Microsoft Windows 7 clients send M2 key message with Invalid MIC

Document

Fri, 08/11/2017 - 00:11
May 17th, 2014
User Badges: Cisco Employee
Description:

Windows 7 clients connecting to wireless networks with WPA2 and session timeout may get disconnected during the key exchange after re-authentication.

This is because, during the re-keying process, the Win7 clients send message M2 with what the WLC considers to be a MIC error. "debug client" on the WLC will show messages similar to the following:

*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: xx:xx:xx:xx:xx:xx EAPOL-key M2 with invalid secure bit (set) received from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: xx:xx:xx:xx:xx:xx Received EAPOL-key M2 with invalid MIC from mobile xx:xx:xx:xx:xx:xx
*osapiBsnTimer: Apr 01 23:27:39.427: xx:xx:xx:xx:xx:xx 802.1x 'timeoutEvt' Timer expired for station xx:xx:xx:xx:xx:xx and for message = M2
*dot1xMsgTask: Apr 01 23:27:39.427: xx:xx:xx:xx:xx:xx Retransmit 1 of EAPOL-Key M1 (length 121) for mobile xx:xx:xx:xx:xx:xx


Usually at this point, the WLC will retransmit the M1, and then the second time the client sends its M2, it will not have an invalid MIC, and the key exchange will succeed.
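As an added example (not part of the original document and not Cisco code), the following Python script parses "debug client" output of the shape quoted above and summarises, per client MAC, how many M2 messages were rejected for an invalid MIC, whether the WLC's M2 timer expired and M1 was retransmitted (the recovery path described above), and how long the client stalled between the rejected M2 and the timer expiry. The sample log is constructed for this example; only the line shapes come from this document, and the MAC addresses and the second client are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of WLC "debug client" output. The four line shapes are
# taken from this document; MACs, timestamps and the second client are made up.
SAMPLE_DEBUG = """\
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: 00:11:22:33:44:55 EAPOL-key M2 with invalid secure bit (set) received from mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: 00:11:22:33:44:55 Received EAPOL-key M2 with invalid MIC from mobile 00:11:22:33:44:55
*osapiBsnTimer: Apr 01 23:27:39.427: 00:11:22:33:44:55 802.1x 'timeoutEvt' Timer expired for station 00:11:22:33:44:55 and for message = M2
*dot1xMsgTask: Apr 01 23:27:39.427: 00:11:22:33:44:55 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_0: Apr 01 23:31:02.010: 66:77:88:99:aa:bb Received EAPOL-key M2 with invalid MIC from mobile 66:77:88:99:aa:bb
*osapiBsnTimer: Apr 01 23:31:02.318: 66:77:88:99:aa:bb 802.1x 'timeoutEvt' Timer expired for station 66:77:88:99:aa:bb and for message = M2
*dot1xMsgTask: Apr 01 23:31:02.318: 66:77:88:99:aa:bb Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 66:77:88:99:aa:bb
"""

# "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<msg>.*)$"
)
SECURE_BIT_RE = re.compile(r"EAPOL-key M2 with invalid secure bit", re.I)
INVALID_MIC_RE = re.compile(r"Received EAPOL-key M2 with invalid MIC", re.I)
M2_TIMEOUT_RE = re.compile(r"Timer expired for station .* message = M2", re.I)
M1_RETX_RE = re.compile(r"Retransmit (\d+) of EAPOL-Key M1", re.I)


def parse_ts(ts):
    # WLC debug timestamps carry no year; differences within one capture are
    # still correct unless the capture spans New Year.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def analyze_debug_client(text):
    """Return {mac: summary} for every client that had an M2 rejected for an
    invalid MIC. stall_ms lists the delay between each rejected M2 and the
    following M2 timer expiry, which is when the WLC retransmits M1."""
    stats = defaultdict(lambda: {"invalid_secure_bit": 0, "invalid_mic": 0,
                                 "m2_timeouts": 0, "m1_retransmits": 0,
                                 "max_retx": 0, "stall_ms": [],
                                 "_last_bad_m2": None})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a per-client debug line
        mac, msg, ts = m["mac"].lower(), m["msg"], parse_ts(m["ts"])
        s = stats[mac]
        if INVALID_MIC_RE.search(msg):
            s["invalid_mic"] += 1
            s["_last_bad_m2"] = ts
        elif SECURE_BIT_RE.search(msg):
            s["invalid_secure_bit"] += 1
        elif M2_TIMEOUT_RE.search(msg):
            s["m2_timeouts"] += 1
            if s["_last_bad_m2"] is not None:
                gap_ms = (ts - s["_last_bad_m2"]).total_seconds() * 1000
                s["stall_ms"].append(round(gap_ms))
                s["_last_bad_m2"] = None
        else:
            r = M1_RETX_RE.search(msg)
            if r:
                s["m1_retransmits"] += 1
                s["max_retx"] = max(s["max_retx"], int(r.group(1)))

    report = {}
    for mac, s in stats.items():
        if s["invalid_mic"] == 0:
            continue  # client never hit the invalid-MIC path
        summary = {k: v for k, v in s.items() if not k.startswith("_")}
        # "recovered" means the WLC reached the M1 retransmit described above
        summary["recovered"] = s["m1_retransmits"] > 0
        report[mac] = summary
    return report


if __name__ == "__main__":
    for mac, summary in analyze_debug_client(SAMPLE_DEBUG).items():
        print(mac, summary)
```

The M2 timer whose expiry triggers the M1 retransmit is governed by the EAPOL key timeout, so after applying the mitigation in this document the stall_ms values reported for affected clients should shrink accordingly; a client with invalid_mic greater than zero and recovered equal to False is one that dropped off before the retransmit.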

How to reproduce:

- Configure a WLAN with WPA2 + 802.1x (local EAP or RADIUS).
- Enable session timeout.
- Bring any Windows 7 device.
- Connect to the WLAN and complete authentication.
- Wait for the session timeout.

This problem can be mitigated by reducing the EAPOL key retransmission timeout (e.g. "config advanced eap eapol-key-timeout 300"). Be aware that reducing this value might negatively impact key negotiations with some very old and slow clients.

- The issue is not seen with WPA-TKIP or when session timeout is disabled.
- This problem is seen with all client chipsets.

A bug has been filed to track and document this issue:

CSCuh22382  Windows 7 sends M2 key message with Invalid MIC

The bug is in the junked state because this is a Microsoft bug, not a Cisco bug.

Microsoft confirmed this bug and is currently working on a Hotfix to mitigate it.

=============== Update 4 June 2014 ===============

Microsoft has stated that they will not include the fix in Windows Update or issue a Hotfix; a fix can be provided on a case-by-case basis. As mentioned above, this issue can be mitigated by reducing the EAPoL key timeout. The issue was first seen with a timeout value of 3ms; reducing this value to 1msec fixed it.



=============== Update August 2017 ===============

Microsoft fix for this issue:

Win7/Server 2008 R2:

https://support.microsoft.com/en-us/help/3094412/wireless-connection-is-...

Win8.1/Server 2012 R2:

https://support.microsoft.com/en-us/help/4025335/windows-8-1-windows-ser...

This has also been fixed in Win10/Server 2016, build 10586.