Cisco Client Management Frame Protection is running on a mobility group with two controllers.
Which two MFP requirements protect the network? (Choose two.)
A. forces clients to authenticate, using a secure EAP method only
B. implements the validation of wireless management frames
C. requires Cisco Compatible Extensions v5
D. requires the use of a nonbroadcast SSID
E. requires Cisco Compatible Extensions v4
Answer: BC
Explanation:
Client MFP encrypts class 3 management frames sent between APs and Cisco Compatible Extensions version 5 (CCXv5)-capable client stations, so that both AP and client can take preventive action by dropping spoofed class 3 management frames (that is, management frames that are passed between an AP and a client station that is authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect class 3 unicast management frames. The unicast cipher suite that is negotiated by the STA in the reassociation request’s Robust Security Network Information Element (RSNIE) is used to protect both unicast data and class 3 management frames. An AP in workgroup bridge mode, repeater mode, or non-root bridge mode must negotiate either Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard-Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) to use Client MFP.
Management Frame Protection operation requires a wireless domain service (WDS). MFP is configured at the wireless LAN solution engine (WLSE), but you can manually configure MFP on an AP and WDS.
http://www.cisco.com/c/en/us/td/docs/routers/access/3200/software/wireless/3200WirelessConfigGuide/ManageFrameProt.html