Hi All,

I questioned our Cisco SE about this and he passed along the following bug 
description.
As you'll read, this affects WPA/WPA2-AES only. I've tested and confirmed 
WPA/TKIP works fine.
The message is a bit misleading in my view.

-Pete

802.11w-capable client fails pairwise key handshake with AES.


Symptom:

An 802.11w-capable client, such as a PC running Windows 8, cannot connect to an
SSID using WPA or WPA2 key management with AES encryption. The AP will send the
M1 pairwise key message, but the PC will never respond with M2.

With "debug client" in effect, a message similar to the following will be seen:

*dot1xMsgTask: Jun 12 20:23:37.471: 00:11:22:33:44:55 Retransmit failure for
EAPOL-Key M1
to mobile 00:11:22:33:44:55, retransmit count 5, mscb deauth count 0

Conditions:

Client is 802.11w-capable, wireless infrastructure is CUWN, SSID using WPA2/AES
or WPA/AES. This bug affects CUWN 5.2.178.0 and above, but not CUWN 4.2 or
earlier, nor does it affect autonomous IOS APs.

Workaround:

Use WPA/TKIP or WPA2/TKIP instead. Note that this will limit the client
to 802.11g/802.11a data rates.

Another workaround is to use a Windows 7, rather than a Windows 8, driver for the
adapter.

Status: Fixed (Resolved)
Severity: 2 - severe
Last Modified: In Last 2 weeks
Product: Cisco 5500 Series Wireless Controllers
1st Found-In: 5.2(178.0), 6.0(183.0), 7.0(98.0), 7.2(103.0), 7.2(104.20)
Fixed-In: 7.0(236.0), 7.3(1.67), 7.2(110.4), 7.0(235.1), 7.2(111.1), 7.4(1.20)
Component(s): wlc-security

(Field definitions: http://tools.cisco.com/Support/BugToolKit/images/Field%20Definitions.html)







From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Anders Nilsson
Sent: Thursday, August 30, 2012 8:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] SV: [WIRELESS-LAN] FWD: [WLAN] Fwd: Advance notice: 
Microsoft Windows 8 and Cisco centralised wireless incompatibility.

Hi Lee (and you others out there)

Well, actually, after talking with my colleagues I found that those who had 
tested eduroam on Win8 didn't experience any problems at all, and we are running 
version 7.0.230 on older WiSMs.
I suspect that the problem as you say might be the drivers on certain WiFi chip 
sets. At least the driver for Intel 5300 chipset. ;)


Cheers
Anders


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: 30 August 2012 12:22
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] FWD: [WLAN] Fwd: Advance notice: Microsoft Windows 8 
and Cisco centralised wireless incompatibility.

Interesting, but we run 7.2 code, and so far only see driver issues on Win 8 
machines. If newer driver available, usually gets the Win 8 machine right on 
our wireless networks. Wonder what we're missing...

Sent from an Etch-a-Sketch. Please excuse squiggly lines.

On Aug 30, 2012, at 1:25, "Anders Nilsson" <anders.nils...@adm.umu.se> wrote:
Hi,

I'm forwarding this from a colleague in the UK which looks rather serious.
I've not yet read it through but found it so urgent that I'll forward it right 
away.

Cheers
Anders Nilsson
Umeå university
SUNET Sweden


From: "Paul Hill (phill)" <ph...@cisco.com>
Subject: Advance notice: Microsoft Windows 8 and Cisco centralised wireless 
incompatibility.
Date: August 29, 2012 21:22:20 GMT+02:00
To: wireless-ad...@jiscmail.ac.uk
Reply-To: Wireless Issues in the JANET community <wireless-ad...@jiscmail.ac.uk>

Hi all,

I wanted to pre-advise colleagues in advance of a formal Field Notice coming
out shortly that a serious software bug exists in all Cisco centralised
wireless controller versions which support pre-standard Management Frame
Protection (MFP) that will render Windows 8 devices completely unable to
connect to Cisco APs under centralised control, with no easy workaround.

This will affect every institution on the list using Cisco centralised
wireless so I hope the non-Cisco colleagues won't mind this broadcast as
it's quite important to avoid clients starting to pop up that can't connect
for no apparent reason. Cisco has asked every employee, every partner and
every other contractor we have a relationship with to proactively reach
out to our/their customers to advise of this problem - so you might hear
this twice or more from various contacts / lists / sources over the coming
weeks.

Problem: Microsoft Windows 8, to be released on October 26th, is among the
first clients to support IEEE 802.11w natively in the OS. Clients running
802.11w fail to connect to Cisco's MFP capable APs because of interoperability
issues in the service capability negotiation. It is /not/ possible to address
this by simply disabling MFP on the Cisco Infrastructure, and Microsoft confirm
that Windows 8 does not provide any way (e.g., RegKey, Group Policy) to turn
off 802.11w as it is considered a positive feature to always have turned on
for security purposes. The Cisco bug ID tracking this is CSCua29504.

Solution: The only two solutions are:
1. Update the Controller code to a fixed version.
2. Downgrade to a pre-Windows 8 wireless NIC driver on the client device -
where that option is available - as 802.11w is NIC driver and/or supplicant
dependent. The only allowance Windows 8 makes is to not enforce 802.11w
on pre-Windows 8 driver sets which will not work with most vendors' NICs
otherwise. Clearly, the support implications of advising end users to do
this will not scale, will not work indefinitely, and Cisco is not relying
on this option as any kind of sustainable or permanent workaround.

The plan is to patch the bug so that Windows 8 and other 802.11w capable
clients can connect to Cisco infrastructure on the 7.0 code train (Early
September), 7.2 code train (Late September) and 7.3 first release code train
(Available by the end of August).

This fix does not implement 802.11w but instead ensures that the communication
from 802.11w enabled clients is interpreted correctly by the Access Point.
There are no plans to patch this on the 5.0, 5.1, 5.2, 6.0 and 7.1 code-trains
which have passed their End of Software Maintenance (EoSM) or End of Life
(EoL) dates, and so 7.0 is the minimum release to move to if still running
<=7.0 and needing the fix; and 7.2 if running 7.1.  This issue does not affect
version 4.2 and previous.

Finally, the IEEE standard version of MFP - 802.11w (called Protected
Management Frames - PMF) - will be supported in 7.4 (early Q1 2013).

For now, I would advise scheduling a software upgrade window on your Cisco
controllers ready for when the fixed code versions are released (if not wishing,
or not able due to controller model, to adopt 7.3 soon).  This will avoid
a flurry of user support cases coming in the day they start arriving on campus
with Windows 8 devices on or soon after launch. The route to obtain the fixed
software versions is via your normal support channel.

It goes without saying that this is a deeply unfortunate situation to have
arisen, but I hope you won't shoot the messenger! :-) As bugs go this is
right up there as quite a stunner. I expect to be quite busy over the next
few months across Public Sector as this ripples out to customers who have
not been reachable in advance for whatever reason.

Please feel free to share this as widely as possible with any colleagues
or other institutions you believe would be interested that are not on this
list.

Regards,
Paul
--
Paul A. Hill  CCDP, CCNP Wireless, CWNP Inc. CWDP & CWSP
Head of Wireless Technologies, Public Sector UK

Cisco Systems Ltd.       E-mail:     ph...@cisco.com
10 New Square            Direct Tel: +44 (0)20 8824 8534
Bedfont Lakes            Direct Fax: +44 (0)20 7900 2337
Feltham                  Mobile *:   As Direct Telephone
Middlesex                Main Tel:   +44 (0)20 8824 1000
TW14 8HA                 Main Fax:   +44 (0)20 8824 1001
United Kingdom           Voicemail:  844 48534
* Single Number Reach rings all of my contact devices simultaneously.

Cisco Systems Limited (Company Number: 02558939), is registered in England and 
Wales with its registered office at 1 Callaghan Square, Cardiff, South 
Glamorgan CF10 5BT.

This e-mail may contain confidential and privileged material for the sole use 
of the intended recipient. Any review, use, distribution or disclosure by 
others is strictly prohibited. If you are not the intended recipient (or 
authorised to receive for the recipient), please contact the sender by reply 
e-mail and delete all copies of this message.

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

________________________________
This electronic message is intended to be for the use only of the named 
recipient, and may contain information that is confidential or privileged. If 
you are not the intended recipient, you are hereby notified that any 
disclosure, copying, distribution or use of the contents of this message is 
strictly prohibited. If you have received this message in error or are not the 
named recipient, please notify us immediately by contacting the sender at the 
electronic mail address noted above, and delete and destroy all copies of this 
message. Thank you.
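Added example for this thread (it is not code from any of the posts above and not Cisco code): the 802.11w capability that Paul's note says Windows 8 clients advertise is carried in the client's RSN IE (IEEE 802.11 element ID 48, sent in the association request) as the MFPC and MFPR bits of the RSN Capabilities field; a client that supports Protected Management Frames also lists the SHA-256 AKMs and a group management cipher (BIP). The thread does not say which field the controller mis-handled, so what follows is a decoder for checking what a client actually advertises, together with the association outcome the 802.11w standard prescribes for each combination of bits; it is not a reproduction of CSCua29504. The three sample IEs are constructed for illustration, not captured from a Windows 8 machine.

```python
"""RSN IE decoder and 802.11w (PMF) negotiation rule. Added example; the
sample IEs below are constructed, not captured frames."""
import struct

RSN_EID = 48
OUI_IEEE = b"\x00\x0f\xac"
# Cipher suite and AKM suite types under the IEEE 00-0F-AC OUI.
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128"}
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256"}
# RSN Capabilities field (2 octets, little-endian): bit 6 MFPR, bit 7 MFPC.
MFPR = 1 << 6
MFPC = 1 << 7


def _suite_name(sel, table):
    """Name one 4-octet suite selector (3-octet OUI + 1-octet type)."""
    if len(sel) < 4:
        raise ValueError("truncated suite selector")
    if sel[:3] != OUI_IEEE:
        return "vendor-%s-%d" % (sel[:3].hex(), sel[3])
    return table.get(sel[3], "type-%d" % sel[3])


def _suite_list(body, off, table):
    """Read a 2-octet LE count followed by that many suite selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("suite count exceeds IE length")
    names = [_suite_name(body[off + 4 * i:off + 4 * i + 4], table) for i in range(count)]
    return names, off + 4 * count


def parse_rsn_ie(ie):
    """Decode an RSN IE (element ID, length, body) into its suites and flags.
    Version, group cipher, pairwise list and AKM list are mandatory; the
    capabilities, PMKID list and group management cipher are optional and
    are only decoded when the element length says they are present."""
    if len(ie) < 2 or ie[0] != RSN_EID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    off = 2
    group = _suite_name(body[off:off + 4], CIPHER)
    off += 4
    pairwise, off = _suite_list(body, off, CIPHER)
    akms, off = _suite_list(body, off, AKM)
    caps = 0
    if off + 2 <= len(body):                 # RSN Capabilities (optional)
        (caps,) = struct.unpack_from("<H", body, off)
        off += 2
    if off + 2 <= len(body):                 # PMKID count + PMKID list
        (npmkid,) = struct.unpack_from("<H", body, off)
        off += 2 + 16 * npmkid
    group_mgmt = None
    if off + 4 <= len(body):                 # only sent by 802.11w clients
        group_mgmt = _suite_name(body[off:off + 4], CIPHER)
    return {"version": version, "group_cipher": group,
            "pairwise_ciphers": pairwise, "akms": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR),
            "group_mgmt_cipher": group_mgmt}


def negotiate_pmf(ap_mfpc, ap_mfpr, sta_mfpc, sta_mfpr):
    """Outcome the 802.11w standard prescribes for a pair of capability bits:
    PMF is used only if both sides are capable; a side that requires PMF must
    refuse a peer that is not capable; otherwise associate without PMF. An AP
    without 802.11w (neither bit set) must therefore still accept a client
    that merely advertises MFPC, which is what Windows 8 does."""
    if ap_mfpc and sta_mfpc:
        return "pmf"
    if (ap_mfpr and not sta_mfpc) or (sta_mfpr and not ap_mfpc):
        return "reject"
    return "no-pmf"


# Constructed samples (not captures). WPA2-Enterprise with AES, no 802.11w:
LEGACY_AES = bytes.fromhex(
    "30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00")
# Same, but MFPC set, 802.1X-SHA256 AKM offered and BIP named as group
# management cipher, as a PMF-capable supplicant would send.
PMF_CAPABLE_AES = bytes.fromhex(
    "30 1e 01 00 00 0f ac 04 01 00 00 0f ac 04 02 00 00 0f ac 01 00 0f ac 05"
    " 80 00 00 00 00 0f ac 06")
# TKIP-only client, i.e. the thread's interim workaround.
LEGACY_TKIP = bytes.fromhex(
    "30 14 01 00 00 0f ac 02 01 00 00 0f ac 02 01 00 00 0f ac 01 00 00")

if __name__ == "__main__":
    for name, ie in (("legacy AES", LEGACY_AES), ("PMF-capable AES", PMF_CAPABLE_AES),
                     ("TKIP", LEGACY_TKIP)):
        d = parse_rsn_ie(ie)
        print("%-16s pairwise=%s akm=%s MFPC=%d MFPR=%d -> pre-802.11w AP should: %s"
              % (name, d["pairwise_ciphers"], d["akms"], d["mfpc"], d["mfpr"],
                 negotiate_pmf(False, False, d["mfpc"], d["mfpr"])))
```

Run stand-alone it prints each sample's ciphers, AKMs and MFP bits, and what an AP that has no 802.11w of its own should do with them: associate the MFPC-only client without PMF, exactly as it would a legacy client. To check a real client, paste the bytes of the RSN tag from its Association Request (as shown in a packet capture) into `parse_rsn_ie`; a client showing MFPC=1 against a controller on one of the affected CUWN releases is the case the thread describes.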

