Clients can't accociate - TKIP chop-chop attack?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎06-04-2014 05:08 AM
Hello,
one of our customers has a v2110 controller with AP36xx. Since the beginning of this year they have several APs where clients are not able to (re) connect to. Only a reboot of the AP helps. Than clients are able to connect again.
This behaviour happens every few weeks and under higher load sometimes several times a day.
Many APs on different locations are affected.
The traces we took from the APs prior to reboot have the following log messages in common:
Info 05/28/14 07:15:35: Can't deflect TKIP chop-chop attack--no sta!
The software version is 8.11.06.0006-1
Are there any security procedures implemente which cause this issue or is it a bug?
one of our customers has a v2110 controller with AP36xx. Since the beginning of this year they have several APs where clients are not able to (re) connect to. Only a reboot of the AP helps. Than clients are able to connect again.
This behaviour happens every few weeks and under higher load sometimes several times a day.
Many APs on different locations are affected.
The traces we took from the APs prior to reboot have the following log messages in common:
Info 05/28/14 07:15:35: Can't deflect TKIP chop-chop attack--no sta!
The software version is 8.11.06.0006-1
Are there any security procedures implemente which cause this issue or is it a bug?
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎06-04-2014 10:05 AM
Hello,
The quick fix for this is to disable WPA1 and or Auto mode with WPA2. You should set WPA2-AES only. Here is an explanation of the attack - http://wirelessnetworkssecurity.blogspot.com/2013/01/wpa-attacks.html
There is a potential of false positives with clients that are having issues, these are usually driver related.
-Doug
The quick fix for this is to disable WPA1 and or Auto mode with WPA2. You should set WPA2-AES only. Here is an explanation of the attack - http://wirelessnetworkssecurity.blogspot.com/2013/01/wpa-attacks.html
There is a potential of false positives with clients that are having issues, these are usually driver related.
-Doug
Doug Hyde
Director, Technical Support / Extreme Networks
Director, Technical Support / Extreme Networks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎06-04-2014 10:05 AM
Good security recommendation, Doug. If no devices require TKIP moving to AES only is a good choice.
If I remember right some client reconnect issues are fixed in newer firmware releases. The 8.11.06.x firmware is really not up to date. I would recommend you to update the firmware to version 8.21.x or 8.32.x. T
he 8.21.x tree is really stable (my experience in several customer installations).
If I remember right some client reconnect issues are fixed in newer firmware releases. The 8.11.06.x firmware is really not up to date. I would recommend you to update the firmware to version 8.21.x or 8.32.x. T
he 8.21.x tree is really stable (my experience in several customer installations).
