WPA MIC alert questions

Nov 3rd, 2008

I have a few questions regarding WPA MIC errors which I seem to encounter quite frequently on the wireless network that I operate.

I'm running on WCS version 4.2.97.0.

On my WLANs, most of them are configured with WPA and WPA2, with both encryption types (TKIP and AES) checked. My auth key mgmt is PSK.

I'm in a university environment so unfortunately most of the laptops connecting to the wireless are personal machines.

My questions are as follows:

1. Does the above configuration sound ideal? I am unsure if it is wise to have both WPA and WPA2 with both encryptions enabled or not. Could this be a cause of the WPA MIC alerts?

2. Also, I seem to recall mention about being able to configure the hold-time when a client triggers the WPA MIC alert. Would it be a good idea to lower the number from a default of 60?

hadbou Fri, 11/07/2008 - 12:52

1) Message Integrity Check (MIC) incorporated in Wi-Fi Protected Access (WPA) includes a frame counter which prevents a man-in-the-middle attack. This error means someone in the network is trying to replay the message that was sent by the original client, or it might mean that the client is faulty. If a client repeatedly fails the MIC check, the controller disables that WLAN for 60 seconds as per the WPA protocol requirements. This prevents a possible attack on the encryption scheme. These MIC errors cannot be turned off on the controllers.

2) Use the "countermeasure tkip hold-time" configuration interface command to configure a TKIP MIC failure holdtime. If the access point detects two MIC failures within 60 seconds, it blocks all the TKIP clients on that interface for the holdtime period. Default is 60 seconds, which is a good value to be configured. If needed, the time can be reduced.
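The rule described in the answer above (two MIC failures within 60 seconds on an interface block its TKIP clients for the hold-time), as an added example that is not part of the original posts: it replays constructed log lines through that rule and counts failures per client, which helps separate one faulty client from failures spread across many. The log format, AP names and MAC addresses are made up for illustration, and resetting the failure counter after a trigger is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical format (not real controller output).
SAMPLE_LOG = """\
2008-11-03 09:00:05 ap=AP-LIB-01 radio=0 event=TKIP_MIC_FAILURE client=00:11:22:33:44:55
2008-11-03 09:02:30 ap=AP-LIB-01 radio=0 event=TKIP_MIC_FAILURE client=00:11:22:33:44:55
2008-11-03 09:02:50 ap=AP-LIB-01 radio=0 event=TKIP_MIC_FAILURE client=00:11:22:33:44:55
2008-11-03 09:03:10 ap=AP-LIB-01 radio=0 event=TKIP_MIC_FAILURE client=66:77:88:99:aa:bb
2008-11-03 09:10:00 ap=AP-DORM-02 radio=0 event=TKIP_MIC_FAILURE client=66:77:88:99:aa:bb
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ap=(?P<ap>\S+) radio=(?P<radio>\d+) "
    r"event=TKIP_MIC_FAILURE client=(?P<client>[0-9a-f:]{17})$"
)

def parse(log):
    """Yield (timestamp, interface, client) for each MIC failure line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, (m["ap"], int(m["radio"])), m["client"]

def simulate(log, window=60, hold_time=60):
    """Apply the rule from the answer: two MIC failures within `window`
    seconds on one interface start a hold-down of `hold_time` seconds."""
    last_failure = {}    # interface -> time of the previous counted failure
    blocked_until = {}   # interface -> end of the current hold-down
    holds, per_client = [], Counter()
    for ts, iface, client in sorted(parse(log)):
        per_client[client] += 1
        if iface in blocked_until and ts < blocked_until[iface]:
            continue  # interface is already holding TKIP clients down
        prev = last_failure.get(iface)
        if prev is not None and (ts - prev).total_seconds() <= window:
            end = ts + timedelta(seconds=hold_time)
            blocked_until[iface] = end
            holds.append((iface, ts, end, client))
            last_failure.pop(iface)  # assumption: counter resets after a trigger
        else:
            last_failure[iface] = ts
    return holds, per_client
```

Running `simulate(SAMPLE_LOG, hold_time=10)` shows how a shorter hold-time shortens the outage window on the affected interface without changing when countermeasures trigger.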
