During a wireless penetration test you demonstrate that sending a high-rate sequence of forged deauthentication frames with aireplay-ng can repeatedly knock employees off the company's WPA2-Enterprise 802.11n network. Management asks for a technical safeguard that will specifically block this kind of attack without depending on user training or manual monitoring. Which countermeasure is most appropriate?
Disable SSID broadcasting so attackers cannot discover the network.
Replace WPA2-Enterprise with WPA2-PSK using a complex shared passphrase.
Implement strict MAC address filtering for all authorized wireless clients.
Enable IEEE 802.11w protected management frames on every access point.
A deauthentication attack abuses the fact that 802.11 management frames (such as deauth and disassociation) are neither encrypted nor authenticated in legacy Wi-Fi. Attackers can spoof the AP's MAC address and forcibly disconnect clients, causing a denial of service or luring stations to rogue APs. Enabling IEEE 802.11w Protected Management Frames (PMF) adds cryptographic protection and integrity checking to these management frames, so clients will ignore forged deauth packets. Disabling SSID broadcast or using MAC filtering offers little real security because attackers can still capture traffic and spoof addresses. Switching to WPA2-PSK does nothing to stop spoofed management frames and actually weakens authentication compared to WPA2-Enterprise. Therefore, deploying 802.11w/PMF on all access points is the most effective built-in countermeasure against deauthentication floods.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are IEEE 802.11w Protected Management Frames (PMF)?