We’ve encountered some clients on our wireless network that seem to handle roaming worse than other clients. Our WLC (Cisco 8540) responds by excluding the client after some failed attempts (which, of course, works as it should).

The culprit seems to be that the clients use old CCKM data when re-associating/roaming:

“Received Timestamp deviation > 1 sec in REASSOC REQ IE from mobile”

I know this can be tuned (“config wlan security wpa akm cckm timestamp-tolerance”), but that also increases the chance of replay attacks (the WLC even warns about this). However, I’m not sure if this is a “real” security issue in practice (e.g. raising the tolerance from 1000ms to 5000ms).

Since these are the first clients we’ve observed with this issue, I’m more inclined to ask the vendor to fix the issue on their end, but I know that will be a “fight” (that I’m not sure if I want to have). The “easiest” solution is of course just to increase the tolerance (if that helps, that is).

What is the BCP on this matter?

