I would check the WLC RADIUS packets Queue after doing this.
Yahya Jaber.
Sr. Wireless Engineer
IT Network & Communications – Engineering
Building 14, Level 3, Rm 308-WS07
KAUST 23955-6900 Thuwal, KSA
Email yahya.ja...@kaust.edu.sa
Office +966 (0) 12 8081237
Mobile +966 (0) 558697555
On Call Rotation Mobile: +966 54 470 1177
-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joachim Tingvold
Sent: Thursday, April 5, 2018 17:09
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] CCKM timestamp tolerance
Hi,
We’ve encountered some clients on our wireless network that seem to handle
roaming worse than other clients. Our WLC (Cisco 8540) responds by excluding
the client after some failed attempts (which, of course, works as it should).
The culprit seems to be that the clients use old CCKM-data when
re-associating/roaming;
“Received Timestamp deviation > 1 sec in REASSOC REQ IE from mobile”
I know this can be tuned (“config wlan security wpa akm cckm
timestamp-tolerance”), but that also increases the chance of replay attacks
(the WLC even warns about this). However, I’m not sure if this is a “real”
security issue in practice? (e.g. raising the tolerance from 1000ms to 5000ms).
Since these are the first clients we’ve observed with this issue, I’m more
inclined to ask the vendor to fix the issue on their end, but I know that will
be a “fight” (that I’m not sure if I want to have). The “easiest” solution is
of course just to increase the tolerance (if that helps, that is).
What is the BCP on this matter?
--
Joachim
**
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/discuss.
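
A simplified model of the tolerance trade-off raised in the thread, added here as an illustration; it is not from either poster and is not the WLC's implementation. The class, its fields, the MAC addresses and the timings are constructed, and the per-client last-timestamp guard is a hypothetical extra check used only to show what a wider window alone lets through.

```python
from dataclasses import dataclass, field


@dataclass
class ReassocValidator:
    """Toy freshness check for reassociation requests (assumed model)."""
    tolerance_ms: int
    track_last_seen: bool = False  # hypothetical per-client replay guard
    last_ts: dict = field(default_factory=dict)

    def check(self, client: str, frame_ts_ms: int, now_ms: int) -> str:
        # Window check: the timestamp carried in the request may deviate
        # from the receiver's clock by at most tolerance_ms.
        if abs(now_ms - frame_ts_ms) > self.tolerance_ms:
            return "reject: timestamp deviation"
        # Optional guard: a timestamp that is not newer than the last one
        # accepted from this client is treated as a replay.
        if self.track_last_seen and frame_ts_ms <= self.last_ts.get(client, -1):
            return "reject: replay"
        self.last_ts[client] = frame_ts_ms
        return "accept"


def scenario(tolerance_ms: int, track_last_seen: bool = False) -> dict:
    """Run three constructed requests through one validator."""
    v = ReassocValidator(tolerance_ms, track_last_seen)
    roamer = "02:00:00:00:00:01"  # constructed MAC addresses
    laggard = "02:00:00:00:00:02"
    return {
        # Legitimate request, received as soon as it is sent.
        "fresh": v.check(roamer, 10_000, 10_000),
        # The identical request arriving again 4 s later.
        "same_frame_4s_later": v.check(roamer, 10_000, 14_000),
        # A client building its request from 3 s old data, as in the thread.
        "stale_client": v.check(laggard, 17_000, 20_000),
    }


if __name__ == "__main__":
    for tol, guard in ((1000, False), (5000, False), (5000, True)):
        print(tol, guard, scenario(tol, guard))
```

At 1000 ms both the repeated frame and the stale client are rejected; at 5000 ms both are accepted unless something other than the window distinguishes them.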