TKIP Michael MIC problems


TKIP Michael MIC problems

Postby Fernando Enriquez » Sat, 02 Jul 2005 06:27:51 GMT

Hi everyone:

We've set up a complex installation for one client based on 40 Cisco 
1200 & 1100 APs working as parent-repeater (we have some branches with 
parent-repeater-repeater). We've deployed LEAP on both APs and clients. 
Everything is working fine until any client changes from one AP to 
another. When it starts to transmit traffic it gets blocked because of a 
MIC encryption error. The situation remains for a few minutes, when 
suddenly encryption works again.

To minimize the impact we have enabled key rotation every 20 seconds, but the 
problem remains and users are not able to work properly.

To validate users we have installed FreeRADIUS with LEAP support. The RADIUS 
log shows that authentication is working fine (no errors).

This is a log excerpt of what happens when client 0040.96a7.c594 
disassociates from AP 192.168.4.207 and associates to AP 192.168.4.200:




Re: TKIP Michael MIC problems

Postby Uli Link » Sat, 02 Jul 2005 17:50:48 GMT

Fernando Enriquez wrote:

It's a feature to block a station after a number of MIC failures.
But this should not happen with allowed, legitimate stations.


What's the fw and driver version of your clients?

For the 350 series the very first fw supporting WPA with TKIP was 5.30.17.

What's the config of your APs? What's the IOS version on your APs?
The 350 series does not work with cipher set to TKIP+WEP (migration mode)

Tip: set up one low traffic AP as WDS, this will allow fast secure roaming.
For 350 clients I prefer CCKM over WPA, you can allow both on a SSID.

-- 
Uli


Re: TKIP Michael MIC problems

Postby Fernando Enriquez » Wed, 06 Jul 2005 00:15:49 GMT

I updated the FW on both clients and APs to the latest versions a couple of
weeks ago, but the problem persists.



Cipher is pure TKIP, not migration mode.



I will try WDS to see if using this the roaming gets smoother. I will
tell you.



Thanks a lot for your interest





Similar Threads:

1.TKIP MIC failures

Hey

I've got a few AP1200s that I've just deployed. Most only have 1 or 2
associations right now as I'm ramping it up for production.

I've got one client, an IBM laptop with an Intel 2200BG card, that keeps
causing these errors on the AP.

%DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure
report from the station 000e.3568.a238 on the packet (TSC=0x0)
encrypted and protected by pairwise key.

I see these once every few minutes; sometimes it will happen more often,
and then the radio interface is put on hold and all my WPA clients are
disassociated. All WPA clients disassociated is bad.

%DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were
detected within 0 seconds on Dot11Radio0 interface. The interface will
be put on MIC failure hold state for next 60 seconds.


So I read some about these messages and they point to someone attacking
my AP, but these are being generated by MAC addresses that are friendly.

Here's the rundown on my setup: Cisco AP1200s, IOS 12.3(2)JA, configured
for WPA/TKIP with an MS IAS RADIUS server backend.

Anyone ever seen these errors before? Thanks

Timo
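Uli's reply in the main thread says the AP blocks a station after a number of MIC failures, and Timo's two log lines show the exact rule Cisco IOS applies: a second TKIP Michael MIC failure within 60 seconds puts the radio on hold for 60 seconds, dropping every WPA/TKIP client. The Python below is an added example, not code from the thread or from Cisco. It parses %DOT11-4-TKIP_MIC_FAILURE_REPORT lines from a constructed log sample, replays the 802.11i countermeasure rule over them, and counts reports per station so you can tell whether one client (a driver problem, as Timo suspects) or many clients are tripping the hold. The "Jul  2 10:15:03.101:" syslog prefix assumes the AP runs with 'service timestamps log datetime msec'; that prefix and the sample lines are assumptions, not taken from the page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

HOLD_SECONDS = 60  # 802.11i TKIP countermeasure window and hold duration

# Matches the %DOT11-4-TKIP_MIC_FAILURE_REPORT message quoted in the thread.
# The "Mon dd hh:mm:ss.mmm:" prefix assumes 'service timestamps log datetime
# msec' on the AP; that prefix is an assumption, not something shown on the page.
MIC_FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)(?:\.(?P<ms>\d{1,3}))?:\s+"
    r"%DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report "
    r"from the station (?P<sta>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on the packet \(TSC=(?P<tsc>0x[0-9A-Fa-f]+)\) encrypted and protected by "
    r"(?P<key>pairwise|group) key\.?$"
)


def parse_failure(line):
    """Return (timestamp, station_mac, key_type) for a MIC failure report, else None."""
    m = MIC_FAILURE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    if m["ms"]:
        ts += timedelta(milliseconds=int(m["ms"].ljust(3, "0")))
    return ts, m["sta"], m["key"]


class TkipCountermeasures:
    """Replays the AP-side rule: the second MIC failure within HOLD_SECONDS of
    the first puts the radio on hold for HOLD_SECONDS (all TKIP stations are
    deauthenticated and no TKIP association is accepted until it expires)."""

    def __init__(self):
        self.first_failure = None   # failure that opened the 60 s window
        self.hold_until = None      # end of the current hold, if one is running
        self.holds = []             # (time, station whose report tripped it)
        self.per_station = Counter()

    def report(self, ts, sta):
        self.per_station[sta] += 1
        if self.hold_until is not None and ts < self.hold_until:
            return "in-hold"        # radio already on hold; nothing new happens
        window = timedelta(seconds=HOLD_SECONDS)
        if self.first_failure is not None and ts - self.first_failure < window:
            self.hold_until = ts + window
            self.holds.append((ts, sta))
            self.first_failure = None   # the window is consumed by the hold
            return "hold"
        self.first_failure = ts         # first failure, or the previous one is too old
        return "first"


def analyze(lines):
    """Run the countermeasure model over syslog lines; unrelated lines are skipped."""
    cm = TkipCountermeasures()
    timeline = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, sta, _key = parsed
        timeline.append((ts.strftime("%H:%M:%S.%f")[:-3], sta, cm.report(ts, sta)))
    return {
        "timeline": timeline,
        "holds": len(cm.holds),
        "stations": dict(cm.per_station),
        # One MAC behind every report points at that client's driver/firmware;
        # many MACs point at the AP side or at someone deliberately forcing holds.
        "source": "single-station" if len(cm.per_station) == 1 else "multi-station",
    }


# Constructed sample, modelled on the two messages quoted in the thread.
SAMPLE_LOG = """\
Jul  2 10:15:03.101: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 000e.3568.a238 on the packet (TSC=0x0) encrypted and protected by pairwise key.
Jul  2 10:15:03.102: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 000e.3568.a238 on the packet (TSC=0x0) encrypted and protected by pairwise key.
Jul  2 10:15:03.102: %DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within 0 seconds on Dot11Radio0 interface. The interface will be put on MIC failure hold state for next 60 seconds.
Jul  2 10:15:40.000: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 000e.3568.a238 on the packet (TSC=0x1a) encrypted and protected by pairwise key.
Jul  2 10:18:00.000: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 000e.3568.a238 on the packet (TSC=0x2c) encrypted and protected by pairwise key.
Jul  2 10:20:30.000: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 000e.3568.a238 on the packet (TSC=0x3f) encrypted and protected by pairwise key.
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for when, sta, verdict in result["timeline"]:
        print(when, sta, verdict)
    print(result["holds"], "hold(s);", result["source"], result["stations"])
```

Two reports one millisecond apart from the same MAC produce the "within 0 seconds" hold Timo sees; the report at 10:15:40 lands inside the hold and changes nothing, and the one at 10:18:00 starts a fresh window because the hold has expired. A single MAC behind every report is the pattern of a broken client driver, which is what this model is meant to make visible before anyone assumes an attack.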

2.WPA/TKIP with AP1200

Hi gurus

I'm trying to configure a Windows XP SP1 supplicant with patch Q815485 
on my laptop, an HP nx7010. Initially I worked with EAP-TLS + WPA TKIP & 
AP1200; it seems to work fine, but after a few seconds the connection is 
broken and the supplicant doesn't reconnect to the AP.
Have you seen this issue?

Can you help me?

Thanks

Manel

3.Cisco ACS 3.3 and Windows 2003 IAS using EAP-TLS and TKIP

I was wondering whether anyone has ever set up Cisco ACS 3.3 (RADIUS)
with Windows 2003 IAS to authenticate with PKI cards for wireless, and if
so, what steps should I follow.  TIA

4.TKIP vs Broadcast Key Rotation

In some of the Cisco documentation, they state that broadcast key rotation
(BKR) "is an excellent alternative to TKIP if your wireless LAN supports
wireless client devices that are not Cisco devices or that cannot be
upgraded to the latest firmware for Cisco client devices."

I don't really understand how this is true. If BKR is only rotating the keys
for broadcast frames, then the user's session (unicast) key isn't touched
by this mechanism, right? So, the classic WEP cracking vulnerabilities
still apply, right?

Must be something I'm missing here... who can enlighten me?

Thanks,
Mike

5.Security of Cisco TKIP implementation on older products

Hello
I am still using a Cisco AIR-352 with 12.3(8) IOS as an access point, to provide 
connectivity on my WLAN at 802.11b speeds, with WPA-PSK TKIP security.

On one site I have two AIR-BR352 point-to-point links at about 4 km.
The BR350 bridges use WEP128 security, and I know that it is insecure.
On the config pages, I have enabled the MIC and TKIP settings.

So in the end I have these options enabled:
WEP 128
CISCO MIC
TKIP

This is the extract from cisco's documentations about the two options.


# Message Integrity Check (MIC) -- MIC is an additional WEP security feature 
that prevents attacks on encrypted packets called bit-flip attacks. The MIC, 
implemented on both the access point and all associated client devices, adds 
a few bytes to each packet to make the packets tamperproof.

# Temporal Key Integrity Protocol (TKIP) -- TKIP, also known as WEP key 
hashing, is an additional WEP security feature that defends against an 
attack on WEP in which the intruder uses an unencrypted segment called the 
initialization vector (IV) in encrypted packets to calculate the WEP key.

In the end, these bridges are in WEP128, but are they vulnerable to the 
common WEP flaws (IV attacks, and vulnerable to airsnort's scans)?

To be more secure, I use a GRE+IPsec tunnel (at the moment using DES encryption, later I 
will use AES128) between the two sites connected via the wifi 
bridge.
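Mike's thread (4) asks why broadcast key rotation could stand in for TKIP when it leaves the unicast key untouched, and the Cisco text quoted in thread 5 describes the MIC as "a few bytes" per packet that stop bit-flip attacks. For standard WPA/TKIP those bytes are the Michael MIC from IEEE 802.11i. The Python below is an added example, not code from the thread, from Cisco or from the IEEE: it implements Michael from the published block function, checks it against the standard's all-zero-key/empty-message test vector, and shows that flipping one plaintext bit (which RC4's XOR keystream lets an attacker do to a WEP frame without knowing the key, fixing up the CRC-32 ICV as they go) leaves the receiver with a MIC mismatch. The key, the two MAC addresses and the payload in the demo are constructed; the addresses reuse the station MACs seen in the threads only as sample values.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    """Swap the two bytes inside each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l, r):
    """The Michael block function b(L, R) from IEEE 802.11i."""
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC: 64-bit key, 64-bit tag, little-endian 32-bit words."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Pad with 0x5a and then 4..7 zero bytes so the length is a multiple of 4.
    zeros = 4 + (-(len(msg) + 1)) % 4
    padded = msg + b"\x5a" + b"\x00" * zeros
    for off in range(0, len(padded), 4):
        l ^= struct.unpack_from("<I", padded, off)[0]
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic(key, da, sa, priority, msdu):
    """TKIP runs Michael over DA || SA || priority || 3 zero bytes || MSDU,
    so the addresses are authenticated as well as the payload."""
    return michael(key, da + sa + bytes([priority, 0, 0, 0]) + msdu)


def tkip_mic_ok(key, da, sa, priority, msdu, mic):
    return hmac.compare_digest(tkip_mic(key, da, sa, priority, msdu), mic)


def bit_flip_detected(key, da, sa, priority, msdu, byte_index, bit):
    """Flip one plaintext bit, as a WEP bit-flip attack does through RC4's XOR
    keystream, and report whether the receiver's Michael check rejects the frame."""
    mic = tkip_mic(key, da, sa, priority, msdu)
    tampered = bytearray(msdu)
    tampered[byte_index] ^= 1 << bit
    return not tkip_mic_ok(key, da, sa, priority, bytes(tampered), mic)


# Constructed sample values (assumptions, not from the page).
DEMO_KEY = bytes.fromhex("0011223344556677")
DEMO_DA = bytes.fromhex("004096a7c594")
DEMO_SA = bytes.fromhex("000e3568a238")
DEMO_MSDU = b"\x45\x00\x00\x3c" + b"GET / HTTP/1.0\r\n"

if __name__ == "__main__":
    # 802.11i test vector: all-zero key, empty message -> 82925c1ca1d130b8
    print("vector:", michael(bytes(8), b"").hex())
    mic = tkip_mic(DEMO_KEY, DEMO_DA, DEMO_SA, 0, DEMO_MSDU)
    print("mic:", mic.hex(), "verifies:", tkip_mic_ok(DEMO_KEY, DEMO_DA, DEMO_SA, 0, DEMO_MSDU, mic))
    print("bit flip detected:", bit_flip_detected(DEMO_KEY, DEMO_DA, DEMO_SA, 0, DEMO_MSDU, 3, 0))
```

Michael was built to run on legacy WEP hardware and its designer put its forgery resistance at roughly 2^20 work, which is far below what a 64-bit tag suggests; that is why 802.11i pairs it with the countermeasures seen in the threads above (the 60-second hold after two failures) instead of trusting the MIC on its own. It also bears on Mike's question: broadcast key rotation only changes the group key, while the keyed per-frame check shown here exists only because TKIP gives each session its own MIC key.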



 

6. Cisco WLC - WPA MIC Errors.....all AP's same syptoms

7. IP phone i2004 audio mic level is low

8. 2 line headset with common mic?


