protection Required and Capable parameters set to enabled (MFPR=1 and MFPC=1).
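The following is an added example, not HPE Aruba Networking code, that reads the MFPR and MFPC bits from a frame's tagged elements and maps them onto the three configurations listed above. It assumes the IEEE 802.11 RSNE layout (element ID 48, with MFPR at bit 6 and MFPC at bit 7 of RSN Capabilities); the function names are hypothetical and the sample bytes are constructed.

```python
import struct

RSNE_ID = 48       # element ID of the RSNE
MFPR = 1 << 6      # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 1 << 7      # RSN Capabilities bit 7: Management Frame Protection Capable

def find_rsne(ies: bytes):
    """Walk the (ID, length, body) elements and return the RSNE body, or None."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated element")
        if eid == RSNE_ID:
            return body
        pos += 2 + length
    return None

def rsn_capabilities(rsne: bytes) -> int:
    """Skip version, group cipher, pairwise and AKM lists; return the 16-bit field."""
    if len(rsne) < 2 or struct.unpack_from("<H", rsne)[0] != 1:
        raise ValueError("unsupported RSNE version")
    pos = 6                                    # version (2) + group cipher suite (4)
    for _ in range(2):                         # pairwise suite list, then AKM suite list
        if pos + 2 > len(rsne):
            return 0                           # fields omitted or cut short: bits read as 0
        pos += 2 + 4 * struct.unpack_from("<H", rsne, pos)[0]
    if pos + 2 > len(rsne):
        return 0
    return struct.unpack_from("<H", rsne, pos)[0]

def pmf_mode(ies: bytes) -> str:
    """Map the advertised MFPR/MFPC bits onto the configurations the page lists."""
    rsne = find_rsne(ies)
    if rsne is None:
        return "No RSNE"
    caps = rsn_capabilities(rsne)
    if caps & MFPC:
        return "Mandatory (Required)" if caps & MFPR else "Capable (Optional)"
    # MFPR without MFPC is not one of the three configurations on this page
    return "Invalid (MFPR=1/MFPC=0)" if caps & MFPR else "Disabled"

def sample_ies(caps: int) -> bytes:
    """Constructed sample: SSID element + RSNE (CCMP-128 ciphers, SAE AKM)."""
    ccmp, sae = bytes.fromhex("000fac04"), bytes.fromhex("000fac08")
    body = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    body += struct.pack("<H", 1) + sae + struct.pack("<H", caps)
    return b"\x00\x04test" + bytes([RSNE_ID, len(body)]) + body
```

Calling `pmf_mode(sample_ies(0x00C0))` corresponds to the MFPR=1 and MFPC=1 case described in the caption above.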

AOS specifics:

  • PMF is not user configurable for WPA3 or Enhanced Open security modes. MFPR (Required) and MFPC (Capable) configuration is automatic.

Last modified: March 4, 2024 (aef6136)