Ok good, but who is doing WPA today? WPA2/AES is the only encryption we use (and 
everyone else should use as well) and as far as I know this is where the bug will 
bite us.
I was under the impression that Cisco would release a patch today for the 7.0 
train.

Cheers
Anders Nilsson
Umeå university
SUNET Sweden

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian McDonald
Sent: 3 September 2012 10:33
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] FWD: [WLAN] Fwd: Advance notice: Microsoft Windows 8 
and Cisco centralised wireless incompatibility.

I've checked with a Cisco Engineer and this is a non-issue. It is Cisco being 
pro-active about fixing the bug so that 11w capable clients can join the Cisco 
wireless network. Below is what the Cisco engineer explained.

The bug is CSCua29504: 802.11w-capable client fails a pairwise key handshake 
with AES 802.11w capable clients using WPA/WPA2 with AES, and will not be able 
to successfully connect to Cisco Controller-based Access Points configured with 
CUWN releases 5.2.178.0 to 7.2.110.0.  This bug does not impact customers 
running WPA/TKIP. 
It does not impact releases prior to 5.2.178.0, nor does it impact standalone 
(autonomous) releases.

The 7.3 release (posted on August 30th 2012) fixes this interoperability 
issue. So, if you intend on supporting clients with 802.11w (which will not be 
broadly available until the November / December timeframe this year), Cisco 
recommends upgrading the Wireless LAN Controllers to the new 7.3 code which is 
available on Cisco CCO. However, if for some reason you do not want to move 
forward to the 7.3 release then the same fix will be posted by the end of 
September in the 7.0 and 7.2 code trains - thus eliminating the issue from all 
supported software versions.

--
ian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Anders Nilsson
Sent: 30 August 2012 06:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] FWD: [WLAN] Fwd: Advance notice: Microsoft Windows 8 
and Cisco centralised wireless incompatibility.
Importance: High

Hi,

I'm forwarding this from a colleague in the UK which looks rather serious.
I've not yet read it through but found it so urgent that I'll forward it right 
away.

Cheers
Anders Nilsson
Umeå university
SUNET Sweden

From: "Paul Hill (phill)" <ph...@cisco.com>
Subject: Advance notice: Microsoft Windows 8 and Cisco centralised wireless 
incompatibility.
Date: August 29, 2012 21:22:20 GMT+02:00
To: wireless-ad...@jiscmail.ac.uk
Reply-To: Wireless Issues in the JANET community <wireless-ad...@jiscmail.ac.uk>

Hi all,

I wanted to pre-advise colleagues in advance of a formal Field Notice coming 
out shortly that a serious software bug exists in all Cisco centralised 
wireless controller versions which support pre-standard Management Frame 
Protection (MFP) that will render Windows 8 devices completely unable to 
connect to Cisco APs under centralised control, with no easy workaround.

This will affect every institution on the list using Cisco centralised wireless 
so I hope the non-Cisco colleagues won't mind this broadcast as it's quite 
important to avoid clients starting to pop up that can't connect for no 
apparent reason. Cisco has asked every employee, every partner and every other 
contractor we have a relationship with to proactively reach out to our/their 
customers to advise of this problem - so you might hear this twice or more from 
various contacts / lists / sources over the coming weeks.

Problem: Microsoft Windows 8, to be released on October 26th, is among the 
first clients to support IEEE 802.11w natively in the OS. Clients running 
802.11w fail to connect to Cisco's MFP capable APs because of interoperability 
issues in the service capability negotiation. It is /not/ possible to address 
this by simply disabling MFP on the Cisco Infrastructure, and Microsoft confirm 
that Windows 8 does not provide any way (e.g., RegKey, Group Policy) to turn 
off 802.11w as it is considered a positive feature to always have turned on for 
security purposes. The Cisco bug ID tracking this is CSCua29504.

Solution: The only two solutions are:
1. Update the Controller code to a fixed version.
2. Downgrade to a pre-Windows 8 wireless NIC driver on the client device - 
where that option is available - as 802.11w is NIC driver and/or supplicant 
dependent. The only allowance Windows 8 makes is to not enforce 802.11w on 
pre-Windows 8 driver sets which will not work with most vendors' NICs 
otherwise. Clearly, the support implications of advising end users to do this 
will not scale, will not work indefinitely, and Cisco is not relying on this 
option as any kind of sustainable or permanent workaround.

The plan is to patch the bug so that Windows 8 and other 802.11w capable 
clients can connect to Cisco infrastructure on the 7.0 code train (Early 
September), 7.2 code train (Late September) and 7.3 first release code train 
(Available by the end of August).

This fix does not implement 802.11w but instead ensures that the communication 
from 802.11w enabled clients is interpreted correctly by the Access Point.
There are no plans to patch this on the 5.0, 5.1, 5.2, 6.0 and 7.1 code-trains 
which have passed their End of Software Maintenance (EoSM) or End of Life
(EoL) dates, and so 7.0 is the minimum release to move to if still running
<=7.0 and needing the fix; and 7.2 if running 7.1.  This issue does not affect 
version 4.2 and previous.

Finally, the IEEE standard version of MFP - 802.11w (called Protected 
Management Frames - PMF) - will be supported in 7.4 (early Q1 2013).

For now, I would advise scheduling a software upgrade window on your Cisco 
controllers ready for when the fixed code versions are released (if not 
wishing, or not able due to controller model, to adopt 7.3 soon).  This will 
avoid a flurry of user support cases coming in the day they start arriving on 
campus with Windows 8 devices on or soon after launch. The route to obtain the 
fixed software versions is via your normal support channel.

It goes without saying that this is a deeply unfortunate situation to have 
arisen, but I hope you won't shoot the messenger! :-) As bugs go this is right 
up there as quite a stunner. I expect to be quite busy over the next few months 
across Public Sector as this ripples out to customers who have not been 
reachable in advance for whatever reason.

Please feel free to share this as widely as possible with any colleagues or 
other institutions you believe would be interested that are not on this list.

Regards,
Paul
--
Paul A. Hill  CCDP, CCNP Wireless, CWNP Inc. CWDP & CWSP
Head of Wireless Technologies, Public Sector UK

Cisco Systems Ltd.       E-mail:     ph...@cisco.com
10 New Square            Direct Tel: +44 (0)20 8824 8534
Bedfont Lakes            Direct Fax: +44 (0)20 7900 2337
Feltham                  Mobile *:   As Direct Telephone
Middlesex                Main Tel:   +44 (0)20 8824 1000
TW14 8HA                 Main Fax:   +44 (0)20 8824 1001
United Kingdom           Voicemail:  844 48534
* Single Number Reach rings all of my contact devices simultaneously.

Cisco Systems Limited (Company Number: 02558939), is registered in England and 
Wales with its registered office at 1 Callaghan Square, Cardiff, South 
Glamorgan CF10 5BT.

This e-mail may contain confidential and privileged material for the sole use 
of the intended recipient. Any review, use, distribution or disclosure by 
others is strictly prohibited. If you are not the intended recipient (or 
authorised to receive for the recipient), please contact the sender by reply 
e-mail and delete all copies of this message.
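
To gauge how many clients on a network fit the profile described in this thread (802.11w-capable clients using AES), one can inspect the RSN element that clients send when associating. The following is an added example, not part of the original messages and not Cisco code; it assumes the standard RSN element layout (element ID 48, MFP capable/required as capability bits 7 and 6), and the function names, the `matches_advisory` key and the sample bytes are constructed for illustration.

```python
import struct

RSN_ELEMENT_ID = 48                # RSN information element
CCMP = bytes.fromhex("000fac04")   # AES-CCMP cipher suite selector
MFPR, MFPC = 1 << 6, 1 << 7        # RSN capability bits: MFP required / capable

def find_rsn(ies):
    """Walk the element list (id, length, body) and return the RSN body."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        if eid == RSN_ELEMENT_ID:
            return body
        i += 2 + length
    return None

def classify(ies):
    """Report whether a client advertises 802.11w together with AES."""
    body = find_rsn(ies)
    if body is None:
        return None                # no RSN element: open network or legacy WPA

    def u16(off):
        if off + 2 > len(body):
            raise ValueError("truncated RSN element")
        return struct.unpack_from("<H", body, off)[0]

    if u16(0) != 1:
        raise ValueError("unknown RSN version")
    off = 6                        # skip version (2) and group cipher suite (4)
    n = u16(off); off += 2
    pairwise = {body[off + 4 * k:off + 4 * k + 4] for k in range(n)}
    off += 4 * n
    off += 2 + 4 * u16(off)        # skip AKM count and AKM suite list
    if off > len(body):
        raise ValueError("truncated RSN element")
    caps = u16(off) if off < len(body) else 0   # capabilities field is optional
    mfpc, ccmp = bool(caps & MFPC), CCMP in pairwise
    return {"mfpc": mfpc, "mfpr": bool(caps & MFPR), "ccmp": ccmp,
            "matches_advisory": mfpc and ccmp}

def sample(caps):
    """Constructed association-request elements (not a capture): SSID + RSN."""
    rsn = bytes.fromhex("0100000fac040100000fac040100000fac01") + struct.pack("<H", caps)
    return b"\x00\x06campus" + bytes([RSN_ELEMENT_ID, len(rsn)]) + rsn

if __name__ == "__main__":
    for name, caps in [("pre-11w client", 0), ("11w-capable client", MFPC)]:
        print(name, classify(sample(caps)))
```
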

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 
