I want to share an event you may not see very often in the wild, TKIP countermeasure.
What is a TKIP countermeasure and why is it important?
By deafult, Cisco WLCs and autonomous access points will suspend all TKIP traffic on a radio / ssid if a client sends 2 bad MICs in a 60 second period for a duration of 60 second. This is a measure that prevents the spoofing of frames by hackers.
Fully authorized wireless clients can occasionally send a bad MIC(s). In fact, a colleague of mine once had a bad wireless NIC that was notorious for throwing bad MICs. His machine was a walking "DoS" attack of sorts. LOL
The TKIP countermeasure is a configurable variable by SSID and can be disabled. I blogged about this in December of last year. The commands for both the WLC and Autonomous are below:
So what happen?
I was simply reviewing logs in WCS when an alert popped up. Once I seen 'MIC' in the header I thought right away, is this a TKIP countermeasure event and sure enough. I've since monitored the device to insure it wasnt a problem child.
NOTE: Cisco recommends to disabled TKIP Countermeasure on all Voice SSIDs.
Article originally appeared on my80211.com (http://www.my80211.com/).
See website for complete article licensing information.