Part of the problem is how sensitive TKIP is to errors in the MIC. It only takes two Michael failures in a 60 second period to trigger a rekeying. I think they went overboard in trying to correct just how bad WEP was and is by making TKIP very strong, relatively speaking. TKIP has proven fairly resilient, but everything should be on CCMP-AES at this point.
Just curious, which rates are you running? We disabled 1 and 2 mbit/s everywhere and 5.5mbit/s in one dorm about six months ago for testing. I've thought some about disabling 6mbit/s, 9mbit/s as well across campus. Not planning on touching the MCS rates though Sent from a grassfire using smoke signals ________________________________ From: Jerry Bucklaew<mailto:j...@buffalo.edu> Sent: 3/30/2015 1:44 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Cisco 2702 APs and MacOS security error? We ran into multiple TKIP issues with clients about 2 years ago and disabled all TKIP use at that time. We have around 45k unique clients and they all seem to work fine with TKIP disabled. The other think we did at the same time was drop all the lower speed rates On 03/30/2015 01:29 PM, Dennis Xu wrote: > We have had several tickets opened for this issue. We use mixed AP models > 3702/3602/3502/1142/1131. We allow both WPA/TKIP and WPA2/AES under WLAN. I > don't have details about which APs did clients connect to when the issue > happened. I have asked clients to provide details but no replies. Has anyone > confirmed this was caused by the WPA/TKIP setting? > I searched one client MAC address in Prime Infrastructure and it appears the > client was connected as WPA2/AES. > > Our syslog shows following error for this client: > *Dot1x_NW_MsgTask_2: Mar 24 15:00:15.733: #DOT1X-3-WPA_KEY_MIC_ERR: > 1x_eapkey.c:703 TKIP MIC errors reported in EAPOL key msg from client > 28:cf:da:ee:51:52 > > I opened a case with TAC. TAC required the "debug client" output but I have > not been able to collect that yet. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
