Configuring WPA
WPA access points and clients verify the integrity of a wireless frame
received on the network by generating a keyed message integrity check
(MIC). The Michael MIC used with TKIP provides a holddown mechanism
to protect the network against tampering.
If the recalculated MIC matches the MIC received with the frame, the
frame passes the integrity check and the access point or client
processes the frame normally.
If the recalculated MIC does not match the MIC received with the
frame, the frame fails the integrity check. This condition is called a
MIC failure. The access point or client discards the frame and also
starts a 60-second timer. If another MIC failure does not occur within
60 seconds, the timer expires. However, if another MIC failure occurs
before the timer expires, the device takes the following actions:
• A MAP that receives another frame with an invalid MIC ends its
  sessions with all TKIP and WEP clients by disassociating from the
  clients. This includes both WPA WEP clients and non-WPA WEP
  clients. The access point also temporarily shuts down the network
  by refusing all association or reassociation requests from TKIP and
  WEP clients. In addition, MSS generates an SNMP trap that
  indicates the WX port and radio that received frames with the two
  MIC failures as well as the source and destination MAC addresses
  in the frames.
• A client that receives another frame with an invalid MIC
  disassociates from its access point and does not send or accept any
  frames encrypted with TKIP or WEP.
The MAP or client refuses to send or receive traffic encrypted with
TKIP or WEP for the duration of the countermeasures timer, which is
60,000 milliseconds (60 seconds) by default. When the
countermeasures timer expires, the access point allows associations
and reassociations and generates new session keys for them. You can
set the countermeasures timer for MAP radios to a value from 0 to
60,000 milliseconds (ms). If you specify 0 ms, the radios do not use
countermeasures but instead continue to accept and forward
encrypted traffic following a second MIC failure. However, MSS still
generates an SNMP trap to inform you of the MIC failure.
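
The MAP-side timer behavior described above, written out as a small Python model. This is an added example, not MSS code: the class, method, and action names are hypothetical, the sample events are constructed, and the handling of failures during the holddown and of the timer after a second failure are assumptions marked in the comments.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class MicHolddown:
    """MAP-side Michael countermeasures as described above; all times in ms."""
    countermeasures_ms: int = 60_000      # configurable 0..60,000; 0 disables
    window_ms: int = 60_000               # timer started by a MIC failure
    timer_started: Optional[int] = None   # when the running failure timer began
    blocked_until: int = 0                # TKIP/WEP refused before this time
    traps: list = field(default_factory=list)

    def __post_init__(self):
        if not 0 <= self.countermeasures_ms <= 60_000:
            raise ValueError("countermeasures timer must be 0..60000 ms")

    def accepts_tkip_wep(self, now: int) -> bool:
        return now >= self.blocked_until

    def on_mic_failure(self, now: int, src: str, dst: str) -> str:
        if not self.accepts_tkip_wep(now):
            return "refused"              # assumption: no MIC check during holddown
        expired = self.timer_started is None or now - self.timer_started >= self.window_ms
        if expired:
            self.timer_started = now      # first failure: discard, start timer
            return "discard"
        self.timer_started = None         # assumption: timer cleared after 2nd failure
        self.traps.append((now, src, dst))  # stands in for the SNMP trap
        if self.countermeasures_ms == 0:
            return "discard+trap"         # keep forwarding, but still alert
        self.blocked_until = now + self.countermeasures_ms
        return "discard+trap+disassociate"

def replay(events, **cfg):
    """Run (time_ms, src_mac, dst_mac) MIC-failure events through the model."""
    m = MicHolddown(**cfg)
    return [m.on_mic_failure(*e) for e in events], m

# Constructed sample events (MAC addresses are made up).
EVENTS = [(0, "00:00:5e:00:53:01", "00:00:5e:00:53:02"),
          (70_000, "00:00:5e:00:53:01", "00:00:5e:00:53:02"),
          (100_000, "00:00:5e:00:53:03", "00:00:5e:00:53:02"),
          (120_000, "00:00:5e:00:53:03", "00:00:5e:00:53:02")]

if __name__ == "__main__":
    for cfg in ({}, {"countermeasures_ms": 0}):
        actions, model = replay(EVENTS, **cfg)
        print(cfg or "default", actions, "traps:", len(model.traps))
```

With the default timer the third event triggers the holddown and the fourth is refused; with the timer set to 0 the same events produce a trap but traffic keeps flowing.
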
The MIC used by CCMP, CBC-MAC, is even stronger than Michael and
does not require or provide countermeasures. WEP does not use a MIC.
Instead, WEP performs a cyclic redundancy check (CRC) on the frame and
generates an integrity check value (ICV).