I just tested the latest Windows 8 version to be released (Windows 8 Enterprise Evaluation build 9200) and I can connect to our secure WLANs with WPA2/AES. Our controllers are running version 7.0.230.0. It seems Microsoft has fixed this issue on Win 8?

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Christopher Wieringa" <cwier...@calvin.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, September 13, 2012 10:51:56 AM
Subject: Re: [WIRELESS-LAN] [WLAN] Fwd: Advance notice: Microsoft Windows 8 and Cisco centralised wireless incompatibility.

Just as an FYI for those running Cisco, I noticed today that 7.0.235.3 was released on Sep 11 2012 for both 4400 series and 5508 series controllers. One of the resolved caveats is bug CSCua29504 which is the Windows 8 802.11w-capable client bug.

Chris Wieringa

>>> On 9/3/2012 at 5:55 AM, Anders Nilsson <anders.nils...@adm.umu.se> wrote:
> Ok good but who is doing WPA today. WPA2/AES is the only encryption we use
> (and everyone else should use as well) and as far as I know this is where
> the bug will bite us.
> I was under the impression that Cisco would release a patch today for the
> 7.0 train.
>
> Cheers
> Anders Nilsson
> Umeå university
> SUNET Sweden
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian McDonald
> Sent: 3 September 2012 10:33
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] FWD: [WLAN] Fwd: Advance notice: Microsoft
> Windows 8 and Cisco centralised wireless incompatibility.
>
> I've checked with a Cisco Engineer and this is a non-issue. It is Cisco being
> pro-active about fixing the bug so that 11w capable clients can join the Cisco
> wireless network. Below is what the Cisco engineer explained.
>
> The bug is CSCua29504: 802.11w-capable client fails a pairwise key handshake
> with AES 802.11w capable clients using WPA/WPA2 with AES, and will not be
> able to successfully connect to Cisco Controller-based Access Points
> configured with CUWN releases 5.2.178.0 to 7.2.110.0. This bug does not
> impact customers running WPA/TKIP.
> It does not impact releases prior to 5.2.178.0, nor does it impact
> standalone (autonomous) releases.
>
> The 7.3 release, (posted on August 30th 2012) fixes this interoperability
> issue. So, if you intend on supporting clients with 802.11w, (which will not
> be broadly available until the November / December timeframe this year),
> Cisco recommends upgrading the Wireless LAN Controllers to the new 7.3 code
> which is available on Cisco CCO. However, if for some reason you do not want
> to move forward to the 7.3 release then the same fix will be posted by the
> end of September in the 7.0 and 7.2 code trains - thus eliminating the issue
> from all supported software versions.
>
> --
> ian
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Anders Nilsson
> Sent: 30 August 2012 06:25
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] FWD: [WLAN] Fwd: Advance notice: Microsoft Windows 8
> and Cisco centralised wireless incompatibility.
> Importance: High
>
> Hi,
>
> I'm forwarding this from a colleague in the UK which looks rather serious.
> I've not yet read it through but found it so urgent that I'll forward it
> right away.
>
> Cheers
> Anders Nilsson
> Umeå university
> SUNET Sweden
>
> From: "Paul Hill (phill)" <ph...@cisco.com>
> Subject: Advance notice: Microsoft Windows 8 and Cisco centralised wireless
> incompatibility.
> Date: August 29, 2012 21:22:20 GMT+02:00
> To: wireless-ad...@jiscmail.ac.uk
> Reply-To: Wireless Issues in the JANET community <wireless-ad...@jiscmail.ac.uk>
>
> Hi all,
>
> I wanted to pre-advise colleagues in advance of a formal Field Notice coming
> out shortly that a serious software bug exists in all Cisco centralised
> wireless controller versions which support pre-standard Management Frame
> Protection (MFP) that will render Windows 8 devices completely unable to
> connect to Cisco APs under centralised control, with no easy workaround.
>
> This will affect every institution on the list using Cisco centralised
> wireless so I hope the non-Cisco colleagues won't mind this broadcast as it's
> quite important to avoid clients starting to pop up that can't connect for no
> apparent reason. Cisco has asked every employee, every partner and every
> other contractor we have a relationship with to proactively reach out to
> our/their customers to advise of this problem - so you might hear this twice
> or more from various contacts / lists / sources over the coming weeks.
>
> Problem: Microsoft Windows 8, to be released on October 26th, is among the
> first clients to support IEEE 802.11w natively in the OS. Clients running
> 802.11w fail to connect to Cisco's MFP capable APs because of
> interoperability issues in the service capability negotiation. It is /not/
> possible to address this by simply disabling MFP on the Cisco Infrastructure,
> and Microsoft confirm that Windows 8 does not provide any way (e.g., RegKey,
> Group Policy) to turn off 802.11w as it is considered a positive feature to
> always have turned on for security purposes. The Cisco bug ID tracking this
> is CSCua29504.
>
> Solution: The only two solutions are:
> 1. Update the Controller code to a fixed version.
> 2. Downgrade to a pre-Windows 8 wireless NIC driver on the client device -
> where that option is available - as 802.11w is NIC driver and/or supplicant
> dependent. The only allowance Windows 8 makes is to not enforce 802.11w on
> pre-Windows 8 driver sets which will not work with most vendors' NICs
> otherwise. Clearly, the support implications of advising end users to do this
> will not scale, will not work indefinitely, and Cisco is not relying on this
> option as any kind of sustainable or permanent workaround.
>
> The plan is to patch the bug so that Windows 8 and other 802.11w capable
> clients can connect to Cisco infrastructure on the 7.0 code train (Early
> September), 7.2 code train (Late September) and 7.3 first release code train
> (Available by the end of August).
>
> This fix does not implement 802.11w but instead ensures that the
> communication from 802.11w enabled clients is interpreted correctly by the
> Access Point.
> There are no plans to patch this on the 5.0, 5.1, 5.2, 6.0 and 7.1
> code-trains which have passed their End of Software Maintenance (EoSM) or
> End of Life (EoL) dates, and so 7.0 is the minimum release to move to if
> still running <=7.0 and needing the fix; and 7.2 if running 7.1. This issue
> does not affect version 4.2 and previous.
>
> Finally, the IEEE standard version of MFP - 802.11w (called Protected
> Management Frames - PMF) - will be supported in 7.4 (early Q1 2013).
>
> For now, I would advise scheduling a software upgrade window on your Cisco
> controllers ready for when the fixed code versions are released (if not
> wishing, or not able due to controller model, to adopt 7.3 soon). This will
> avoid a flurry of user support cases coming in the day they start arriving on
> campus with Windows 8 devices on or soon after launch. The route to obtain
> the fixed software versions is via your normal support channel.
>
> It goes without saying that this is a deeply unfortunate situation to have
> arisen, but I hope you won't shoot the messenger! :-) As bugs go this is right
> up there as quite a stunner. I expect to be quite busy over the next few
> months across Public Sector as this ripples out to customers who have not
> been reachable in advance for whatever reason.
>
> Please feel free to share this as widely as possible with any colleagues or
> other institutions you believe would be interested that are not on this list.
>
> Regards,
> Paul
> --
> Paul A. Hill CCDP, CCNP Wireless, CWNP Inc. CWDP & CWSP
> Head of Wireless Technologies, Public Sector UK
>
> Cisco Systems Ltd.
> 10 New Square
> Bedfont Lakes
> Feltham
> Middlesex
> TW14 8HA
> United Kingdom
>
> E-mail: ph...@cisco.com
> Direct Tel: +44 (0)20 8824 8534
> Direct Fax: +44 (0)20 7900 2337
> Mobile *: As Direct Telephone
> Main Tel: +44 (0)20 8824 1000
> Main Fax: +44 (0)20 8824 1001
> Voicemail: 844 48534
> * Single Number Reach rings all of my contact devices simultaneously.
>
> Cisco Systems Limited (Company Number: 02558939), is registered in England
> and Wales with its registered office at 1 Callaghan Square, Cardiff, South
> Glamorgan CF10 5BT.
>
> This e-mail may contain confidential and privileged material for the sole use
> of the intended recipient. Any review, use, distribution or disclosure by
> others is strictly prohibited. If you are not the intended recipient (or
> authorised to receive for the recipient), please contact the sender by reply
> e-mail and delete all copies of this message.
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.

--
Chris Wieringa
cwier...@calvin.edu
Sr. Systems Engineer
Calvin Information Technology
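
Added example (not part of the thread, and not Cisco or Microsoft code): when triaging a client that cannot join, the RSN information element in its captured association request shows whether it advertises 802.11w, via the MFPC and MFPR bits of the RSN Capabilities field. The sample bytes are constructed and `parse_rsn_mfp` is a hypothetical helper; the thread does not say which part of the negotiation the controller mishandled, so this only shows where the capability is signalled.

```python
import struct

RSN_ELEMENT_ID = 48
MFPR_BIT = 1 << 6  # Management Frame Protection Required
MFPC_BIT = 1 << 7  # Management Frame Protection Capable


def parse_rsn_mfp(ie: bytes) -> dict:
    """Return the 802.11w (MFP) flags advertised in one RSN element.
    Hypothetical helper; expects cipher and AKM lists, else ValueError."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("element shorter than its length field")

    def take(offset, size):
        if offset + size > len(body):
            raise ValueError("truncated RSN element")
        return body[offset:offset + size], offset + size

    raw, pos = take(0, 2)
    version = struct.unpack("<H", raw)[0]
    _group_cipher, pos = take(pos, 4)
    # Pairwise cipher list, then AKM list: each is a 2-byte count
    # followed by that many 4-byte suite selectors.
    for _ in range(2):
        raw, pos = take(pos, 2)
        _suites, pos = take(pos, 4 * struct.unpack("<H", raw)[0])
    # RSN Capabilities is optional; absent means no MFP bits are set.
    caps = 0
    if pos < len(body):
        raw, pos = take(pos, 2)
        caps = struct.unpack("<H", raw)[0]
    return {
        "version": version,
        "mfp_capable": bool(caps & MFPC_BIT),
        "mfp_required": bool(caps & MFPR_BIT),
    }


# Constructed samples: WPA2-Enterprise (AKM 00-0F-AC:1) with CCMP.
LEGACY_CLIENT = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
DOT11W_CLIENT = bytes.fromhex("30140100000fac040100000fac040100000fac018000")

if __name__ == "__main__":
    for name, ie in (("legacy", LEGACY_CLIENT), ("802.11w", DOT11W_CLIENT)):
        print(name, parse_rsn_mfp(ie))
```

Comparing these flags between a client that joins and one that fails to join is a quick way to tell whether 802.11w capability is the variable that differs.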