Windows 7 clients connecting to wireless networks with WPA2 and session timeout may get disconnected during the key exchange after re-authentication.
This happens because, during the re-keying process, the Windows 7 clients send message M2 with what the WLC considers to be a MIC error. "debug client" on the WLC will show messages similar to the following:
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: xx:xx:xx:xx:xx:xx EAPOL-key M2 with invalid secure bit (set) received from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: xx:xx:xx:xx:xx:xx Received EAPOL-key M2 with invalid MIC from mobile xx:xx:xx:xx:xx:xx
*osapiBsnTimer: Apr 01 23:27:39.427: xx:xx:xx:xx:xx:xx 802.1x 'timeoutEvt' Timer expired for station xx:xx:xx:xx:xx:xx and for message = M2
*dot1xMsgTask: Apr 01 23:27:39.427: xx:xx:xx:xx:xx:xx Retransmit 1 of EAPOL-Key M1 (length 121) for mobile xx:xx:xx:xx:xx:xx
Usually at this point, the WLC will retransmit the M1, and then the second time the client sends its M2, it will not have an invalid MIC, and the key exchange will succeed.
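To spot this pattern in a saved "debug client" capture, here is an added helper (not part of the original post or of any Cisco tool) that parses lines of the format shown above and reports, per client MAC, how many M2 frames were rejected with an invalid MIC, how many M2 timers expired, how many M1 retransmits followed, and how long each rekey stalled between the rejected M2 and the M1 retransmit. The log text is a constructed sample modelled on the lines above, with placeholder MAC addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of WLC "debug client" output (placeholder MACs, not real devices).
SAMPLE_LOG = """\
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: 00:11:22:33:44:55 EAPOL-key M2 with invalid secure bit (set) received from mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: 00:11:22:33:44:55 Received EAPOL-key M2 with invalid MIC from mobile 00:11:22:33:44:55
*osapiBsnTimer: Apr 01 23:27:39.427: 00:11:22:33:44:55 802.1x 'timeoutEvt' Timer expired for station 00:11:22:33:44:55 and for message = M2
*dot1xMsgTask: Apr 01 23:27:39.427: 00:11:22:33:44:55 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_0: Apr 01 23:30:01.002: 66:77:88:99:aa:bb Received EAPOL-key M2 with invalid MIC from mobile 66:77:88:99:aa:bb
"""

# "*<task>: <Mon DD HH:MM:SS.mmm>: <client mac> <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>\S+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.IGNORECASE)

def parse_line(line):
    """Return (task, timestamp, mac, message) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")  # WLC timestamps carry no year
    return m["task"], ts, m["mac"].lower(), m["msg"]

def analyze(log_text):
    """Per-client counts of rejected M2s, M2 timer expiries and M1 retransmits,
    plus the stall (ms) between each rejected M2 and the M1 retransmit that followed."""
    stats = defaultdict(lambda: {"invalid_mic": 0, "m2_timeout": 0,
                                 "m1_retransmit": 0, "stall_ms": []})
    last_bad_m2 = {}  # mac -> timestamp of the most recent rejected M2
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _, ts, mac, msg = parsed
        s = stats[mac]
        if "M2 with invalid MIC" in msg:
            s["invalid_mic"] += 1
            last_bad_m2[mac] = ts
        elif "'timeoutEvt' Timer expired" in msg and msg.endswith("message = M2"):
            s["m2_timeout"] += 1
        elif re.search(r"Retransmit \d+ of EAPOL-Key M1", msg):
            s["m1_retransmit"] += 1
            if mac in last_bad_m2:  # measure the rekey stall for this client
                s["stall_ms"].append(round((ts - last_bad_m2.pop(mac)).total_seconds() * 1000))
    return dict(stats)
```

A large stall_ms value with repeated M1 retransmits is the symptom this post describes, and is what lowering the EAPOL key timeout shortens.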
How to reproduce:
- Configure a WLAN with WPA2 + 802.1x (local EAP or RADIUS).
- Enable session timeout.
- Bring any Windows 7 device.
- Connect to the WLAN and complete authentication.
- Wait for the session timeout.
This problem can be mitigated by reducing the EAPOL key retransmission timeout (e.g. "config advanced eap eapol-key-timeout 300"). Be aware that reducing this value might negatively impact key negotiations with some very old and slow clients.
- Issue is not seen with WPA-TKIP or if session timeout is disabled.
- This problem is seen with all client chipsets.
A bug has been filed to track and document this issue:
CSCuh22382 - Windows 7 sends M2 key message with invalid MIC
The bug is in junked state, as this is a Microsoft bug, not a Cisco one.
Microsoft confirmed this bug and is currently working on a hotfix to mitigate it.
=============== Update 4 June 2014 ===============
Microsoft has informed us that they will not include the fix in Windows Update or release a hotfix; the fix can be provided on a case-by-case basis. As mentioned above, this issue can be mitigated by reducing the EAPOL key timeout. The issue was first seen with a timeout value of 3ms; reducing this value to 1msec fixed the issue.
=============== Update August 2017 ===============