Agreeing with John: set the timer to zero and don't look back. The headache of 
the countermeasures is not worth trying to keep them in play.

Lee Badman
________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[[email protected]] On Behalf Of Jonn Martell [[email protected]]
Sent: Friday, October 22, 2010 5:16 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] WCS Error

Hi Chris,

MIC (message integrity check) was really a "patch" for TKIP to prevent
replay attacks.  I happened to be in the IEEE TGI working group when
this feature was heavily discussed.  Many felt that the
countermeasures were more harmful than beneficial. I still remember
the notion passing after the argument was made that "TKIP will be
short lived and this will be a non-issue". This is another reason to
move from TKIP (WPA) to AES (WPA2).

My understanding is that the countermeasures impact any new connection
for 60 seconds. So effectively one trigger creates a DOS for all new
users!

I would consider reducing or turning off the countermeasure.  On WLC
(4.1 or greater):

    config wlan security tkip hold-down <X> <wlan id>

Where X is the number of seconds to deny access to your WLAN on a MIC
trigger.  Use 0 to disable MIC.

Jonn Martell, Director of Technical Operations, FDU Vancouver

On Fri, Oct 22, 2010 at 1:26 PM, Chris Wandell <[email protected]> wrote:
> Hello All,
>
> We have been seeing a lot of MIC errors on WCS this semester, "The AP
> 'xxxxxx' received a WPA MIC error on protocol '0' from Station
> 'xx.xx.xx.xx.xx.xx'. Counter measures have been activated and traffic has
> been suspended for 60 seconds".
> What I have read is that this may be a problem with the mac addresses for
> the IPAD, as well as out of date device drivers for other wireless card
> vendors. I have also found you can turn the reporting of these errors off,
> but am a little wary of that.
> Has anyone run into this and what would be the downside to disabling this?
> The upside I would think would be that the ap wouldn't be suspending traffic
> for 60 seconds at a clip when this error occurs.
>
> Thanks for any input
>
> Chris Wandell
> Binghamton University
>
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
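
Added example, not part of the original thread and not Cisco code: before changing the hold-down it helps to know which stations and which vendor prefixes are triggering the alarm quoted above, and how much suspended time each AP has accumulated. The sketch below parses that alarm text; the leading timestamp, the AP names and the MAC addresses are constructed assumptions about how the alarms were exported.

```python
import re
from collections import Counter

# Wording copied from the WCS alarm quoted in the thread. The leading
# timestamp is an assumed export format, not something the thread shows.
ALARM = re.compile(
    r"^(?P<ts>\S+) The AP '(?P<ap>[^']+)' received a WPA MIC error on "
    r"protocol '\d+' from Station "
    r"'(?P<sta>[0-9A-Fa-f]{2}(?:[:.\-][0-9A-Fa-f]{2}){5})'\. Counter measures "
    r"have been activated and traffic has been suspended for (?P<secs>\d+) seconds"
)

def normalize_mac(mac):
    """Lower-case and use ':' so 'AA.BB...' and 'aa:bb...' compare equal."""
    return ":".join(re.split(r"[:.\-]", mac.lower()))

def summarize(lines):
    """Tally MIC-triggered hold-downs per station, per OUI and per AP."""
    by_station, by_oui, held_per_ap, unparsed = Counter(), Counter(), Counter(), 0
    for line in lines:
        m = ALARM.match(line.strip())
        if not m:
            unparsed += 1          # keep count so format drift is noticed
            continue
        sta = normalize_mac(m["sta"])
        by_station[sta] += 1
        by_oui[sta[:8]] += 1       # first three octets identify the vendor
        held_per_ap[m["ap"]] += int(m["secs"])  # sum of reported durations
    return {"by_station": by_station, "by_oui": by_oui,
            "held_seconds_per_ap": held_per_ap, "unparsed": unparsed}

# Constructed sample data: AP names, MACs and timestamps are made up.
_MSG = ("{ts} The AP '{ap}' received a WPA MIC error on protocol '0' from "
        "Station '{sta}'. Counter measures have been activated and traffic "
        "has been suspended for 60 seconds")
SAMPLE = [
    _MSG.format(ts="2010-10-22T13:01:10", ap="lib-ap-01", sta="02:00:5E:10:00:01"),
    _MSG.format(ts="2010-10-22T13:09:42", ap="lib-ap-01", sta="02.00.5e.10.00.01"),
    _MSG.format(ts="2010-10-22T13:15:03", ap="dorm-ap-07", sta="02:00:5e:10:00:02"),
    _MSG.format(ts="2010-10-22T13:20:55", ap="dorm-ap-07", sta="06:aa:bb:00:00:09"),
    "2010-10-22T13:21:00 The AP 'dorm-ap-07' rebooted",
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for sta, n in report["by_station"].most_common():
        print(f"{sta}  {n} hold-down(s)")
    for ap, secs in report["held_seconds_per_ap"].items():
        print(f"{ap}  {secs}s with traffic suspended")
```

A single station or OUI dominating the tally points at a client driver problem; alarms spread evenly across unrelated prefixes deserve a closer look before the countermeasure is switched off.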
