RE: [WIRELESS-LAN] CCKM timestamp tolerance

2018-04-07 Thread Yahya M. Jaber
I would check the WLC RADIUS packets Queue after doing this.

Yahya Jaber.
Sr. Wireless Engineer
IT Network & Communications – Engineering
Building 14, Level 3, Rm 308-WS07
KAUST 23955-6900 Thuwal, KSA

Email yahya.ja...@kaust.edu.sa
Office +966 (0) 12 8081237
Mobile +966 (0) 558697555
On Call Rotation Mobile: +966 54 470 1177


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joachim Tingvold
Sent: Thursday, April 5, 2018 17:09
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] CCKM timestamp tolerance

Hi,

We’ve encountered some clients on our wireless network that seem to handle 
roaming worse than other clients. Our WLC (Cisco 8540) responds by excluding 
the client after some failed attempts (which, of course, works as it should).

The culprit seems to be that the clients use old CCKM data when 
re-associating/roaming;

   “Received Timestamp deviation > 1 sec in REASSOC REQ IE from mobile”

I know this can be tuned (“config wlan security wpa akm cckm 
timestamp-tolerance”), but that also increases the chance of replay attacks 
(the WLC even warns about this). However, I’m not sure whether this is a “real” 
security issue in practice (e.g. raising the tolerance from 1000 ms to 5000 ms).

Since these are the first clients we’ve observed with this issue, I’m more 
inclined to ask the vendor to fix the issue on their end, but I know that will 
be a “fight” (that I’m not sure if I want to have). The “easiest” solution is 
of course just to increase the tolerance (if that helps, that is).

What is the BCP on this matter?

--
Joachim

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.






CCKM timestamp tolerance

2018-04-05 Thread Joachim Tingvold

Hi,

We’ve encountered some clients on our wireless network that seem to 
handle roaming worse than other clients. Our WLC (Cisco 8540) responds 
by excluding the client after some failed attempts (which, of course, 
works as it should).


The culprit seems to be that the clients use old CCKM data when 
re-associating/roaming;


  “Received Timestamp deviation > 1 sec in REASSOC REQ IE from 
mobile”


I know this can be tuned (“config wlan security wpa akm cckm 
timestamp-tolerance”), but that also increases the chance of replay 
attacks (the WLC even warns about this). However, I’m not sure whether this 
is a “real” security issue in practice (e.g. raising the tolerance 
from 1000 ms to 5000 ms).


Since these are the first clients we’ve observed with this issue, 
I’m more inclined to ask the vendor to fix the issue on their end, but 
I know that will be a “fight” (that I’m not sure if I want to 
have). The “easiest” solution is of course just to increase the 
tolerance (if that helps, that is).


What is the BCP on this matter?

--
Joachim
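The trade-off Joachim asks about can be made concrete with a small model of the deviation check. The following is an added illustration, not Cisco code and not part of the original posts: it models a controller-style timestamp check on a reassociation request with a configurable tolerance, reproduces the log line quoted in the thread as the reject reason, and shows two things a defender wants to see side by side: a client whose timestamp is 3 s stale is rejected at the default 1 s tolerance but accepted at 5 s, and the same widening stretches the window in which an identical captured request would still pass the check. The `ReassocRequest` fields, the `dedupe` replay cache and the timestamp values are constructed assumptions for the demonstration; the cache is shown as a generic mitigation idea, not as a WLC feature.

```python
"""Model of a timestamp-deviation check on a roaming (reassociation) request.

Added illustration, not Cisco code. Field names, timestamps and the replay
cache are constructed assumptions; only the reject message mirrors the WLC log
line quoted in the thread.
"""
from dataclasses import dataclass, field


@dataclass
class ReassocRequest:
    client_mac: str
    timestamp_ms: int   # timestamp carried in the request IE (constructed)
    mic: str            # stands in for the integrity check; assumed valid here


@dataclass
class TimestampChecker:
    tolerance_ms: int = 1000            # thread default: deviation > 1 sec rejects
    dedupe: bool = False                # hypothetical replay cache, not a WLC feature
    seen: set = field(default_factory=set)

    def check(self, req: ReassocRequest, now_ms: int):
        """Return (accepted, reason) for a request received at now_ms."""
        deviation = abs(now_ms - req.timestamp_ms)
        if deviation > self.tolerance_ms:
            secs = f"{self.tolerance_ms / 1000:g}"
            return False, (f"Received Timestamp deviation > {secs} sec in "
                           f"REASSOC REQ IE from mobile {req.client_mac}")
        if self.dedupe:
            # Within tolerance, an exact duplicate (same timestamp and MIC)
            # from the same client is a replay candidate: reject it.
            key = (req.client_mac, req.timestamp_ms, req.mic)
            if key in self.seen:
                return False, "duplicate request inside tolerance window"
            self.seen.add(key)
        return True, "accepted"


def replay_window_ms(tolerance_ms: int) -> int:
    """Longest time after it was first sent that an identical captured request
    still passes the deviation check (sender clock assumed in sync)."""
    return tolerance_ms


def simulate():
    """Constructed scenario: one client whose timestamp is 3 s stale."""
    req = ReassocRequest("aa:bb:cc:dd:ee:01", timestamp_ms=100_000, mic="c0ffee")
    stale_now = 103_000       # 3 s deviation
    strict = TimestampChecker(tolerance_ms=1000)
    loose = TimestampChecker(tolerance_ms=5000)
    loose_dedupe = TimestampChecker(tolerance_ms=5000, dedupe=True)

    results = {
        "strict": strict.check(req, stale_now)[0],
        "loose": loose.check(req, stale_now)[0],
        # identical copy presented again 1 s later, still inside 5 s tolerance
        "loose_repeat": loose.check(req, stale_now + 1000)[0],
        "dedupe_first": loose_dedupe.check(req, stale_now)[0],
        "dedupe_repeat": loose_dedupe.check(req, stale_now + 1000)[0],
        "window_ratio": replay_window_ms(5000) // replay_window_ms(1000),
    }
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:>14}: {v}")
```

Read together, the results show why the WLC warns: raising the tolerance from 1 s to 5 s makes the stale client roam again, but it also multiplies the acceptance window for a replayed copy by the same factor, and only an extra check (here, a per-client duplicate cache, which the model adds as an assumption) narrows that window back.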
