Fortinet white logo
Fortinet white logo

Handbook

6.0.0

Protected Management Frames and Opportunistic Key Caching support

Protected Management Frames and Opportunistic Key Caching support

Protected Management Frames (PMF) protect some types of management frames like deauthorization, disassociation and action frames. This feature, now mandatory on WiFi certified 802.1ac devices, prevents attackers from sending plain deauthorization/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

To facilitate faster roaming client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange process when it roams to another AP on the same network.

Use of PMF and OKC on an SSID is configurable only in the CLI:

config wireless-controller vap

edit <vap_name>

set pmf {disable | enable | optional}

set pmf-assoc-comeback-timeout <integer>

set pmf-sa-query-retry-timeout <integer>

set okc {disable | enable}

next

end

When pmf is set to optional, it is considered enabled, but will allow clients that do not use PMF. When pmf is set to enable, PMF is required by all clients.

Protected Management Frames and Opportunistic Key Caching support

Protected Management Frames and Opportunistic Key Caching support

Protected Management Frames (PMF) protect some types of management frames like deauthorization, disassociation and action frames. This feature, now mandatory on WiFi certified 802.1ac devices, prevents attackers from sending plain deauthorization/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

To facilitate faster roaming client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange process when it roams to another AP on the same network.

Use of PMF and OKC on an SSID is configurable only in the CLI:

config wireless-controller vap

edit <vap_name>

set pmf {disable | enable | optional}

set pmf-assoc-comeback-timeout <integer>

set pmf-sa-query-retry-timeout <integer>

set okc {disable | enable}

next

end

When pmf is set to optional, it is considered enabled, but will allow clients that do not use PMF. When pmf is set to enable, PMF is required by all clients.