Cisco Support Community
Community Member

invalid MIC from Mobile Device

Hello guys,

I have two media tablets, same hardware, same driver. One is working properly and the other one is not able to associate with my SSID.

The debug output shows the following:

*dot1xMsgTask: Feb 06 14:51:25.007: a8:54:b2:00:8b:34 Starting key exchange to mobile a8:54:b2:00:8b:34, data packets will be dropped

*dot1xMsgTask: Feb 06 14:51:25.007: a8:54:b2:00:8b:34 Sending EAPOL-Key Message to mobile a8:54:b2:00:8b:34

                                                                                                              state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00

*Dot1x_NW_MsgTask_4: Feb 06 14:51:25.027: a8:54:b2:00:8b:34 Received EAPOL-Key from mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:25.027: a8:54:b2:00:8b:34 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:25.027: a8:54:b2:00:8b:34 Received EAPOL-key in PTK_START state (message 2) from mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:25.027: a8:54:b2:00:8b:34 Received EAPOL-key M2 with invalid MIC from mobile a8:54:b2:00:8b:34 version 2

*osapiBsnTimer: Feb 06 14:51:26.173: a8:54:b2:00:8b:34 802.1x 'timeoutEvt' Timer expired for station a8:54:b2:00:8b:34 and for message = M2

*dot1xMsgTask: Feb 06 14:51:26.173: a8:54:b2:00:8b:34 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:26.257: a8:54:b2:00:8b:34 Received EAPOL-Key from mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:26.257: a8:54:b2:00:8b:34 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:26.257: a8:54:b2:00:8b:34 Received EAPOL-key in PTK_START state (message 2) from mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:26.257: a8:54:b2:00:8b:34 Received EAPOL-key M2 with invalid MIC from mobile a8:54:b2:00:8b:34 version 2

*osapiBsnTimer: Feb 06 14:51:27.173: a8:54:b2:00:8b:34 802.1x 'timeoutEvt' Timer expired for station a8:54:b2:00:8b:34 and for message = M2

*dot1xMsgTask: Feb 06 14:51:27.173: a8:54:b2:00:8b:34 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:27.197: a8:54:b2:00:8b:34 Received EAPOL-Key from mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:27.197: a8:54:b2:00:8b:34 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:27.197: a8:54:b2:00:8b:34 Received EAPOL-key in PTK_START state (message 2) from mobile a8:54:b2:00:8b:34

*Dot1x_NW_MsgTask_4: Feb 06 14:51:27.197: a8:54:b2:00:8b:34 Received EAPOL-key M2 with invalid MIC from mobile a8:54:b2:00:8b:34 version 2

*osapiBsnTimer: Feb 06 14:51:28.173: a8:54:b2:00:8b:34 802.1x 'timeoutEvt' Timer expired for station a8:54:b2:00:8b:34 and for message = M2

*dot1xMsgTask: Feb 06 14:51:28.173: a8:54:b2:00:8b:34 Retransmit failure for EAPOL-Key M1 to mobile a8:54:b2:00:8b:34, retransmit count 3, mscb deauth count 2

*dot1xMsgTask: Feb 06 14:51:28.173: a8:54:b2:00:8b:34 Resetting MSCB PMK Cache Entry 0 for station a8:54:b2:00:8b:34

*dot1xMsgTask: Feb 06 14:51:28.173: a8:54:b2:00:8b:34 Removing BSSID 34:db:fd:67:89:2a from PMKID cache of station a8:54:b2:00:8b:34

*dot1xMsgTask: Feb 06 14:51:28.173: a8:54:b2:00:8b:34 Setting active key cache index 0 ---> 8

*dot1xMsgTask: Feb 06 14:51:28.173: a8:54:b2:00:8b:34 Sent Deauthenticate to mobile on BSSID 34:db:fd:67:89:20 slot 1(caller 1x_ptsm.c:546)


config of the SSID:

(Cisco Controller) >show wlan 6

WLAN Identifier.................................. 6

Profile Name..................................... Medientechnik

Network Name (SSID).............................. Medientechnik

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Disabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Client Profiling Status ....................... Disabled

   DHCP ......................................... Disabled

   HTTP ......................................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 1

Exclusionlist.................................... Disabled

Session Timeout.................................. 86400 seconds

User Idle Timeout................................ 300 seconds

--More-- or (q)uit

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... KPSS_WLC1

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ medientechnik

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

mDNS Status...................................... Disabled

mDNS Profile Name................................ default-mdns-profile

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

PMIPv6 Mobility Type............................. none

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Per-Client Rate Limits........................... Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

--More-- or (q)uit

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Disabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Enabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ Disabled

   Accounting.................................... Disabled

   Dynamic Interface............................. Disabled

   Dynamic Interface Priority.................... wlan

Local EAP Authentication......................... Disabled

--More-- or (q)uit

Security

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

                                                               Auth Key Management

         802.1x.................................. Disabled

         PSK..................................... Enabled

         CCKM.................................... Disabled

         FT-1X(802.11r).......................... Disabled

         FT-PSK(802.11r)......................... Disabled

         PMF-1X(802.11w)......................... Disabled

         PMF-PSK(802.11w)........................ Disabled

      FT Reassociation Timeout................... 20

      FT Over-The-DS mode........................ Enabled

      GTK Randomization.......................... Disabled

      SKC Cache Support.......................... Disabled

--More-- or (q)uit

      CCKM TSF Tolerance......................... 1000

   WAPI.......................................... Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   FlexConnect Local Switching................... Disabled

   flexconnect Central Dhcp Flag................. Disabled

   flexconnect nat-pat Flag...................... Disabled

   flexconnect Dns Override Flag................. Disabled

   FlexConnect Vlan based Central Switching ..... Disabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Enabled

   Client MFP.................................... Disabled

   PMF........................................... Disabled

   PMF Association Comeback Time................. 1

   PMF SA Query RetryTimeout..................... 200

   Tkip MIC Countermeasure Hold-down Timer....... 60

AVC Visibilty.................................... Disabled

--More-- or (q)uit

AVC Profile Name................................. None

Flow Monitor Name................................ None

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled





(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 7.4.110.0

Bootloader Version............................... 1.0.1

Field Recovery Image Version..................... 6.0.182.0

Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27

Build Type....................................... DATA + WPS



My understanding is that, because of the invalid MIC, the WLC interprets the frames as corrupt?

What could be the problem?

Thanks for your help !!!!

Kind regards

Philip

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

Re: invalid MIC from Mobile Device

Hi Philip,

As per these logs:


*Dot1x_NW_MsgTask_4: Feb 06 14:51:25.027: a8:54:b2:00:8b:34 Received EAPOL-key M2 with invalid MIC from mobile a8:54:b2:00:8b:34 version 2

*osapiBsnTimer: Feb 06 14:51:26.173: a8:54:b2:00:8b:34 802.1x 'timeoutEvt' Timer expired for station a8:54:b2:00:8b:34 and for message = M2

This means you have entered the wrong pre-shared key.

Just check again and enter the correct key.

Regards

Don't forget to rate helpful posts
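
Why a mistyped pre-shared key surfaces as "invalid MIC" on M2, shown as an added example that is not part of the original post and not Cisco's code. The SSID and MAC addresses are taken from the output above; the passphrases and nonces are constructed, and the M2 frame is a minimal one without the RSN IE a real client would carry.

```python
import hashlib, hmac, struct

MIC_OFF = 81  # offset of the 16-byte Key MIC field in an EAPOL-Key frame

def kck(passphrase, ssid, aa, spa, anonce, snonce):
    """Derive the Key Confirmation Key (first 16 bytes of the PTK)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion\x00"
    # IEEE 802.11 PRF, counter 0: one 20-byte HMAC-SHA1 block covers the KCK
    return hmac.new(pmk, label + data + b"\x00", hashlib.sha1).digest()[:16]

def mic(key, frame):
    """Key descriptor version 2: HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(key, zeroed, hashlib.sha1).digest()[:16]

def client_m2(passphrase, ssid, aa, spa, anonce, snonce):
    """Supplicant side: build a minimal M2 and sign it with its own KCK."""
    # EAPOL version 1, type 3 (Key), body length 95, RSN descriptor, M2 key info
    hdr = struct.pack(">BBHBHH", 1, 3, 95, 2, 0x010A, 0)
    # replay counter, SNonce, IV + RSC + reserved, empty MIC, key data length 0
    frame = hdr + bytes(8) + snonce + bytes(32) + bytes(16) + bytes(2)
    tag = mic(kck(passphrase, ssid, aa, spa, anonce, snonce), frame)
    return frame[:MIC_OFF] + tag + frame[MIC_OFF + 16:]

def wlc_accepts_m2(passphrase, ssid, aa, spa, anonce, frame):
    """Authenticator side: recompute the MIC from the configured PSK."""
    snonce = frame[17:49]
    expected = mic(kck(passphrase, ssid, aa, spa, anonce, snonce), frame)
    return hmac.compare_digest(expected, frame[MIC_OFF:MIC_OFF + 16])

SSID = "Medientechnik"                   # SSID from the show wlan output
AA = bytes.fromhex("34dbfd67892a")       # BSSID from the debug output
SPA = bytes.fromhex("a854b2008b34")      # client MAC from the debug output
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
WLC_PSK = "constructed-passphrase"       # constructed, stands in for the WLAN key

def demo():
    """Return (accepted with matching key, accepted with mistyped key)."""
    good = client_m2(WLC_PSK, SSID, AA, SPA, ANONCE, SNONCE)
    typo = client_m2("constructed-passphrasE", SSID, AA, SPA, ANONCE, SNONCE)
    return (wlc_accepts_m2(WLC_PSK, SSID, AA, SPA, ANONCE, good),
            wlc_accepts_m2(WLC_PSK, SSID, AA, SPA, ANONCE, typo))

if __name__ == "__main__":
    print(demo())
```

The controller never sees the client's passphrase, only the MIC, so a one-character difference in the key looks the same as a corrupted frame: the MIC check fails, M2 is dropped, and M1 is retransmitted until the deauthentication seen in the debug output.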

6 REPLIES
Community Member

invalid MIC from Mobile Device

yep thanks a lot problem resolved

customer.... told them three times to put in the key again

wlan & remote =! working well ^^

cheers

Philip

VIP Purple

invalid MIC from Mobile Device

If this is resolved, then can you mark it as answered? It may help others.

Regards

Don't forget to rate helpful posts

Community Member

invalid MIC from Mobile Device

802.11n and Apple iPad, Cisco Cius tablet, and Apple iPhone 4

Each Wi-Fi enabled phone and tablet that supports 802.11n has specific antenna and channel configurations. Specifications for each device are listed on the manufacturer's website. Because these devices are 802.11n-enabled, they can use 802.11n enhancements such as MIMO and frame aggregation to help improve their upstream and downstream performance. The specifications for the Apple iPad, Cisco Cius, and Apple iPhone 4 follow:

• The Apple iPad is a one-spatial stream (single antenna) 802.11n-enabled device that operates in 2.4- and 5-GHz spectrums using 20-MHz channels.

• The Cisco Cius tablet is a one-spatial stream (single antenna) 802.11n-enabled device that operates in the 2.4-GHz spectrum using 20-MHz channels and the 5-GHz spectrum using 20- or 40-MHz channels.

• The Apple iPhone 4 is a one-spatial stream 802.11n-enabled device that operates in only the 2.4-GHz spectrum using 20-MHz channels.

How to Optimize 802.11n WLANs to Support Wi-Fi Enabled Phones and Tablets

The following steps are recommended to help optimize a Cisco Unified Wireless Network 802.11n deployment to more effectively support the Apple iPad, Apple iPhone 4, Cisco Cius tablet, and other Wi-Fi phones, tablets, or clients with similar wireless profiles.

invalid MIC from Mobile Device

Basant,

Good response. Just one note: the newer iPads are 2x2:2.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"


invalid MIC from Mobile Device

!--- This signals the start of validation of message 4 (MIC), which

!--- means client installed the keys. Potential errors after this message

!--- are MIC validation errors, invalid key types, etc.
