This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Clients can't accociate - TKIP chop-chop attack?

Clients can't accociate - TKIP chop-chop attack?

Christoph
Contributor

‎06-04-2014 05:08 AM

Hello,

one of our customers has a v2110 controller with AP36xx. Since the beginning of this year they have several APs where clients are not able to (re) connect to. Only a reboot of the AP helps. Than clients are able to connect again.
This behaviour happens every few weeks and under higher load sometimes several times a day.

Many APs on different locations are affected.

The traces we took from the APs prior to reboot have the following log messages in common:
Info 05/28/14 07:15:35: Can't deflect TKIP chop-chop attack--no sta!

The software version is 8.11.06.0006-1

Are there any security procedures implemente which cause this issue or is it a bug?

0 Kudos
6 REPLIES 6

Volker_Kull
Contributor

‎01-27-2015 02:05 PM

Doug,

we use WPA2+AES in all WLAN services and see a lot of "chop-chop" Errors in the logs.
Is the shutdown caused by this event visible in a logfile ?
Can we disable the 30s radio shutdown function after this Event ?

br
Volker
0 Kudos

Christoph
Contributor

‎06-05-2014 06:22 AM

Thank you Doug, the shutdown of the radio explains some effects.

Kind regards
Christoph

0 Kudos

Doug
Extreme Employee

‎06-04-2014 11:28 PM

In the past I have actually seen electrical interference cause the issue too because the wpa tkip keys were received out of order. It was an ap mounted to close to a florescent light ballast. If It's a hacker running chop chop or a bad client our AP's will defend against it by shutting off its radio for 30 seconds to deter the device from learning the key, this also prevents good users from working as well.

-Doug
Doug Hyde
Director, Technical Support / Extreme Networks
0 Kudos

Christoph
Contributor

‎06-04-2014 12:58 PM

Many thanks for your answers.

We know the security limitations of TKIP. But Actually disabling TKIP is not an option. In future we are going to switch over to WPA2 with AES.

Today we did the update to 8.32.

Yet, I'm interest in how the APs behave in case of an TKIP chop-chop attack. Do you have any information on that?

Kind regards
Christoph

0 Kudos
GTM-P2G8KFN