TKIP Michael MIC problems

Discussion in 'Cisco' started by Fernando Enriquez, Jun 30, 2005.

  1. Hi everyone:

    We've set up a complex installation for one client based on 40 Cisco
    1200 & 1100 APs working as parent-repeater (we have some branches with
    parent-repeater-repeater). We've deployed LEAP on APs and clients both.
    Everything is working fine until any client changes from one AP to
    another. When it starts to transmit traffic it gets blocked because of
    MIC encryption error. The situation remains for a few minutes, when
    suddenly encryption works again.

    To minimize impact we have enabled key-rotation every 20 seconds but the
    problem remains and users are not able to work properly.

    To validate users we have installed freeradius with leap support. Radius
    log shows that authentication is working fine (no errors).

    This is a log excerpt of what happens when client 0040.96a7.c594
    disassociates from AP 192.168.4.207 and associates to AP 192.168.4.200:

    > Jun 30 22:39:15 192.168.4.207 6552: *Mar 4 05:44:24.542: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0040.96a7.c594
    > Jun 30 09:08:25 192.168.4.200 7178: *Mar 5 14:45:29.753: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ALMUDENAW2K 0040.96a7.c594 Associated KEY_MGMT[WPA]
    > Jun 30 09:08:25 192.168.4.200 7179: *Mar 5 14:45:29.846: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0040.96a7.c594 on the packet (TSC=0x0) encrypted and protected by pairwise key.
    > Jun 30 09:08:25 192.168.4.200 7180: *Mar 5 14:45:30.090: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0040.96a7.c594 on the packet (TSC=0x0) encrypted and protected by pairwise key.
     
    Fernando Enriquez, Jun 30, 2005
    #1

  2. Uli Link Guest

    Fernando Enriquez wrote:
    > Hi everyone:
    >
    > We've set up a complex installation for one client based on 40 Cisco
    > 1200 & 1100 APs working as parent-repeater (we have some branches with
    > parent-repeater-repeater). We've deployed LEAP on APs and clients both.
    > Everything is working fine until any client changes from one AP to
    > another. When it starts to transmit traffic it gets blocked because of
    > MIC encryption error. The situation remains for a few minutes, when
    > suddenly encryption works again.


    It's a feature to block a station after a number of MIC failures.
    But this should not happen with allowed, legitimate stations.


    What's the fw and driver version of your clients?

    For the 350 series the very first fw supporting WPA with TKIP was 5.30.17.

    What's the config of your APs? What's the IOS version on your APs?
    The 350 series does not work with cipher set to TKIP+WEP (migration mode)

    Tip: set up one low traffic AP as WDS, this will allow fast secure roaming.
    For 350 clients I prefer CCKM over WPA, you can allow both on a SSID.

    --
    Uli
     
    Uli Link, Jul 1, 2005
    #2
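
An added example (not part of the thread and not Cisco code): a Python pass over AP syslog in the format posted above that flags a station reporting two Michael MIC failures within 60 seconds on one AP, the trigger condition for TKIP countermeasures in 802.11i, and marks whether the burst began right after an association, as in the roaming case described. The function name, the 5-second roam gap, the placeholder year and the last sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# syslog-server stamp, AP address, sequence number, AP-local stamp, event, message
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<ap>\d+\.\d+\.\d+\.\d+)\s+\d+:\s+"
    r"\*(?P<ts>\w{3}\s+\d+\s+\d+:\d+:\d+\.\d+):\s+"
    r"%DOT11-\d-(?P<event>\w+):\s+(?P<msg>.*)$")
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")

# First four lines are the excerpt from the first post; the last line is constructed.
SAMPLE = """\
Jun 30 22:39:15 192.168.4.207 6552: *Mar 4 05:44:24.542: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0040.96a7.c594
Jun 30 09:08:25 192.168.4.200 7178: *Mar 5 14:45:29.753: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ALMUDENAW2K 0040.96a7.c594 Associated KEY_MGMT[WPA]
Jun 30 09:08:25 192.168.4.200 7179: *Mar 5 14:45:29.846: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0040.96a7.c594 on the packet (TSC=0x0) encrypted and protected by pairwise key.
Jun 30 09:08:25 192.168.4.200 7180: *Mar 5 14:45:30.090: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0040.96a7.c594 on the packet (TSC=0x0) encrypted and protected by pairwise key.
Jun 30 09:13:00 192.168.4.200 7181: *Mar 5 14:50:00.000: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0040.96aa.0001 on the packet (TSC=0x0) encrypted and protected by pairwise key.
""".splitlines()

def analyse(lines, window=60.0, roam_gap=5.0):
    """Return one finding per MIC failure that has an earlier failure for the
    same (AP, station) inside `window` seconds."""
    last_assoc = {}               # (ap, mac) -> time of last association
    failures = defaultdict(list)  # (ap, mac) -> failure times still in window
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        mac = MAC_RE.search(m["msg"]) if m else None
        if not mac:
            continue
        key = (m["ap"], mac.group())
        # AP clocks are unsynchronised, so only AP-local times on the same AP
        # are compared; the year is a placeholder because the log has none.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        if m["event"] == "ASSOC":
            last_assoc[key] = ts
        elif m["event"] == "TKIP_MIC_FAILURE_REPORT":
            recent = [t for t in failures[key] if (ts - t).total_seconds() <= window]
            failures[key] = recent + [ts]
            if recent:
                assoc = last_assoc.get(key)
                gap = (recent[0] - assoc).total_seconds() if assoc else None
                findings.append({"ap": key[0], "station": key[1],
                                 "failures": len(recent) + 1,
                                 "after_roam": gap is not None and 0 <= gap <= roam_gap})
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

A finding with `after_roam` set points at a key or driver problem during the roam rather than forged frames, which is the distinction the reply above draws for legitimate stations.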

  3. I updated FW on clients and APs both to latest versions a couple of
    weeks ago but problem persists.



    Cipher is pure TKIP, not migration mode.



    I will try WDS to see if using this the roaming gets smoother. I will
    tell you.



    Thanks a lot for your interest


    Uli Link wrote:
    > Fernando Enriquez wrote:
    >
    >> Hi everyone:
    >>
    >> We've set up a complex installation for one client based on 40 Cisco
    >> 1200 & 1100 APs working as parent-repeater (we have some branches with
    >> parent-repeater-repeater). We've deployed LEAP on APs and clients
    >> both. Everything is working fine until any client changes from one AP
    >> to another. When it starts to transmit traffic it gets blocked because
    >> of MIC encryption error. The situation remains for a few minutes, when
    >> suddenly encryption works again.

    >
    >
    > It's a feature to block a station after a number of MIC failures.
    > But this should not happen with allowed, legitimate stations.
    >
    >
    > What's the fw and driver version of your clients?
    >
    > For the 350 series the very first fw supporting WPA with TKIP was 5.30.17.
    >
    > What's the config of your APs? What's the IOS version on your APs?
    > The 350 series does not work with cipher set to TKIP+WEP (migration mode)
    >
    > Tip: set up one low traffic AP as WDS, this will allow fast secure roaming.
    > For 350 clients I prefer CCKM over WPA, you can allow both on a SSID.
    >
     
    Fernando Enriquez, Jul 4, 2005
    #3