Cisco WLC (WPA-TKIP) & iPads - WPA MIC Error

Discussion in 'Cisco' started by b_rizza, May 21, 2010.

  1. b_rizza


    May 21, 2010
    Cisco WLC [WPA][Auth(802.1X)] & iPads - WPA MIC Error

    Just throwing this out there to see if anyone else has experienced the same issue. I’m running a Cisco WLC 4402/ACS/ (WPA-TKIP)+PEAP, etc… Over the last few days, clients have been complaining about connectivity issues to the WLANs. We have centralized WLCs @ our HQ location w/ all LAPs terminating back to the POP. Users began complaining about sporadic wireless connectivity, primarily @ HQ. Wireless users would have adequate signal, then drop & lose connectivity altogether. Occasionally they would roam to another LAP & connectivity would reestablish, though in most cases they were dead in the water until they bounced their interface or the LAP itself was rebooted.

    Looking at the logs, I started seeing numerous errors similar to the following:

    29 Thu May 20 11:03:29 2010 WPA MIC Error counter measure activated on Radio with MAC 00:19:07:XX:XX:XX and Slot ID 1. Station MAC Address is d8:30:62:XX:XX:XX and WLAN ID is 3.

    I sifted through the logs for this error, which was primarily associated w/ hardware address d8:30:62:XX:XX:XX, which the coffer mac-address lookup recognized as Apple, Inc. I collected a list of Mac users from IT Support & spammed the site attempting to track the source user. (The MAC address was not listed as a connected client via the WLC client log.) Soon enough, there was a match & the match happened to be a recently acquired iPad. We started seeing other APs drop, with matches once again to Apple Inc., traced again to... you guessed it, other iPads.

    To temporarily remedy the situation, I disabled Message Integrity Checks on each of the WLANs, which has stabilized our wireless environment, less (MIC), which would be one less check for legitimate MITM attacks.

    Command used via CLI to the WLC:

    config wlan security tkip hold-down <0-60 seconds> <wlan id>

    I set it to 0 seconds on each WLAN (requires disabling each WLAN individually via the WebUI or else the command execution will fail), followed by a “save config”. Don’t ask me if it actually writes this setting to the config, since it’s nowhere to be found in the WebUI. I guess I’ll find out should we bounce this thing in the future. One thing to keep in mind: you CANNOT turn the MIC Checks off in WLC versions older than version 4.1. We haven’t updated ours in quite a while though we’re currently running which worked out perfectly.

    Could it be a faulty wireless card on the iPad? Maybe… The fact that it affected multiple iPads, causing failures on every AP on every floor, would point to either a bad batch OR, more than likely, a behavior/driver issue of the iPad itself. Great product in general, though it also doubles up as a sneaker-net DDoS for Cisco WLANs. Hopefully a fix will be found soon…

    Seacrest Out…
    Last edited: May 21, 2010
    b_rizza, May 21, 2010
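
The log triage described in the post above (grouping the countermeasure traps by station vendor prefix and by radio) can be scripted. This is an added example, not part of the original post and not Cisco code; it assumes traps in the exact format of the line quoted in the post, the function names are hypothetical, and every sample line after the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

MAC = r"(?:[0-9A-Fa-fXx]{2}:){5}[0-9A-Fa-fXx]{2}"  # octets may be masked as "XX"
# Trap text as quoted in the post (assumed format).
EVENT = re.compile(
    r"(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) WPA MIC Error counter measure "
    rf"activated on Radio with MAC (?P<radio>{MAC}) and Slot ID (?P<slot>\d+)\. "
    rf"Station MAC Address is (?P<sta>{MAC}) and WLAN ID is (?P<wlan>\d+)"
)

def parse_events(lines):
    """Yield one dict per countermeasure trap; unrelated lines are skipped."""
    for line in lines:
        m = EVENT.search(line)
        if m:
            yield {
                "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                "radio": m["radio"].lower(),
                "oui": m["sta"].lower()[:8],  # first three octets = vendor prefix
                "wlan": int(m["wlan"]),
            }

def summarize_by_oui(lines):
    """Group traps by station OUI: event count, radios hit, WLANs hit."""
    out = defaultdict(lambda: {"events": 0, "radios": set(), "wlans": set()})
    for ev in parse_events(lines):
        entry = out[ev["oui"]]
        entry["events"] += 1
        entry["radios"].add(ev["radio"])
        entry["wlans"].add(ev["wlan"])
    return dict(out)

def suspect_ouis(lines, min_radios=2):
    """An OUI tripping countermeasures on several radios points at the client type, not one AP."""
    summary = summarize_by_oui(lines)
    return sorted(o for o, s in summary.items() if len(s["radios"]) >= min_radios)

# Sample input: line 29 is the one quoted in the post; lines 30-33 are constructed.
SAMPLE_LOG = [
    "29 Thu May 20 11:03:29 2010 WPA MIC Error counter measure activated on Radio with MAC 00:19:07:XX:XX:XX and Slot ID 1. Station MAC Address is d8:30:62:XX:XX:XX and WLAN ID is 3.",
    "30 Thu May 20 11:09:12 2010 WPA MIC Error counter measure activated on Radio with MAC 00:19:07:00:00:02 and Slot ID 0. Station MAC Address is d8:30:62:00:00:0a and WLAN ID is 3.",
    "31 Thu May 20 11:15:40 2010 WPA MIC Error counter measure activated on Radio with MAC 00:19:07:00:00:03 and Slot ID 1. Station MAC Address is d8:30:62:00:00:0b and WLAN ID is 2.",
    "32 Thu May 20 11:20:01 2010 WPA MIC Error counter measure activated on Radio with MAC 00:19:07:00:00:02 and Slot ID 0. Station MAC Address is 02:00:00:00:00:01 and WLAN ID is 3.",
    "33 Thu May 20 11:21:00 2010 (constructed unrelated log line)",
]

if __name__ == "__main__":
    print(suspect_ouis(SAMPLE_LOG))
```
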