How to Verify PMF Is Really Enforced

PMF (Protected Management Frames, 802.11w) looks “enabled” in many dashboards while clients silently fall back to unprotected associations. Use this checklist to verify actual enforcement.

  1. Policy check: Ensure sensitive SSIDs are set to PMF required, not optional.
  2. Client matrix: Validate each managed client profile against the required PMF behavior.
  3. Association logs: Confirm AP logs show PMF-negotiated associations only, not a mix of PMF and fallback associations.
  4. Negative tests: Attempt association with a known PMF-incompatible lab client and verify that it is rejected.
  5. Roaming check: Confirm PMF posture persists during roaming and fast transition (802.11r) workflows.
  6. Alerting: Generate an alert on any non-PMF association to protected SSIDs.
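Items 3, 5 and 6 can be checked with a small log review, as in the added example below. This is example code, not part of the original checklist or any vendor's tooling: the SSID policy table, the log line layout (`pmf=on/off` as the negotiated result, `mfpc`/`mfpr` as the client's RSN capability bits, `ft=1` for a fast-transition reassociation) and the sample records are all constructed for illustration, and a real controller's export will need its own parser.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical SSID policy (assumed, not from the original page): the value is
# the PMF mode configured on the AP for that SSID.
PMF_POLICY = {
    "corp-secure": "required",
    "iot-legacy": "optional",
    "guest": "disabled",
}

# Constructed sample association log. The field layout is invented for this
# example; pmf=on/off is the negotiated result, mfpc/mfpr are the client's
# RSN capability bits, ft=1 marks an 802.11r fast-transition reassociation.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ap01 ASSOC sta=aa:bb:cc:dd:ee:01 ssid=corp-secure pmf=on mfpc=1 mfpr=1 ft=0
2024-05-01T10:00:05Z ap01 ASSOC sta=aa:bb:cc:dd:ee:02 ssid=corp-secure pmf=off mfpc=0 mfpr=0 ft=0
2024-05-01T10:00:09Z ap02 ASSOC sta=aa:bb:cc:dd:ee:03 ssid=iot-legacy pmf=off mfpc=0 mfpr=0 ft=0
2024-05-01T10:00:12Z ap02 REASSOC sta=aa:bb:cc:dd:ee:01 ssid=corp-secure pmf=on mfpc=1 mfpr=1 ft=1
2024-05-01T10:00:15Z ap02 REASSOC sta=aa:bb:cc:dd:ee:04 ssid=corp-secure pmf=off mfpc=1 mfpr=0 ft=1
this line is not an association record and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) (?P<event>ASSOC|REASSOC) "
    r"sta=(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) ssid=(?P<ssid>\S+) "
    r"pmf=(?P<pmf>on|off) mfpc=(?P<mfpc>[01]) mfpr=(?P<mfpr>[01]) ft=(?P<ft>[01])$"
)


@dataclass
class Finding:
    ts: str
    ap: str
    sta: str
    ssid: str
    reason: str


def parse_line(line):
    """Return the record fields as a dict, or None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_violations(log_text, policy=PMF_POLICY):
    """Every association without PMF on an SSID whose policy is 'required'.

    On a correctly enforced SSID this list is empty: the AP should have
    rejected the client instead of logging a pmf=off association.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or policy.get(rec["ssid"]) != "required":
            continue
        if rec["pmf"] == "on":
            continue
        if rec["event"] == "REASSOC" and rec["ft"] == "1":
            reason = "PMF dropped on fast-transition roam"
        elif rec["mfpc"] == "0":
            reason = "PMF-incapable client accepted (mfpc=0)"
        else:
            reason = "PMF-capable client associated without PMF"
        findings.append(Finding(rec["ts"], rec["ap"], rec["sta"], rec["ssid"], reason))
    return findings


def association_mix(log_text):
    """Per-SSID count of pmf=on vs pmf=off associations (checklist item 3)."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec["ssid"]][rec["pmf"]] += 1
    return {ssid: dict(c) for ssid, c in counts.items()}


if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOG):
        print(f"ALERT {f.ts} {f.ap} {f.ssid} {f.sta}: {f.reason}")
    print(association_mix(SAMPLE_LOG))
```

The point of `find_violations` is that a single `pmf=off` record on a PMF-required SSID is itself the finding: it proves the AP accepted what the policy says it should reject, regardless of what the dashboard shows. `association_mix` gives the per-SSID split that item 3 asks for, and a mix of `on` and `off` on a required SSID is the "mixed fallback" symptom. The roam-specific reason covers item 5, where PMF is negotiated on the initial association but lost on the fast-transition reassociation.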

Myth vs reality

Myth: “PMF optional is close enough.”
Reality: With PMF optional, the AP still accepts clients that do not negotiate PMF, so the weakest path remains available.

Validation criteria