Ok Carson, thank you. Sounds like we should just leave things as they are.
-------------------------------------------
Original Message:
Sent: Oct 17, 2025 11:14 AM
From: chulcher
Subject: Management Frame protection
With WPA3 transition mode already enabled, all you'd do by forcing PMF (not sure that's even an option with WPA3 TM enabled) would be to give yourself a headache. You're functionally forcing WPA3.
https://arubanetworking.hpe.com/techdocs/aos/wifi-design-deploy/security/modes/wpa3-enterprise/#workaround
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 17, 2025 11:07 AM
From: cauliflower
Subject: Management Frame protection
Sorry I gave some false info there – eduroam is already WPA3, and is in transition mode. Our IoT network is mPSK, and guest is WPA3 enhanced open. What we are considering is whether to make PMF required for WPA2 clients as a security measure (I'm assuming in transition mode we can set them to required for WPA2 clients?), or whether that would cause a lot of headaches.
Guy
Original Message:
Sent: 10/17/2025 10:47:00 AM
From: chulcher
Subject: RE: Management Frame protection
Is there a reason you'd look at making this change rather than implementing WPA3 with or without transition mode?
https://arubanetworking.hpe.com/techdocs/aos/wifi-design-deploy/security/features/pmf/
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 17, 2025 06:15 AM
From: cauliflower
Subject: Management Frame protection
Hello,
We are debating whether to make Management Frame Protection mandatory on our WPA2 SSIDs as a security measure. But I am trying to get a sense of the effects this may have. I know that for older clients this can cause issues, but I don't know whether nowadays 'older' means pretty ancient and that devices less than (say) 5 years old should have no issues. I also read that there can be issues with 802.11r when 802.11w is enabled - is that still true? How much of a trade-off would making MFPs required be?
Note that we are a University so don't have full control over what is connecting to the network, there are a lot of BYOD devices, not to mention the usual mish-mash of IoT devices etc.
Any advice much appreciated.
Thanks,
Guy
-------------------------------------------