Cisco ap testing for test dot11 tx-bad-mic u

chandru.j
Level 1

Hi Everyone,

  We like to test the access point for security alert, so we configured dot11 interface with

  encryption mode ciphers tkip

  countermeasure tkip hold-time 60

1.  Connected to the SSID with a manual IP and a continuous ping to the AP IP

2.  In another system, telnetted to the AP and issued the command

test dot11 tx-bad-mic u

3. Issuing the above within 10 secs

Ideally the wireless station and AP should be disconnected, the ping has to stop, and they reconnect after 60 sec only. But in my case it's not even disconnecting

But we are getting msg in console

Mar 1 02:08:02.811: *** Injecting bad TKIP MIC on bcst/mcst  

*Mar 1 02:08:02.811: *** Turn OFF injecting bad TKIP MIC

Is there any test case for this? Kindly revert.

Amjad Abdullah
VIP Alumni

Hello.

I tried to find any documentation about this command but I could not find any.

I find it is a hidden command also on the AP.

This command (as it indicates) generates a bad MIC. I am not sure if the AP can react to the bad MIC that was generated by itself.

What if you try a different AP with the same AP configured? Make another AP generate the bad MIC and see if the first AP will get affected or not.

Make sure that the new AP's radio is up before trying that.

BTW, where did you find this command? Any documentation about it?

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"


Dear Amjad,

   One of my customers gave a checklist to verify the security alert of the AP. He only gave the command. I requested him to give the model and IOS version and where he checked which is working.

   The customer has a 1242 AP, which I checked first; then I checked with a 2600 AP, also the same result.

Saurav Lodh
Level 7

TKIP uses Message Integrity Check (MIC) to detect packets that are replayed or forged. Anyone can send (that is, inject) a TKIP-encrypted packet that has been captured and modified, but those packets are dropped because the MIC and checksum do not match the data carried by the packet. APs using TKIP usually transmit an error report when the first bad MIC is received. If a second bad packet arrives within 60 seconds, the AP stops listening for another minute and then "rekeys" the WLAN, requiring all clients to start using a new "pairwise master key" to generate both the MIC key and those per-packet encryption keys.
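
The timing described in the reply above, as an added example that is not part of the original thread and is not Cisco code: a small model of the "second bad MIC within 60 seconds" rule with a configurable hold time, for working out what a test run should show. The class and function names are hypothetical, the timestamps are constructed, and the default hold time mirrors the `countermeasure tkip hold-time 60` setting from the first post.

```python
# Added illustration: a model of TKIP MIC-failure countermeasure timing.
# Class and function names are hypothetical; this is not Cisco IOS code.
from dataclasses import dataclass, field
from typing import Optional

MIC_WINDOW = 60.0  # seconds: a second failure inside this window trips countermeasures


@dataclass
class TkipCountermeasures:
    hold_time: float = 60.0               # mirrors "countermeasure tkip hold-time 60"
    last_failure: Optional[float] = None  # time of the last counted failure
    hold_until: float = 0.0               # TKIP clients are blocked until this time
    events: list = field(default_factory=list)

    def mic_failure(self, now: float) -> str:
        """Process one detected or reported MIC failure at time `now` (seconds)."""
        if now < self.hold_until:
            action = "ignored-in-hold"     # TKIP clients are already blocked
        elif self.last_failure is not None and now - self.last_failure <= MIC_WINDOW:
            self.hold_until = now + self.hold_time
            self.last_failure = None       # counting restarts after the hold
            action = "countermeasures"     # drop TKIP clients, rekey after the hold
        else:
            self.last_failure = now
            action = "report"              # first failure: report only
        self.events.append((now, action))
        return action

    def may_associate(self, now: float) -> bool:
        """True when a TKIP client is allowed to (re)associate at `now`."""
        return now >= self.hold_until


def expected_outcome(failure_times, hold_time=60.0):
    """Return (actions, earliest_reconnect) for a list of failure timestamps."""
    ap = TkipCountermeasures(hold_time=hold_time)
    actions = [ap.mic_failure(t) for t in sorted(failure_times)]
    reconnect = ap.hold_until if "countermeasures" in actions else None
    return actions, reconnect


if __name__ == "__main__":
    # Constructed timings: two failures 10 s apart, as in the thread's test case.
    print(expected_outcome([0, 10]))
    # Constructed timings: failures more than 60 s apart never trip the hold.
    print(expected_outcome([0, 75]))
```

If a test run produces two failures 10 seconds apart and the station keeps pinging through the hold window, the failures were never counted, which points at the injection step rather than at the hold-time setting.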

Hi Saurav,

   First I will explain how we tested. I configured the autonomous access point and the wireless station got connected.

   I started the continuous ping from the station to the AP BVI interface, and I telnetted to the AP and gave the command test dot11 tx-bad-mic u once, and again after 10 sec a second time the same command. As you said, when the second bad packet arrives it has to disconnect the station. But it's not disconnecting.

Abhishek Abhishek
Cisco Employee

TKIP MIC Failure Holdoff Time

Choose if you want to enable the TKIP MIC failure hold time. If you click on Disable Holdoff, the hold time is zero. If you enable it and enter the number of seconds, the access point blocks all TKIP clients on that interface for the number of seconds entered.

chandru.j
Level 1

Hi Everyone,

Thanks for all.

We got the reply from the Cisco BU.

“Only APs that have the AMAC chipset (1131, 1232, 1242) are applicable to send bad MIC failure; other AP types use the Marvell chipset, which is not capable of sending a bad MIC in this manner, and since it was only for test purposes, we will not be fixing it so that it will do so. There is no actual reason a customer would ever need to send bad MICs on purpose except to test the functionality of a client, which is what the Wi-Fi Alliance does when it certifies a device.

This command was connected directly to our Cisco chipset used in the 1131, 1232 and 1242 APs and is not extended for use on the Marvell chipset APs. If he needs to do some sort of specific testing of bad MIC frames, he will need to acquire one of those old Cisco APs that support it.”

This is valuable info. Thank you for sharing.

Rating useful replies is more useful than saying "Thank you"


Hello,

Is there a way that I can generate a broadcast mic failure using the command dot11 tx-bad-mic?

The reason why I want this is because my STA is associated to the AP in WPA/WPA2 mixed mode. In this mode, the broadcast and multicast data are encrypted using TKIP and unicast using AES. So, to test the MIC failure for TKIP, I have to generate this failure for broadcast data.

Can anybody please help me with this information?
