Upon upgrading a test access point from IOS 12.3(8)JA2 to IOS 12.4(3g)JA/IOS 12.4(3g)JA1, clients using Dot1x/EAP Authentication and WPA/TKIP Encryption fail to authenticate with the Access Point. They go into an associate, authenticate, client cancels authentication, de-associate, associate... cycle. Logs from the Radius Server indicate authentication was successful and debug logs from the Access Point confirm this.
After on-site troubleshooting & client debugs/packet sniffing, the problem symptoms are exactly the same as detailed in Bug CSCsi02700 (in both the Bug Toolkit & IOS Release Notes).
The difference is the platform (an AP1131 platform, rather than AP1231) and the suggested workaround does not solve the problem (all SSIDs are configured to only use WPA key-management, AES is not used).
Client side (Vista/Intel 3945 ABG wireless card) tracing seems to reveal a zero-length key in one of the handshake packets:
 11:59:40.708 Port<165> 0336A878 Start Processing Event <MSMSEC_PORT_PRIVATE_EVENT_KEY_PACKET>
 11:59:40.708 Key received for port XX:XX:XX:XX:XX:XX
 11:59:40.708 WPA Key Receive: AP:XX:XX:XX:XX:XX -> CL:XX:XX:XX:XX:XX
 11:59:40.708 Received replay counter 2, current replay counter 0
 11:59:40.708 WPA Key info: Mic 1, Secure 0, Error 0, Request 0, Ver 1, Type 1, Index 0, Install 1, Ack 1
 11:59:40.708 Reserved fields: Reserved1 0
 11:59:40.708 WPA Key Receive: Key Message M3
 11:59:40.708 WPA Message 3: KeyLength = 32, MIC = 1, Ack = 1, Secure 0
 11:59:40.708 No key data in M3
 11:59:40.708 M3 key data invalid
 11:59:40.708 CRITICAL: Validating M3 data failed (L2 294918), giving up
 11:59:40.708 CRITICAL: Reason is 294918
 11:59:40.708 Port<165> Supplicant failed (Reason 294918), self CL:XX:XX:XX:XX:XX, peer AP:XX:XX:XX:XX:XX
The access point has both multiple SSIDs (using MBSSID) and multiple Vlans. Clients using WPA-PSK seem to work just fine with the new IOS version.
No other workarounds seem to be viable, and the problem is present when using either Dot11Radio0 (B/G) or Dot11Radio1 (A). Downgrading the Access point back to 12.3(8)JA2 solves the problem.
Has anyone else experienced this problem? Or can anyone else clarify whether the Release Notes are not accurate in detailing the scope of this bug/caveat?