Mike- You're saying that LWAPP code fixed (and by extension, caused) this situation, I think. I can't see where, other than as best practice, updating drivers is the only answer... Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003 ________________________________
From: King, Michael [mailto:[EMAIL PROTECTED] Sent: Thursday, October 04, 2007 9:28 AM To: [email protected] Subject: Re: [WIRELESS-LAN] WPA "Countermeasures" - radios shutting down in LWAPP for legitimate users Hi Lee. I too am having 100 of these errors a day. We've also been getting large number of complaints that students are getting dropped off. (Up and down as the students term it) It started with the 4.0 code for us. Reports from the Cisco Netpro forums that 4.1.185.0 is the code that fixed this. Nothing was mentioned about turning off the "radio off" period. This is from customers, not Cisco itself. The only concern I have with the 4.1 code right now is I still have 40 ap's that won't support it. (Pre Cisco Acquisition AP's, they don't have enough RAM to load the image) I hope to remedy this in the next few days, and get onto 4.1 in a real hurry. From: Lee H Badman [mailto:[EMAIL PROTECTED] Sent: Thursday, October 04, 2007 9:23 AM To: [email protected] Subject: [WIRELESS-LAN] WPA "Countermeasures" - radios shutting down in LWAPP for legitimate users We are seeing huge quantities of this: The AP '00:0f:f7:a7:a0:c0' received a WPA MIC error on protocol '0' from Station '00:13:02:82:1c:8d'. Counter measures have been activated and traffic has been suspended for 60 seconds. Which means that radios are being disabled for 60 seconds- and all networks on those radios- each time this countermeasure is invoked because of something viewed as a potential attack happens for each user listed, at the front end of the 802.1x authentication/encryption key setup (we're using PEAP w/ MS-CHAP v/TKIP/WPA1). What is very confusing- each user listed ends up on the network, just fine. But in the meantime, we have radios being shut down all over the place. This countermeasure is defined by the standard, so it's hard to bash the hardware in this case. Clients involved are using Mac, XP, and Vista- hundreds daily, and not consistent (sometimes a client has the issue, sometimes not). Our controllers are 4.0.207. Cisco is saying a few things in response: this is likely a client driver issue and that all drivers need to be kept up to date (easier said than done on our campus). Also- in version 4.1 of the controllers, the 60-second "radio off" period can be turned off. Finally, WPA2 negates this. My questions- is anyone else seeing this, and have you found any causes for good clients to show up as attackers and cause the radios to turn off? And, has anyone found any real concerns with 4.1 code on the controllers? Thanks very much- Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
