We have had several tickets opened for this issue. We use mixed AP models 3702/3602/3502/1142/1131. We allow both WPA/TKIP and WPA2/AES under WLAN. I don't have details about which APs clients connected to when the issue happened. I have asked clients to provide details but no replies. Has anyone confirmed this was caused by the WPA/TKIP setting? I searched one client MAC address in Prime Infrastructure and it appears the client was connected as WPA2/AES.
Our syslog shows the following error for this client:

*Dot1x_NW_MsgTask_2: Mar 24 15:00:15.733: #DOT1X-3-WPA_KEY_MIC_ERR: 1x_eapkey.c:703 TKIP MIC errors reported in EAPOL key msg from client 28:cf:da:ee:51:52

I opened a case with TAC. TAC required the "debug client" output but I have not been able to collect that yet.

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519-824-4120 Ext 56217
[email protected]
www.uoguelph.ca/ccs

----- Original Message -----
From: "Matthew P Hinson" <[email protected]>
To: [email protected]
Sent: Monday, March 30, 2015 12:58:27 PM
Subject: Re: [WIRELESS-LAN] Cisco 2702 APs and MacOS security error?

Indeed. Our environment sees anywhere from 6-10k unique devices every day. Less than one tenth of one percent of those use TKIP. (6-10 devices total). All of the other devices choose the most robust cipher suite available (CCMP-AES). And I bet we could disable TKIP entirely without any trouble.

Xbox 360s got WPA2-Personal support many years ago via firmware update, but there was a time that they didn't support it well.
http://forums.xbox.com/xbox_forums/xbox_support/f/9/p/298768/1566370.aspx

Also remember that TKIP-RC4 devices are forbidden by the standard from using MCS rates.

Sent from a grassfire using smoke signals

From: Steve Bohrer
Sent: 3/30/2015 10:13 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Cisco 2702 APs and MacOS security error?

We are very small, so my experiences don’t necessarily scale, but we disabled TKIP two years ago with no complaints.

Are lots of people still running TKIP? Are there particular classes of equipment that require it?

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

On Mar 27, 2015, at 12:09 PM, Joe Roth < [email protected] > wrote:

We are in the process of upgrading some buildings to 2702 APs, and after doing our first building clients with Apple hardware are seeing some odd behavior.

They are receiving the attached error. It seems to be related to TKIP. We plan to remove TKIP from the WPA2 SSID this summer anyway and go with AES natively, but in the meantime we are trying to determine a fix.

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
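
Added example, not part of the original thread and not Cisco's code: a small Python triage script that pulls DOT1X-3-WPA_KEY_MIC_ERR messages in the format quoted above out of a syslog export, groups them by client MAC, and lists clients that reported two MIC errors within 60 seconds (the interval in which 802.11 TKIP countermeasures are triggered). The function names, the `year` parameter and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the WLC message format quoted in the thread (timestamp has no year).
MIC_ERR = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"#DOT1X-3-WPA_KEY_MIC_ERR: .*?from client "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def mic_errors_by_client(lines, year=2015):
    """Return {client MAC: sorted list of datetimes} for MIC error messages."""
    events = defaultdict(list)
    for line in lines:
        m = MIC_ERR.search(line)
        if not m:
            continue  # not a TKIP MIC error message
        ts = " ".join(m.group("ts").split())  # collapse padded day-of-month
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")
        events[m.group("mac").lower()].append(when)
    return {mac: sorted(times) for mac, times in events.items()}

def repeat_offenders(events, window=timedelta(seconds=60)):
    """Clients with two consecutive MIC errors no more than `window` apart."""
    return sorted(
        mac for mac, times in events.items()
        if any(b - a <= window for a, b in zip(times, times[1:]))
    )

_FMT = ("*Dot1x_NW_MsgTask_2: Mar 24 {t}: #DOT1X-3-WPA_KEY_MIC_ERR: "
        "1x_eapkey.c:703 TKIP MIC errors reported in EAPOL key msg "
        "from client {mac}")
SAMPLE = [
    _FMT.format(t="15:00:15.733", mac="28:cf:da:ee:51:52"),  # from the thread
    _FMT.format(t="15:02:00.000", mac="02:00:00:00:00:01"),  # constructed
    _FMT.format(t="15:02:41.250", mac="02:00:00:00:00:01"),  # constructed
    _FMT.format(t="15:05:00.000", mac="02:00:00:00:00:02"),  # constructed
    _FMT.format(t="15:20:00.000", mac="02:00:00:00:00:02"),  # constructed
    "*SomeOtherTask: Mar 24 15:03:00.000: unrelated line (constructed)",
]

if __name__ == "__main__":
    by_client = mic_errors_by_client(SAMPLE)
    print({mac: len(t) for mac, t in by_client.items()})
    print(repeat_offenders(by_client))
```

The per-client MAC list can then be cross-referenced against association records to find which AP models the affected clients were on.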
