Hi Chris,

We asked this same question a while back and have decided to turn countermeasures from 60 to zero on our controllers that serve our Resnet areas because that is where the majority of the alarms originated.
Cisco will not officially recommend that you configure a WLAN this way but lets you know that you can ;-) There should be no risk in terms of functionality... but countermeasures are there to address architectural problems with TKIP/MIC, so "disabling" countermeasures leaves your network vulnerable but at very little risk IMO. My understanding is that default countermeasures suspend all traffic, on all radios, on all WLANs when an attack is heard.

Hope this helps,

Ryan Sullivan
University of California, San Diego

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jonn Martell
Sent: Friday, October 22, 2010 2:17 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] WCS Error

Hi Chris,

MIC (message integrity check) was really a "patch" for TKIP to prevent replay attacks. I happened to be in the IEEE TGi working group when this feature was heavily discussed. Many felt that the countermeasures were more harmful than beneficial. I still remember the notion passing after the argument was made that "TKIP will be short lived and this will be a non-issue". This is another reason to move from TKIP (WPA) to AES (WPA2).

My understanding is that the countermeasures impact any new connection for 60 seconds. So effectively one trigger creates a DoS for all new users! I would consider reducing or turning off the countermeasure.

On WLC (4.1 or greater): config wlan security tkip hold-down <X> <wlan id>. Where X is the number of seconds to deny access to your WLAN on a MIC trigger. Use 0 to disable MIC.

Jonn Martell, Director of Technical Operations, FDU Vancouver

On Fri, Oct 22, 2010 at 1:26 PM, Chris Wandell <[email protected]> wrote:
> Hello All,
>
> We have been seeing a lot of MIC errors on WCS this semester, "The AP
> 'xxxxxx' received a WPA MIC error on protocol '0' from Station
> 'xx.xx.xx.xx.xx.xx'. Counter measures have been activated and traffic has
> been suspended for 60 seconds".
> What I have read is that this may be a problem with the MAC addresses for
> the iPad, as well as out-of-date device drivers for other wireless card
> vendors. I have also found you can turn the reporting of these errors off,
> but am a little wary of that.
> Has anyone run into this, and what would be the downside to disabling this?
> The upside, I would think, would be that the AP wouldn't be suspending traffic
> for 60 seconds at a clip when this error occurs.
>
> Thanks for any input
>
> Chris Wandell
> Binghamton University
>
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
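Ryan's decision above rests on knowing where the MIC alarms originate, and Jonn's point is that every trigger costs a hold-down period for all new clients. The script below is an added example (not code from anyone on this thread, and not a Cisco tool) that parses WCS-style alarm text into per-AP and per-station counts and totals the suspended seconds, so an operator can see which controllers or buildings are worth re-tuning before touching the hold-down. The alarm wording is taken from Chris's quoted message; the AP names, MAC addresses and the extra non-MIC line in SAMPLE_ALARMS are constructed, and the `hold_down` default of 60 seconds matches the value discussed in the thread.

```python
import re
from collections import Counter

# Pattern assumed from the WCS alarm text quoted in the thread. WCS writes the
# station MAC with dots ('xx.xx.xx.xx.xx.xx'); colons are accepted too.
MIC_RE = re.compile(
    r"The AP '(?P<ap>[^']+)' received a WPA MIC error on protocol '(?P<proto>\d+)' "
    r"from Station '(?P<sta>(?:[0-9A-Fa-f]{2}[.:]){5}[0-9A-Fa-f]{2})'"
)

# Constructed sample alarms; AP names and MACs are made up for illustration.
SAMPLE_ALARMS = [
    "The AP 'resnet-bldg1-ap03' received a WPA MIC error on protocol '0' from Station "
    "'00.11.22.33.44.55'. Counter measures have been activated and traffic has been "
    "suspended for 60 seconds",
    "The AP 'resnet-bldg1-ap03' received a WPA MIC error on protocol '0' from Station "
    "'00.11.22.33.44.66'. Counter measures have been activated and traffic has been "
    "suspended for 60 seconds",
    "The AP 'library-ap12' received a WPA MIC error on protocol '0' from Station "
    "'00.11.22.33.44.55'. Counter measures have been activated and traffic has been "
    "suspended for 60 seconds",
    "The AP 'library-ap12' reported a rogue AP on channel 6",  # unrelated alarm, ignored
    "The AP 'resnet-bldg1-ap03' received a WPA MIC error on protocol '0' from Station "
    "'00.11.22.33.44.55'. Counter measures have been activated and traffic has been "
    "suspended for 60 seconds",
]


def parse_mic_alarm(line):
    """Return {'ap', 'protocol', 'station'} for a MIC alarm line, else None."""
    m = MIC_RE.search(line)
    if m is None:
        return None
    # Normalise the MAC so dotted and colon forms of the same client collapse together.
    station = m.group("sta").lower().replace(":", ".")
    return {"ap": m.group("ap"), "protocol": int(m.group("proto")), "station": station}


def summarize(lines, hold_down=60):
    """Count MIC alarms per AP and per station and total the hold-down seconds.

    Each alarm suspends new associations for `hold_down` seconds (60 by default,
    the value under discussion), so the total is a rough measure of DoS exposure.
    """
    per_ap = Counter()
    per_station = Counter()
    for line in lines:
        rec = parse_mic_alarm(line)
        if rec is None:
            continue
        per_ap[rec["ap"]] += 1
        per_station[rec["station"]] += 1
    total = sum(per_ap.values())
    return {
        "per_ap": per_ap,
        "per_station": per_station,
        "alarms": total,
        "suspended_seconds": total * hold_down,
    }


def share_by_prefix(summary, prefix):
    """Fraction of MIC alarms raised by APs whose name starts with `prefix`.

    Used to answer the question Ryan answered for UCSD: is most of the noise
    coming from one area (e.g. a 'resnet-' naming convention)?
    """
    if summary["alarms"] == 0:
        return 0.0
    matching = sum(n for ap, n in summary["per_ap"].items() if ap.startswith(prefix))
    return matching / summary["alarms"]


def repeat_offenders(summary, threshold=2):
    """Stations that tripped the MIC countermeasure at least `threshold` times.

    A single client that trips it repeatedly (bad driver, as Chris suspected)
    is a candidate for follow-up rather than a reason to blame the whole WLAN.
    """
    return sorted(sta for sta, n in summary["per_station"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_ALARMS)
    print("alarms:", s["alarms"], "suspended seconds:", s["suspended_seconds"])
    print("per AP:", dict(s["per_ap"]))
    print("resnet share:", share_by_prefix(s, "resnet-"))
    print("repeat offenders:", repeat_offenders(s))
```

Fed real WCS alarm exports instead of the constructed list, the per-AP counts tell you which controllers' WLANs carry the problem; the repeat-offender list points at specific clients to chase down before deciding whether a lower hold-down is warranted.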
