802.11w on open SSID

Question, updated 3 years ago
Is there a way to enable 802.11w on an open SSID?

We've had a security audit done, and the ability to "hijack" guest users was one of the results of that audit.

We don't have the issue on our encrypted SSIDs....

In configuration I do not see a way (via gui) to enable that option....Seems to me, open or not, the option should somehow be possible.

Beyond encryption, what other options are there to protect from this kind of behavior when you're forced to offer an open SSID access?

Bryan Tetlow


Posted 3 years ago


Matthew Gast

No, there's not.  802.11w uses the pre-master key (PMK) from the authentication exchange to derive the integrity key.  No pre-shared passphrase or 802.1X exchange, no PMK, and no key for 802.11w to use.
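To make the dependency in Matthew's answer concrete, here is an added Python example (not from this thread or from any vendor's code) of the WPA2 key hierarchy: the PMK comes from a passphrase (or from 802.1X), the PTK is expanded from the PMK, and the KEK slice of the PTK is what wraps the 802.11w integrity group key (IGTK) in the handshake. An open SSID has no PMK, so the chain never starts. The MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    for counter in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Expand the PTK (384 bits for CCMP) and split it into KCK, KEK and TK.
    The KEK is the key that encrypts the IGTK sent to the client, so without a PMK
    there is nothing to protect management frames with."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = ieee80211_prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def kek_for_network(auth: str, ssid: str, passphrase: Optional[str],
                    aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Optional[bytes]:
    """Return the KEK a client would end up with, or None when the network cannot
    produce a PMK (the open-SSID case). 'psk' is the only mode modelled here;
    802.1X would supply the PMK from EAP instead of PBKDF2."""
    if auth == "open":
        return None                       # no authentication exchange, no PMK, no KEK
    if auth == "psk" and passphrase:
        pmk = pmk_from_passphrase(passphrase, ssid)
        return derive_ptk(pmk, aa, spa, anonce, snonce)["kek"]
    raise ValueError("unsupported authentication mode")

if __name__ == "__main__":
    # Constructed sample addresses and nonces (hypothetical values).
    ap_mac = bytes.fromhex("001122334455")
    client_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    print(kek_for_network("psk", "IEEE", "password", ap_mac, client_mac, anonce, snonce).hex())
    print(kek_for_network("open", "Guest", None, ap_mac, client_mac, anonce, snonce))
```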

Bryan Tetlow

ah well....

It was a thought...

Thanks!

Nick Lowe, Official Rep

No, it is conceptually impossible to offer 802.11w, protected management frames, with an open SSID due to its very nature.

You simply need to not be using open SSID to protect clients from hijacking.

There are far bigger hijacking problems with an open SSID to worry about long before thinking about protecting management frames.

Nick Lowe, Official Rep

Matthew has beaten me to the post. I started writing this before his answer had appeared.

Matthew Gast

For once, I actually can beat you to a Wi-Fi question because I'm a time zone east of you.  Rather than being at Nick -8 hours, I'm at Nick +1 hours!

Bryan Tetlow

Guest network is not connected to production network --- so, only real issues are related to user-to-user situations.  Own subnet, own VLAN....

We cannot use traditional methods to secure the "guest" network....  It's not an option *I* have a say in.

I was looking to see if it was an option.... clearly it's not, and I didn't really think it was, but had to ask anyways.