Hey, I'm finding these outputs conflicting. To my knowledge, when you are performing AES-CCMP, there is no concept of TSCs. PNs are used. I suppose you are encrypting the radios using TKIP? Would it be possible to show the Dotradio config? What SW are you running on the bridges?
Regards,
Sebastiaan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
Sent: 09 January 2011 23:57
To: [email protected]
Subject: [CCIE Wireless] WGB with EAP-TLS and CCKM (Stalder Dominic)

Interesting stuff Dominic. I have always slightly worried that they want to do EAP-TLS client on a WGB. Do you have any documentation on how you get the Certificate on the WGB?

regards.
Kristjan

Today's Topics:

   1. WGB with EAP-TLS and CCKM (Stalder Dominic)

----------------------------------------------------------------------

Message: 1
Date: Wed, 5 Jan 2011 17:41:26 +0000
From: Stalder Dominic <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [CCIE Wireless] WGB with EAP-TLS and CCKM
Message-ID: <c94a6bd6.29f6%[email protected]>
Content-Type: text/plain; charset="us-ascii"

Hi there

I was just playing around and tried to configure a WGB with EAP-TLS and CCKM. If I use the following configuration without CCKM, all works great:

    dot11 ssid wgb-eap-tls
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa

If I change it to CCKM, after the reauth timeout it re-connects the WGB and shows the message at the bottom:

    wlccp ap username d password 7 050F020B25
    wlccp authentication-server infrastructure eap_methods
    wlccp authentication-server client any eap_methods
     ssid wgb-eap-tls
    wlccp wds priority 255 interface BVI1
    dot11 ssid wgb-eap-tls
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management cckm

    Jan 5 17:33:10.971: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP root 003a.9927.57b0 [EAP-TLS CCKM]
    Jan 5 17:33:11.008: %DOT11-4-CCMP_REPLAY: AES-CCMP TSC replay was detected on a packet (TSC 0x2) received from 003a.9927.57b0.
    Jan 5 17:33:11.108: %DOT11-4-CCMP_REPLAY: AES-CCMP TSC replay was detected on a packet (TSC 0x2) received from 003a.9927.57b0.

@Cisco it says:
AES-CCMP TSC replay was indicated on a frame. A replay of the AES-CCMP TSC in a received packet almost indicates an active attack.

I do not attack my own network ;-)

Does anybody know what the problem could be?

Regards
Dominic

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
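
Added example, not part of the original thread and not Cisco's code: a minimal Python model of the receiver-side replay check that CCMP performs on the 48-bit packet number (PN) carried in the 8-byte CCMP header, which is the counter the log above prints as "TSC". The class and function names are hypothetical, and the frames are constructed sample data; only the transmitter address is taken from the log.

```python
def build_ccmp_header(pn, key_id=0):
    """Build the 8-byte CCMP header: PN0 PN1 Rsvd Flags PN2 PN3 PN4 PN5."""
    b = pn.to_bytes(6, "little")
    # Flags octet: ExtIV (bit 5) is always set for CCMP, key ID sits in bits 6-7.
    return bytes([b[0], b[1], 0, 0x20 | (key_id << 6), b[2], b[3], b[4], b[5]])


def parse_ccmp_header(hdr):
    """Return (pn, key_id) from an 8-byte CCMP header."""
    if len(hdr) < 8:
        raise ValueError("CCMP header is 8 octets")
    if not hdr[3] & 0x20:
        raise ValueError("ExtIV bit clear: not a CCMP header")
    # PN0 is the least significant octet; the PN skips octets 2 and 3.
    pn_octets = bytes([hdr[0], hdr[1], hdr[4], hdr[5], hdr[6], hdr[7]])
    return int.from_bytes(pn_octets, "little"), hdr[3] >> 6


class CcmpReplayCheck:
    """Hypothetical receiver state: one counter per (transmitter, key ID, TID)."""

    def __init__(self):
        self._last_pn = {}

    def install_key(self, ta, key_id):
        # A newly installed temporal key starts with its replay counters at 0.
        for k in [k for k in self._last_pn if k[:2] == (ta, key_id)]:
            del self._last_pn[k]

    def accept(self, ta, tid, hdr):
        """True if the frame's PN is strictly greater than the last accepted PN."""
        pn, key_id = parse_ccmp_header(hdr)
        k = (ta, key_id, tid)
        if pn <= self._last_pn.get(k, 0):
            return False  # the receiver drops the frame and counts a replay
        self._last_pn[k] = pn
        return True


def demo():
    ap = "003a.9927.57b0"  # transmitter address from the log in the thread
    rx = CcmpReplayCheck()
    # Constructed frames: PN 2 arrives twice, the second copy is rejected.
    results = [rx.accept(ap, 0, build_ccmp_header(pn)) for pn in (1, 2, 2, 3)]
    rx.install_key(ap, 0)  # new key: the sender's PN restarts from 1
    results.append(rx.accept(ap, 0, build_ccmp_header(1)))
    return results


if __name__ == "__main__":
    print(demo())
```

The model shows only that the check is a strict "greater than" comparison scoped to the installed key, so sender and receiver must agree on when a key and its counters start over.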
