Understanding Beacon Frame Protection and Capturing WiFi 7 Management Frames
Zyxel Employee
With the ongoing rollout of WiFi 7 (802.11be) across Zyxel’s access points, new features have been introduced to improve security and enhance network diagnostics. One such feature is Beacon Frame Protection, which is automatically enabled on radios operating in 802.11be mode. In this article, we'll explain what beacon frame protection does, how it helps secure your network, and how to troubleshoot WiFi 7 management frames using remote capture.
Capturing WiFi 7 Management Frames with Remote Capture
Before diving into beacon protection, here’s a tip for those needing to analyze WiFi 7 management traffic for support or diagnostics.
Zyxel APs support a feature called Remote Capture, which allows you to collect wireless traffic directly from the air and forward it to a nearby PC running Wireshark. This is particularly useful because management frames (like beacons and probes) only exist on the wireless medium—they do not traverse Ethernet.
A Common Issue with Capturing WiFi 7 Frames
When capturing WiFi 7 management frames directly, users may encounter "malformed packets" in Wireshark. These packets are typically beacon frames containing WiFi 7-specific attributes, such as:
- Reduced Neighbor Report
- RSN Extension
- HE Capabilities
These malformed displays result from limitations in how current tools interpret WiFi 7 metadata—not necessarily from a defect in Zyxel APs.
Recommended Capture Setup
To properly capture WiFi 7 management frames:
- Deploy Two WiFi 7 APs:
- AP01: Provides WiFi service.
- AP02: Set to the same channel as AP01 for passive sniffing.
- Client Device:
- Connects to AP01 using WiFi 7.
- Wireshark PC:
- Connected via remote capture to AP02.
- Captures over-the-air traffic between the client and AP01.
This setup allows AP02 to observe beacon frames with full WiFi 7 attributes and forward them in real-time to the diagnostic PC.
What Is Beacon Frame Protection?
Beacon Frame Protection is a security enhancement introduced with 802.11be that helps protect clients from rogue AP spoofing and denial-of-service (DoS) attacks using falsified beacons.
How It Works
When enabled, a Message Integrity Code (MIC) is embedded within each beacon frame. Post-association clients use this MIC to verify that future beacons are indeed from the legitimate AP.
Key elements used to calculate the MIC:
- SSID Name
- BSSID (AP’s MAC address)
- Timestamp
- Sequence Number
- GTK (Group Temporal Key, obtained after association)
Why It Matters
With beacon frame protection:
- Clients reject spoofed beacons from rogue APs that try to mimic legitimate AP parameters but cannot generate valid MICs.
- Each MIC is dynamically generated based on the continuously updating timestamp and sequence number.
- Attackers cannot forge valid MICs unless they possess the GTK, which is only distributed during secure association.
Real-World Example
Let’s simulate a typical secure environment:
- AP broadcasts SSID “OfficeWiFi” with beacon frame protection enabled.
- Client associates and obtains the GTK.
- AP begins sending beacon frames with dynamic MICs.
- Rogue AP attempts to spoof the original beacon but lacks:
- Accurate timestamp and sequence number
- GTK for MIC generation
The client, detecting a mismatch in MIC, discards the spoofed beacon—preventing disruption or misinformation.
Compatibility and Client Impact
Good News: Non-WiFi 7 clients simply ignore the MIC field if they don’t support beacon frame protection.
This ensures no disruption to legacy devices or those connecting via older WiFi standards (e.g., 802.11n/ac/ax). The protection feature benefits only WiFi 7-capable clients and adds an extra layer of security without compromising backward compatibility.
Summary
Feature | Purpose | Impact |
|---|---|---|
Remote Capture | Captures WiFi 7 management frames via AP | Ideal for support/troubleshooting |
Beacon Frame Protection | Prevents spoofing of beacon frames | Secures WiFi 7 clients |
MIC Validation | Ensures frame authenticity | Works only if GTK is known |
Client Compatibility | MIC ignored by non-WiFi 7 clients | No connectivity issues |
Categories
- All Categories
- 438 Beta Program
- 2.7K Nebula
- 188 Nebula Ideas
- 121 Nebula Status and Incidents
- 6.2K Security
- 454 USG FLEX H Series
- 303 Security Ideas
- 1.6K Switch
- 81 Switch Ideas
- 1.3K Wireless
- 44 Wireless Ideas
- 6.8K Consumer Product
- 278 Service & License
- 435 News and Release
- 88 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 91 Security Highlight