Has anyone implemented this workaround and heard any negative feedback regarding wireless quality? It seems changing the retries down to 0 would result in more dropped sessions and the appearance of a flakier network and possibly triggering more client exclusions?
Chris Toth Senior Network Technician Bowling Green State University (419) 372-8462 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Scharloo, Gertjan Sent: Friday, October 27, 2017 6:06 AM To: [email protected] Subject: Re: [WIRELESS-LAN] Big flaw in WPA2 SMALL Update about Cisco Client workaround: * Troubleshooting TechNotes<https://www.cisco.com/c/en/us/tech/wireless-2f-mobility/wireless-lan-wlan/tsd-technology-support-troubleshooting-technotes-list.html> Wireless KRACK attack client side workaround and detection https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212390-wireless-krack-attack-client-side-workar.html Regards, Gertjan Scharloo ICT Consultant _____ Universiteit van Amsterdam | Hogeschool van Amsterdam ICT Services Leeuwenburg | kamer A9.44 Weesperzijde 190 | 1097 DZ Amsterdam +31 (0)20 525 4885 Mobiel : +31(0) 61013-5880 www.uva.nl<http://www.uva.nl/> uva.nl/profile/g.scharloo Beschikbaar : Ma | - | Wo | Do | Vr | From: wireless-lan <[email protected]<mailto:[email protected]>> on behalf of Gertjan Scharloo <[email protected]<mailto:[email protected]>> Reply-To: wireless-lan <[email protected]<mailto:[email protected]>> Date: Friday, 27 October 2017 at 09:49 To: wireless-lan <[email protected]<mailto:[email protected]>> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2 Hi folks, In a Cisco environment there is a workaround for the client vulnerability : Workaround for CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080 and CVE-2017-13081 Please read : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa#workarounds And read https://twitter.com/vanhoefm/status/923651649595478018 Workaround is very simple (!) : Global Config, (CLI only option) config advanced eap eapol-key-retries 0 (5520) >show advanced eap EAP-Identity-Request Timeout (seconds)……….. 30 EAP-Identity-Request Max Retries…………….. 2 EAP Key-Index for Dynamic WEP……………….. 0 EAP Max-Login Ignore Identity Response……….. enable EAP-Request Timeout (seconds)……………….. 30 EAP-Request Max Retries…………………….. 2 EAPOL-Key Timeout (milliseconds)…………….. 1000 EAPOL-Key Max Retries………………………. 0 EAP-Broadcast Key Interval………………….. 3600 Regards, Gertjan Scharloo ICT Consultant _____ Universiteit van Amsterdam | Hogeschool van Amsterdam ICT Services Leeuwenburg | kamer A9.44 Weesperzijde 190 | 1097 DZ Amsterdam +31 (0)20 525 4885 Mobiel : +31(0) 61013-5880 www.uva.nl<http://www.uva.nl/> uva.nl/profile/g.scharloo twitter : wireless_kid Beschikbaar : Ma | - | Wo | Do | Vr | From: wireless-lan <[email protected]<mailto:[email protected]>> on behalf of Jake Snyder <[email protected]<mailto:[email protected]>> Reply-To: wireless-lan <[email protected]<mailto:[email protected]>> Date: Thursday, 19 October 2017 at 15:24 To: wireless-lan <[email protected]<mailto:[email protected]>> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2 You have more faith in the WFA than I. I’m sure our next houses will be Wi-Fi certified Krack-Free. Sent from my iPhone On Oct 19, 2017, at 5:13 AM, Osborne, Bruce W (Network Operations) <[email protected]<mailto:[email protected]>> wrote: The specification, like many, was vague in implementation details and practically all vendors chose a poor, insecure design. The only claw in WPA2 was vagueness in the specification. I understand the Wi-Fi Alliance is working on remedying that as well as specifically testing for KRACK in its certification testing. Since many implementations were likely based off the chipmakers reference designs, this is not very surprising. Bruce Osborne Senior Network Engineer Network Operations - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Marcelo Maraboli [mailto:[email protected]] Sent: Wednesday, October 18, 2017 11:56 AM Subject: Re: Big flaw in WPA2 if it were a Design Flaw, no patch can fix it.... we would need to upgrade to WPA3 or something. the fact that there is patch going on, is that either every implementation is wrong (not likely) or the specification (how to code the Design) did not address boundaries or restrictions that should/must be cared for. or am I wrong ? regards, On 10/16/17 4:32 PM, Hector J Rios wrote: The short answer is Yes. Hector Rios Louisiana State University From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Mike Cunningham Sent: Monday, October 16, 2017 1:58 PM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2 If this is a flaw in the design of the WPA2 protocol isn’t the fix going to need to be made on both sides of the communication link? Access points will all need to be updated but also all client wifi drivers are going to need to be updated on all wifi enabled devices that support WPA2, right? Mike Cunningham From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Stephen Belcher Sent: Monday, October 16, 2017 10:40 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2 From Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa / Stephen Belcher Assistant Director of Network Operations WVU Information Technology Services One Waterfront Place / PO Box 6500 Morgantown, WV 26506 (304) 293-8440 office (681) 214-3389 mobile [email protected]<mailto:[email protected]> ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]<mailto:[email protected]>> on behalf of Richard Nedwich <[email protected]<mailto:[email protected]>> Sent: Monday, October 16, 2017 10:34:43 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2 Ruckus is providing a response today. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ________________________________ This email may contain confidential information about a Pennsylvania College of Technology student. It is intended solely for the use of the recipient. This email may contain information that is considered an “educational record” subject to the protections of the Family Educational Rights and Privacy Act Regulations. The regulations may be found at 34 C.F.R. Part 99 for your reference. The recipient may only use or disclose the information in accordance with the requirements of the Federal Educational Rights and Privacy Act Regulations. If you have received this transmission in error, please notify the sender immediately and permanently delete the email. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. -- Marcelo Maraboli Rosselott Subdirector de Redes y Seguridad Dirección de Informática Pontificia Universidad Católica de Chile http://informatica.uc.cl/ -- Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul Santiago, Chile Teléfono: (56) 22354 1341 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
