Nortel Networks 2300 Switch User Manual


 
298 Configuring user encryption
NN47250-500 (320657-F Version 02.01)
TKIP countermeasures
WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed
message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the
network against tampering.
If the recalculated MIC matches the MIC received with the frame, the frame passes the integrity check and the
access point or client processes the frame normally.
If the recalculated MIC does not match the MIC received with the frame, the frame fails the integrity check. This
condition is called a MIC failure. The access point or client discards the frame and also starts a 60-second timer. If
another MIC failure does not occur within 60 seconds, the timer expires. However, if another MIC failure occurs
before the timer expires, the device takes the following actions:
- An AP that receives another frame with an invalid MIC ends its sessions with all TKIP and WEP
  clients by disassociating from the clients. This includes both WPA WEP clients and non-WPA WEP
  clients. The access point also temporarily shuts down the network by refusing all association or
  reassociation requests from TKIP and WEP clients. In addition, WSS Software generates an SNMP
  trap that indicates the WSS port and radio that received frames with the two MIC failures as well as
  the source and destination MAC addresses in the frames.
- A client that receives another frame with an invalid MIC disassociates from its access point and does
  not send or accept any frames encrypted with TKIP or WEP.
- The AP or client refuses to send or receive traffic encrypted with TKIP or WEP for the duration of the
  countermeasures timer, which is 60,000 milliseconds (60 seconds) by default. When the countermeasures
  timer expires, the access point allows associations and reassociations and generates new session keys for
  them. You can set the countermeasures timer for AP radios to a value from 0 to 60,000 milliseconds (ms).
  If you specify 0 ms, the radios do not use countermeasures but instead continue to accept and forward
  encrypted traffic following a second MIC failure. However, WSS Software still generates an SNMP trap
  to inform you of the MIC failure.
The MIC used by CCMP, CBC-MAC, is even stronger than Michael and does not require or provide countermeasures.
WEP does not use a MIC. Instead, WEP performs a cyclic redundancy check (CRC) on the frame and generates an
integrity check value (ICV).
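
The AP-side holddown behavior described above, as an added Python sketch that is not Nortel or WSS Software code. The class, method names and returned action strings are hypothetical, timestamps are plain millisecond integers, and the recorded trap keeps only the time and MAC addresses.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIC_FAILURE_WINDOW_MS = 60_000  # a second failure must arrive before this timer expires
HELD_DOWN_CIPHERS = {"TKIP", "WEP"}  # CCMP clients are not subject to countermeasures


@dataclass
class ApRadioModel:
    """Hypothetical model of one AP radio's TKIP countermeasure state."""
    countermeasures_ms: int = 60_000  # configurable from 0 to 60,000 ms
    first_failure_at: Optional[int] = None
    holddown_until: int = 0
    traps: List[Tuple[int, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.countermeasures_ms <= 60_000:
            raise ValueError("countermeasures timer must be 0..60000 ms")

    def on_mic_failure(self, now_ms: int, src: str, dst: str) -> str:
        """Handle a frame whose recalculated Michael MIC did not match."""
        first = self.first_failure_at
        if first is None or now_ms - first >= MIC_FAILURE_WINDOW_MS:
            self.first_failure_at = now_ms  # start (or restart) the 60-second timer
            return "discard"
        # Second failure before the timer expired: always report it.
        self.first_failure_at = None
        self.traps.append((now_ms, src, dst))  # stands in for the SNMP trap
        if self.countermeasures_ms == 0:
            return "discard+trap"  # countermeasures disabled, traffic continues
        self.holddown_until = now_ms + self.countermeasures_ms
        return "discard+trap+disassociate"

    def accepts_association(self, now_ms: int, cipher: str) -> bool:
        """TKIP and WEP (re)associations are refused while the holddown runs."""
        return not (cipher in HELD_DOWN_CIPHERS and now_ms < self.holddown_until)


if __name__ == "__main__":
    radio = ApRadioModel()
    # Constructed events: (time in ms, source MAC, destination MAC)
    for t, src, dst in [(0, "00:00:5e:00:53:01", "00:00:5e:00:53:02"),
                        (45_000, "00:00:5e:00:53:01", "00:00:5e:00:53:02")]:
        print(t, radio.on_mic_failure(t, src, dst))
    print("TKIP at 50 s:", radio.accepts_association(50_000, "TKIP"))
    print("CCMP at 50 s:", radio.accepts_association(50_000, "CCMP"))
    print("TKIP at 105 s:", radio.accepts_association(105_000, "TKIP"))
```

With the timer set to 0 the second failure is still recorded, which is the case to watch for in trap monitoring because the radio itself takes no protective action.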