TKIP Michael MIC problems


    Sponsored Links


  • 1. time-range and PIX
    Hy to everbody, i saw already that there is nothing as time-range under my pix, so i tought that i can do next. For local IP adresses that must not go outside on web uot of work time; make a apart global for them and then on router make on eth0 ins an ACL that use time range. Anybody did it? Thanks
  • 2. DECnet over GRE tunnel with serial interface
    All, I need help. We have some terminals with one server which run DECnet. They all reside in the same area (area 1). They work fine when run in the local segment (by using hub). I want to exercise one of the terminals connect to the server over the WAN (by using GRE tunnel) with two cisco routers with back-to-back serial interafce. I have configured routers with DECnet routing (phase IV) and assign DECnet cost to tunnel and fast ethernet interfaces. The problem is, when I do show decnet routing, I see all the the detailed routing including server and the remaining terminals at the other side, but when I can't see them by using show decnet neighbor. I noticed that the SNAP address assigned for tunnel is 0000.0000.0000 which I susspect is the issue when talking to DECnet address format. Does anyone have suggestion how can I make it working by using GRE tunnel over back-to-back serial (to simulate a leased line)? regards Paris
  • 3. A lack of ethernet modules from Cisco
    Back in the old days of the 2600 and 3600 routers, one could buy 1, 2 or 4 port ethernet modules with true routing capability. The latest routers from Cisco dont seem to support this kind of function. I have an 1841 which comes with two 10/100 ports on board. I want to add two more ethernet ports to make it a full 4 port router. But i cant find a suitable module. Cisco do a 4 port etherswitch HWIC. But this isnt layer 3 capable. Any suggestions?
  • 4. Messed up program on Cisco 2509
    I am guessing I made a mistake. I put a new configuration into a 2509 and when I was done, I had lost access to the enable and admin access. For some reason, the user login still works but with a different login id than I had programmed (the old one). The configuration looks like it is there (The menu is for sure) but I can't access the priv access accounts anymore. So... I need to blow away the config and start over and this time program the passwords correctly... How do I do this? BTW, I did the account access like: clock timezone MST -7 enable password 7 NEWPASS username admin privilege 15 password 7 NEWPASS username admin autocommand menu uc username wan password 7 NEWPASS ip subnet-zero ... With the NEWPASS being the passwords for each that I wanted to use. Need to check on how to fix that.
  • 5. PIX 501 Basic Configuration
    I am attempting to install a PIX 501 (50 licenses) on a small office network (Windows Server 2003 and 20 workstations). We have high speed Internet access. This is the first firewall I've tried to hook up and configure and I'm lost. Here's the setup-- Modem to PIX Port 0 via Orange Cable PIX Port 1 to NETGEAR FS750T Switch Port 49 via Yellow Cable Switch to Server and Workstations My network is The firewall is set to The server handles DHCP requests. The PIX is seeing the internal network but not the external (Internet), which it shows as "down." Here are the settings (provided by the ISP) from the Netopia R910 router that I am replacing with the PIX 501-- Computer ID: WMPTYZK2 IP Address: Dynamically assigned by ISP Domain Name: Primary DNS: Secondary DNS: I went through startup.html for the PIX 501 but wasn't sure where to plug these in (or even if there was a place for all of them). All help will be greatly appreciated. Thanks in advance.

TKIP Michael MIC problems

Postby Fernando Enriquez » Sat, 02 Jul 2005 06:27:51 GMT

Hi everyone:

We've set up a complex installation for one client based on 40 Cisco 
1200 & 1100 APs working as parent-repeater (we have some branches with 
parent-repeater-repeater). We've deployed LEAP on APs and clients both. 
Everything is working fine until any client changes from one AP to 
another. When it starts to transmit traffic it gets blocked because of 
MIC encryption error. The situation remains for a few minutes, when 
suddenly encryption works again.

To minimize impact we have enables key-rotation every 20 seconds but the 
problem remains and users aro not able to work properly.

To validate users we have installed freeradius with leap support. Radius 
log shows that authentication is working fine (no errors)

This is a log excerpt of what happens when client 0040.96a7.c594 
desassociates from AP and associates to AP

Re: TKIP Michael MIC problems

Postby Uli Link » Sat, 02 Jul 2005 17:50:48 GMT

Fernando Enriquez schrieb:

It's a feature to block a station after a number of MIC failures.
But this should not happen with allowed, legitimate stations.

What's the fw and driver version of your clients?

For the 350 series the very first fw supporting WPA with TKIP was 5.30.17.

What's the config of your APs? What's the IOS version on you APs?
The 350 series does not work with cipher set to TKIP+WEP (migration mode)

Tip: set up one low traffic AP as WDS, this will allow fast secure roaming.
For 350 clients I prefer CCKM over WPA, you can allow both on a SSID.


Re: TKIP Michael MIC problems

Postby Fernando Enriquez » Wed, 06 Jul 2005 00:15:49 GMT

I updated FW on clients and APs both to latest versiones a couple of
weeks ago but problem persists.

Cipher is pure TKIP, not migration mode.

I will try WDS to see if using this the roaming gets smoother. I will
tell you.

Thanks a lot for your interest

Similar Threads:

1.TKIP MIC failures


Ive got a few AP1200's that Ive just deployed. Most only have 1 or 2
associations right now as Im ramping it up for production.

Ive got 1 client an IBM laptop with an Intel 2200BG card that keeps
causing these errors on the AP.

%DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure
report from the station 000e.3568.a238 on the packet (TSC=0x0)
encrypted and protected by pairwise key.

I see these 1 every few minutes, sometimes it will happen more often
and then the radio interface is put on hold and all my WPA clients are
disassociated. All WPA clients diassociated is bad.

%DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were
detected within 0 seconds on Dot11Radio0 interface. The interface will
be put on MIC failure hold state for next 60 seconds.

So I read some about these messages and they point to someone attackign
my AP but these are being generated by MAC Addrs that are friendly.

Heres the rundown on my setup,  Cisco AP1200's IOS 12.3(2)JA configed
for WPA \TKIP  with a MS IAS RADIUS server backend.

Anyone ever see these errors before ?  Thanks


2.WPA/TKIP with AP1200

Hi gurus

I'm trying to configure an Windows XP SP1 supplicant with Patch Q815485 
with my laptop HP Nx7010. Initially I work with EAP-TLS + WPA TKIP & 
AP1200, it seems to work fine but after a few seconds the connection is 
broken and supplicant doesn't reconnect with the AP.
HAve you found this issue ?

Can you help me?



3.Cisco ACS 3.3 and Windows 2003 IAS using EAP-TLS and TKIP

I was wondering has anyone every setup using Cisco ACS 3.3 (Radius)
with Windows 2003 IAS to authenicate with PKI cards for wireless and if
so what sets should I follow.  TIA

4.TKIP vs Broadcast Key Rotation

In some of the Cisco documentation, they state that broadcast key rotation
(BKR) "is an excellent alternative to TKIP if your wireless LAN supports
wireless client devices that are not Cisco devices or that cannot be
upgraded to the latest firmware for Cisco client devices."

I don't really understand how this is true. If BKR is only rotating the keys
for broadcast frames, then the user's session (unicast) key isn't touched
by this mechanism, right? So, the classic WEP cracking vulnerabilities
still apply, right?

Must be something I'm missing here... who can enlighten me?


5.Security of Cisco TKIP implementation on older products

I am still using Cisco AIR-352 with 12.3(8) IOS as access point, to provide 
connectivity on my wlan ad 802.11b speeds, with WPA-PSK TKIP security.

I have on a site, two AIR-BR352 point to point links at about 4km.
The bridges BR350 uses Wep128 security, and I know that it is unsecure.
On the config pages, I have enable MIC and TKIP settings.

So in the end I have these options enabled:
WEP 128

This is the extract from cisco's documentations about the two options.

# Message Integrity Check (MIC) -- MIC is an additional WEP security feature 
that prevents attacks on encrypted packets called bit-flip attacks. The MIC, 
implemented on both the access point and all associated client devices, adds 
a few bytes to each packet to make the packets tamperproof.

# Temporal Key Integrity Protocol (TKIP) -- TKIP, also known as WEP key 
hashing, is an additional WEP security feature that defends against an 
attack on WEP in which the intruder uses an unencrypted segment called the 
initialization vector (IV) in encrypted packets to calculate the WEP key.

In the end, these bridges are in WEP128, but are they vulnerable to the 
common wep flaws (IV vector, and vulnerable to airsnort's scans)  ?

To be secure, I use a GRE+IPSEC (at the moment using DES encryption, later I 
will use AES128) tunnel between the two sites connected via the wifi 
bridge, to be more secure.


6. Cisco WLC - WPA MIC Errors.....all AP's same syptoms

7. IP phone i2004 audio mic level is low

8. 2 line headset with common mic?

Return to cisco


Who is online

Users browsing this forum: No registered users and 29 guest