Client MFP encrypts class 3 management frames sent between APs and Cisco Compatible Extension version 5 (CCXv5) --capable client stations, so that both AP and client can take preventive action by dropping spoofed class 3 management frames (management frames) that are passed between an AP and a client station that is authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect class 3 unicast management frames. The unicast cipher suite that is negotiated by the STA in the reassociation request's Robust Security Network Information Element (RSNIE) is used to protect both unicast data and class 3 management frames. An AP in workgroup bridge mode, repeater mode, or no-root bridge mode must negotiate either Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard-Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) to use Client MFP. Management Frame Protection operation requires a wireless domain service (WDS). MFP is configured at the wireless LAN solution engine (WLSE), but you can manually configure MFP on an AP and WDS.