In my experience this is a feature of wireless networks that’s been largely forgotten/ignored, and I’m not sure why. It seems that making PMF optional by default would have zero downsides: protect the devices that support it while maintaining compatibility with older devices. Question for anyone more knowledgeable on the subject: is there a good reason PMF doesn’t have wider adoption?
I run a small-time wireless network for a business (about 100 concurrent clients at any given time). I had to disable PMF because some devices simply wouldn't work.
Edit: also, from my notes at setup time, some devices could connect but then had trouble roaming.
Typical deauth attacks are prevented, sure. However, clients are not protected until the 4-way handshake is complete, so that can still be interrupted. There are also a number of management frame types (and all control frames) that are not protected, some of which are just as effective, if not more effective, at DoS than deauth frames are.
When enabling WPA3 for a network, PMF is set to required by the UniFi network server apparently; that’s a nice change.
I'm not a network admin. Can anyone recommend a resource for establishing basic, solid UniFi configuration and security?
This is supported by QC from 2017, I believe.
What is QC referring to here? I’d appreciate a quick liner, thanks!
Takes me back over a decade ago, working for a manufacturer that used a “Wi-Fi setup network” on many of their products, I started encountering early versions of “WIPS” (wireless intrusion prevention systems) that would leverage these deauth techniques in TIFA to prevent connection to rogue (read: our) Wi-Fi networks.
That might sound fine at first glance, so here’s a common scenario we’d have:
During a renovation on a high-rise building, BigCorp, which still occupies office space on that floor, is happily (unknowingly/uncaringly) spamming deauths and even spoofing our BSSID, and to our field techs it would generally just look like “incorrect password”.
I wrote a long internal bulletin about it, mostly geared towards helping our techs (with varying levels of networking knowledge) identify the issue and get to someone in IT to help.
This is the easy Wireshark proof if you suspect it:
Filter for deauthentication frames: `(wlan.fc.type == 0) && (wlan.fc.type_subtype == 0x0c)`
Especially looking for a reason code of 2, `Previous authentication no longer valid.`
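The same check as the Wireshark filter above, written as an added Python example (not part of the original comment): it parses raw 802.11 MAC frames, separates PMF-protected deauths from unprotected ones, and counts unprotected reason-code-2 deauths per BSSID. The `threshold` value, the helper names and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import Counter

DEAUTH_SUBTYPE = 0x0C  # management subtype 12, as in wlan.fc.type_subtype == 0x0c

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return fields of a deauthentication frame, else None.
    Expects the raw 802.11 MAC frame (radiotap header stripped, no FCS)."""
    if len(frame) < 24:
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != DEAUTH_SUBTYPE:
        return None
    protected = bool(fc & 0x4000)  # Protected Frame bit: body is encrypted under PMF
    reason = None
    if not protected and len(frame) >= 26:
        reason, = struct.unpack_from("<H", frame, 24)  # cleartext reason code
    return {"dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "protected": protected, "reason": reason}

def suspicious_bssids(frames, threshold=3):
    """BSSIDs named in at least `threshold` unprotected reason-2 deauths.
    The BSSID field can be spoofed, so this shows which network is being
    hit, not who is transmitting."""
    hits = Counter()
    for f in frames:
        d = parse_deauth(f)
        if d and not d["protected"] and d["reason"] == 2:
            hits[d["bssid"]] += 1
    return {b: n for b, n in hits.items() if n >= threshold}

def build(fc, dst, src, bssid, body):
    """Assemble a constructed test frame: FC, duration, 3 addresses, seq, body."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("<HH", fc, 0) + raw(dst) + raw(src) + raw(bssid) + b"\x00\x00" + body

# Constructed sample frames (locally administered MACs, not from a real capture)
AP, STA = "02:00:00:aa:bb:01", "02:00:00:cc:dd:02"
SAMPLE = (
    [build(0x00C0, STA, AP, AP, struct.pack("<H", 2))] * 4   # unprotected, reason 2
    + [build(0x40C0, STA, AP, AP, b"\x11" * 18)]             # protected deauth (opaque body)
    + [build(0x00C0, STA, AP, AP, struct.pack("<H", 3))]     # unprotected, reason 3
    + [build(0x0080, "ff:ff:ff:ff:ff:ff", AP, AP, b"")]      # beacon, not a deauth
)

if __name__ == "__main__":
    print(suspicious_bssids(SAMPLE))
```

On a client that negotiated PMF, the unprotected deauths counted here are the ones it should discard once the 4-way handshake has completed.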
Is this actually legal to do? Sounds like jamming.
Cisco wireless LAN controllers used to have this feature built in. In some release they removed it.