During an authorized wireless security assessment, I was able to transmit 802.11 deauthentication frames toward a target client and observed that the frames were acknowledged at the 802.11 layer (ACK received).
However, no persistent client disconnection was observed during testing.
The network configuration appears to be:
WPA2-Enterprise (CCMP/AES)
2.4 GHz and 5 GHz enabled
802.11w (Protected Management Frames) status not yet confirmed
My question is about correct technical classification:
Since 802.11 management frames are historically unprotected, is the ability to transmit deauthentication frames at the RF level simply expected behavior?
If PMF (802.11w) is not enforced, is this considered a design characteristic rather than a vulnerability?
If client disconnection is not reproducibly observed, can this scenario reasonably be classified as a security vulnerability?
Should this be treated as a configuration hardening recommendation (enforce PMF) instead of a confirmed finding?
I am trying to correctly understand this from a standards and security-model perspective rather than from an exploit-development standpoint.
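
The following is an added example and not part of the original post. It shows one way to settle the unconfirmed PMF status from a passive capture: parse the RSN element (ID 48) carried in the AP's beacon or probe response and read the MFPC and MFPR bits of the RSN Capabilities field. The sample elements are constructed for illustration, and the function names are hypothetical.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"
CIPHERS = {2: "TKIP", 4: "CCMP-128"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

def _suites(body, off, names):
    """Read a 2-byte count, then that many 4-byte suite selectors."""
    if len(body) < off + 2:
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if len(body) < off + 4 * count:
        raise ValueError("truncated suite list")
    out = []
    for i in range(count):
        sel = body[off + 4 * i: off + 4 * i + 4]
        out.append(names.get(sel[3], f"type-{sel[3]}") if sel[:3] == RSN_OUI else sel.hex())
    return out, off + 4 * count

def parse_rsn_pmf(ie: bytes) -> dict:
    """Parse an RSN element (ID 48) and report its PMF posture."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]
    pairwise, off = _suites(body, 6, CIPHERS)  # skip version (2) + group cipher (4)
    akm, off = _suites(body, off, AKMS)
    # RSN Capabilities is optional; an absent field means all bits are zero.
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    mfpr, mfpc = bool(caps & 0x0040), bool(caps & 0x0080)
    if mfpr and not mfpc:
        pmf = "invalid"    # MFPR set without MFPC is not a valid combination
    elif mfpr:
        pmf = "required"   # unprotected deauth/disassoc must be discarded
    elif mfpc:
        pmf = "optional"   # protection depends on each client negotiating PMF
    else:
        pmf = "disabled"   # management frames are unprotected by design
    return {"pairwise": pairwise, "akm": akm, "mfpc": mfpc, "mfpr": mfpr, "pmf": pmf}

# Constructed sample RSN elements (not captured from any real network).
SAMPLE_DISABLED = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
SAMPLE_OPTIONAL = bytes.fromhex("30140100000fac040100000fac040100000fac018000")
SAMPLE_REQUIRED = bytes.fromhex("30140100000fac040100000fac040100000fac05c000")

if __name__ == "__main__":
    for name in ("SAMPLE_DISABLED", "SAMPLE_OPTIONAL", "SAMPLE_REQUIRED"):
        print(name, parse_rsn_pmf(globals()[name]))
```

A result of "optional" still needs a per-client check, since the AP only advertises capability and each station's own RSN element in its association request decides whether its management frames are protected.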