Velocity Reviews


Fernando Enriquez 06-30-2005 09:27 PM

TKIP Michael MIC problems
 
Hi everyone:

We've set up a complex installation for one client based on 40 Cisco
1200 & 1100 APs working as parent-repeater (we have some branches with
parent-repeater-repeater). We've deployed LEAP on APs and clients both.
Everything is working fine until any client changes from one AP to
another. When it starts to transmit traffic it gets blocked because of
MIC encryption error. The situation remains for a few minutes, when
suddenly encryption works again.

To minimize impact we have enabled key-rotation every 20 seconds but the
problem remains and users are not able to work properly.

To validate users we have installed freeradius with leap support. Radius
log shows that authentication is working fine (no errors).

This is a log excerpt of what happens when client 0040.96a7.c594
disassociates from AP 192.168.4.207 and associates to AP 192.168.4.200:

> Jun 30 22:39:15 192.168.4.207 6552: *Mar 4 05:44:24.542: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0040.96a7.c594
> Jun 30 09:08:25 192.168.4.200 7178: *Mar 5 14:45:29.753: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ALMUDENAW2K 0040.96a7.c594 Associated KEY_MGMT[WPA]
> Jun 30 09:08:25 192.168.4.200 7179: *Mar 5 14:45:29.846: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0040.96a7.c594 on the packet (TSC=0x0) encrypted and protected by pairwise key.
> Jun 30 09:08:25 192.168.4.200 7180: *Mar 5 14:45:30.090: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0040.96a7.c594 on the packet (TSC=0x0) encrypted and protected by pairwise key.




Uli Link 07-01-2005 08:50 AM

Re: TKIP Michael MIC problems
 
Fernando Enriquez wrote:
> Hi everyone:
>
> We've set up a complex installation for one client based on 40 Cisco
> 1200 & 1100 APs working as parent-repeater (we have some branches with
> parent-repeater-repeater). We've deployed LEAP on APs and clients both.
> Everything is working fine until any client changes from one AP to
> another. When it starts to transmit traffic it gets blocked because of
> MIC encryption error. The situation remains for a few minutes, when
> suddenly encryption works again.


It's a feature to block a station after a number of MIC failures.
But this should not happen with allowed, legitimate stations.


What's the fw and driver version of your clients?

For the 350 series the very first fw supporting WPA with TKIP was 5.30.17.

What's the config of your APs? What's the IOS version on your APs?
The 350 series does not work with cipher set to TKIP+WEP (migration mode)

Tip: set up one low traffic AP as WDS, this will allow fast secure roaming.
For 350 clients I prefer CCKM over WPA, you can allow both on a SSID.

--
Uli
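
Added example, not written by any poster in this thread: a Python script that reads syslog lines in the format of the excerpt above and reports, per AP, which stations sent a Michael MIC failure report right after associating and whether two reports fell within 60 seconds of each other. The 60-second window is the IEEE 802.11i TKIP countermeasure rule and is not stated in the thread; `analyze`, the 5-second `roam_window`, the placeholder year and the last sample line are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First three lines: from the excerpt in the first post (wrapped lines rejoined).
# Last line: constructed for this example (station MAC and timestamps are made up).
SAMPLE = """\
Jun 30 09:08:25 192.168.4.200 7178: *Mar 5 14:45:29.753: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ALMUDENAW2K 0040.96a7.c594 Associated KEY_MGMT[WPA]
Jun 30 09:08:25 192.168.4.200 7179: *Mar 5 14:45:29.846: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0040.96a7.c594 on the packet (TSC=0x0) encrypted and protected by pairwise key.
Jun 30 09:08:25 192.168.4.200 7180: *Mar 5 14:45:30.090: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0040.96a7.c594 on the packet (TSC=0x0) encrypted and protected by pairwise key.
Jun 30 22:41:02 192.168.4.207 6560: *Mar 4 05:46:11.120: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0011.2233.4455 on the packet (TSC=0x0) encrypted and protected by pairwise key.
"""
COUNTERMEASURE_WINDOW = timedelta(seconds=60)  # IEEE 802.11i rule, not from the thread
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<ap>\S+) \d+: "
                  r"\*(?P<ts>\w{3}\s+\d+ [\d:.]+): %DOT11-\d-(?P<ev>\w+):")
MAC = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")

def analyze(text, roam_window=5.0):
    """Per AP: failure count, stations failing right after association, and
    whether two failure reports fell inside the countermeasure window."""
    assoc = {}                 # (ap, mac) -> last association time
    fails = defaultdict(list)  # ap -> [(time, mac)]
    for line in text.splitlines():
        m, mac = LINE.match(line), MAC.search(line)
        if not (m and mac):
            continue
        # The AP clocks in the excerpt disagree with the syslog host and with each
        # other, so use the AP's own timestamp and compare events per AP only.
        # The year is a placeholder; the AP timestamp carries none.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        if m["ev"] == "ASSOC":
            assoc[(m["ap"], mac[0])] = ts
        elif m["ev"] == "TKIP_MIC_FAILURE_REPORT":
            fails[m["ap"]].append((ts, mac[0]))
    report = {}
    for ap, events in fails.items():
        events.sort()
        times = [t for t, _ in events]
        roam = {mac for t, mac in events if (ap, mac) in assoc
                and 0 <= (t - assoc[(ap, mac)]).total_seconds() <= roam_window}
        burst = any(b - a <= COUNTERMEASURE_WINDOW for a, b in zip(times, times[1:]))
        report[ap] = {"failures": len(events), "post_roam": roam,
                      "countermeasures": burst}
    return report

if __name__ == "__main__":
    for ap, result in analyze(SAMPLE).items():
        print(ap, result)
```
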


Fernando Enriquez 07-04-2005 03:15 PM

Re: TKIP Michael MIC problems
 
I updated FW on clients and APs both to latest versions a couple of
weeks ago but problem persists.



Cipher is pure TKIP, not migration mode.



I will try WDS to see if using this the roaming gets smoother. I will
tell you.



Thanks a lot for your interest


Uli Link wrote:
> Fernando Enriquez wrote:
>
>> Hi everyone:
>>
>> We've set up a complex installation for one client based on 40 Cisco
>> 1200 & 1100 APs working as parent-repeater (we have some branches with
>> parent-repeater-repeater). We've deployed LEAP on APs and clients
>> both. Everything is working fine until any client changes from one AP
>> to another. When it starts to transmit traffic it gets blocked because
>> of MIC encryption error. The situation remains for a few minutes, when
>> suddenly encryption works again.

>
>
> It's a feature to block a station after a number of MIC failures.
> But this should not happen with allowed, legitimate stations.
>
>
> What's the fw and driver version of your clients?
>
> For the 350 series the very first fw supporting WPA with TKIP was 5.30.17.
>
> What's the config of your APs? What's the IOS version on your APs?
> The 350 series does not work with cipher set to TKIP+WEP (migration mode)
>
> Tip: set up one low traffic AP as WDS, this will allow fast secure roaming.
> For 350 clients I prefer CCKM over WPA, you can allow both on a SSID.
>


