08-23-2013 05:16 AM - edited 07-04-2021 12:42 AM
Hi Everyone,
We would like to test the access point for security alerts, so we configured the dot11 interface with
encryption mode ciphers tkip
countermeasure tkip hold-time 60
1. Connected to the SSID with a manual IP and a continuous ping to the AP IP
2. From another system, telnetted to the AP and issued the command
test dot11 tx-bad-mic u
3. Issued the above again within 10 secs
Ideally the wireless station and AP should be disconnected, the ping should stop, and it should reconnect only after 60 sec. But in my case it is not even disconnecting.
But we are getting this message on the console:
Mar 1 02:08:02.811: *** Injecting bad TKIP MIC on bcst/mcst
*Mar 1 02:08:02.811: *** Turn OFF injecting bad TKIP MIC
Is there any test case for this? Kindly revert.
08-25-2013 05:13 AM
Hello.
I tried to find any documentation about this command but I could not find any.
I find it is a hidden command also on the AP.
This command (as it indicates) generates a bad MIC. I am not sure if the AP can react to the bad MIC that was generated by itself.
What if you try different AP with same AP configured? make another AP generate the bad MIC and see if the first AP will get affected or not.
Make sure that the new AP's radio is up before trying that.
BTW, where did you find this command? any documentation about it?
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"
08-26-2013 01:13 AM
Dear Amjad,
One of my customers gave me a checklist to verify the security alerts of the AP. He only gave the command. I requested that he give me the model and IOS version on which he checked it and where it is working.
The customer has a 1242 AP, which I checked first; then I checked with a 2600 AP as well, with the same result.
08-27-2013 08:43 PM
TKIP uses Message Integrity Check (MIC) to detect packets that are replayed or forged. Anyone can send (that is, inject) a TKIP-encrypted packet that has been captured and modified, but those packets are dropped because the MIC and checksum do not match the data carried by the packet. APs using TKIP usually transmit an error report when the first bad MIC is received. If a second bad packet arrives within 60 seconds, the AP stops listening for another minute and then "rekeys" the WLAN, requiring all clients to start using a new "pairwise master key" to generate both the MIC key and those per-packet encryption keys.
08-27-2013 11:30 PM
Hi Saurav,
First I will explain how we tested. I configured the autonomous access point and the wireless station got connected.
I started a continuous ping from the station to the AP BVI interface, then I telnetted to the AP and gave the command test dot11 tx-bad-mic u once, and again after 10 sec a second time, the same command. As you said, when the second bad packet arrives it has to disconnect the station. But it is not disconnecting.
10-16-2013 06:19 PM
TKIP MIC Failure Holdoff Time
Choose if you want to enable the TKIP MIC failure hold time. If you click on Disable Holdoff, the hold time is zero. If you enable it and enter the number of seconds, the access point blocks all TKIP clients on that interface for the number of seconds entered.
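As an added worked example (not from the thread, and not Cisco's code), the following Python puts together the two pieces discussed above: Saurav's description of the Michael MIC and the two-failures-in-60-seconds rule, and the hold-time setting quoted from the documentation. The Michael routine is written from the 802.11i definition (64-bit key, 32-bit L/R state, 0x5a padding) and is checked against the standard's zero-key/empty-message test vector; the countermeasure class is a simplified model of the rule, not the AP's implementation. The key, the sample MSDU, the event times and the hold-time of 60 s are constructed for the demonstration.

```python
"""Michael (TKIP MIC) and a model of the TKIP MIC-failure countermeasure timer.

Added example for the thread above. Michael follows the 802.11i definition;
TkipCountermeasures models the rule "a second MIC failure within 60 s triggers
countermeasures for hold_time seconds" (hold_time = 60 is assumed, matching
'countermeasure tkip hold-time 60'; hold_time = 0 models 'Disable Holdoff').
"""
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _xswap(x):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l, r):
    # Michael block function b(L, R) from 802.11i; every step is invertible,
    # so two different states can never merge into the same state.
    r ^= _rotl(l, 17)
    l = (l + r) & MASK
    r ^= _xswap(l)
    l = (l + r) & MASK
    r ^= _rotl(l, 3)
    l = (l + r) & MASK
    r ^= _rotr(l, 2)
    l = (l + r) & MASK
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael MIC of msg under an 8-byte key (little-endian K0, K1)."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Padding: one 0x5a byte, then 4..7 zero bytes so the length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


def mic_ok(key: bytes, msg: bytes, mic: bytes) -> bool:
    """Receiver-side check; a mismatch is a 'MIC failure' event."""
    return hmac.compare_digest(michael(key, msg), mic)


class TkipCountermeasures:
    """Model of the 802.11i TKIP countermeasure rule on an AP.

    First MIC failure: logged only. Second failure within WINDOW seconds:
    countermeasures (TKIP clients dropped, no TKIP for hold_time s, rekey).
    """
    WINDOW = 60.0

    def __init__(self, hold_time=60.0):
        self.hold_time = hold_time
        self.last_failure = None
        self.blocked_until = None

    def tkip_allowed(self, now: float) -> bool:
        return self.blocked_until is None or now >= self.blocked_until

    def mic_failure(self, now: float) -> bool:
        """Record a MIC failure at time `now`; True if countermeasures fired."""
        if self.last_failure is not None and now - self.last_failure < self.WINDOW:
            if self.hold_time > 0:          # 'Disable Holdoff' means hold time zero
                self.blocked_until = now + self.hold_time
            self.last_failure = None        # counter restarts after countermeasures
            return True
        self.last_failure = now
        return False


def demo():
    key = bytes(8)                                     # constructed test key
    msdu = b"constructed sample MSDU payload"          # constructed sample input
    mic = michael(key, msdu)
    tampered = bytearray(msdu)
    tampered[0] ^= 0x01                                # one flipped bit, as a forged frame would show
    ap = TkipCountermeasures(hold_time=60)
    first = ap.mic_failure(0.0)                        # first bad MIC: report only
    second = ap.mic_failure(10.0)                      # second bad MIC 10 s later: countermeasures
    return {
        "good_frame_accepted": mic_ok(key, msdu, mic),
        "tampered_frame_accepted": mic_ok(key, bytes(tampered), mic),
        "first_failure_triggered": first,
        "second_failure_triggered": second,
        "tkip_allowed_at_30s": ap.tkip_allowed(30.0),
        "tkip_allowed_at_70s": ap.tkip_allowed(70.0),
    }


if __name__ == "__main__":
    print(michael(bytes(8), b"").hex())   # 802.11i test vector: 82925c1ca1d130b8
    print(demo())
```

The two `mic_failure` calls at 0 s and 10 s reproduce the thread's test sequence (two `tx-bad-mic` commands 10 seconds apart): the second call is the one that should drop TKIP clients and block them until 70 s. Note that the model only says what the rule demands; whether a given AP's radio firmware can actually originate the bad-MIC frame is the separate question the accepted answer settles.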
10-16-2013 10:35 PM
Hi Everyone,
Thanks to all.
We got the reply from the Cisco BU:
“Only APs that have the AMAC chipset (1131, 1232, 1242) are able to send a bad MIC failure; other AP types use the Marvell chipset, which is not capable of sending a bad MIC in this manner, and since it was only for test purposes, we will not be fixing it so that it will do so. There is no actual reason a customer would ever need to send bad MICs on purpose except to test the functionality of a client, which is what the Wi-Fi Alliance does when it certifies a device.
This command was connected directly to our Cisco chipset used in the 1131, 1232 and 1242 APs and is not extended for use on the Marvell chipset APs. If he needs to do some sort of specific testing of bad MIC frames, he will need to acquire one of those old Cisco APs that support it.”
10-19-2013 11:10 PM
This is valuable info. Thank you for sharing.
11-21-2013 02:42 AM
Hello,
Is there a way that I can generate a broadcast MIC failure using the command dot11 tx-bad-mic?
The reason I want this is that my STA is associated with the AP in WPA/WPA2 mixed mode. In this mode, the broadcast and multicast data are encrypted using TKIP and unicast using AES. So, to test the MIC failure for TKIP, I have to generate this failure for broadcast data.
Can anybody please help me with this information?