
AP541N giving "Michael MIC integrity failure" errors in log

mattparlane
Level 1

Hi all...

My company has an AP541N and it was working fine for about six months, but now roughly once or twice a week it just stops working and needs to be restarted.

Whenever this happens, there are some log messages that look like they relate to the problem. It could be coincidence, but I'm fairly sure they are directly related to, if not the cause of, the issue. Here are the log messages:

Jan 8 12:35:12      warn      hostapd      wlan0: STA ec:1a:59:8a:b6:c0 WPA: Michael MIC integrity failure detected

Jan 8 12:35:12      warn      hostapd      wlan0: STA ec:1a:59:8a:b6:c0 WPA: Reported Michael MIC failure

Jan 8 12:35:11      info      hostapd      The wireless client with MAC address ec:1a:59:8a:b6:c0 has been successfully authenticated.

Jan 8 12:35:11      info      hostapd      wlan0: STA ec:1a:59:8a:b6:c0 WPA: pairwise key exchange completed (WPAv2)

Jan 8 12:35:11      warn      hostapd      wlan0: STA ec:1a:59:8a:b6:c0 WPA: Michael MIC integrity failure detected

Jan 8 12:35:11      warn      hostapd      wlan0: STA ec:1a:59:8a:b6:c0 WPA: Reported Michael MIC failure

Strangely enough, it's always the same MAC address. I've tried adding that address to the block list under MAC filtering but that hasn't changed anything.

I've tried to find that device but haven't been able to; it might be someone's phone, and I can't figure out how to get the MAC address of some of the phones in the office.

Any ideas?

Thanks,

Matt

1 Reply

Eric Moyers
Level 7

Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forum and thanks for a great question.

WPA implements the message integrity code (MIC), often referred to as "Michael," to guard against forgery attacks.

For authentication, WPA uses a combination of open system and 802.1x authentication. Initially, the wireless client authenticates with the access point, which authorizes the client to send frames to the access point. Next, WPA performs user-level authentication with 802.1x. WPA interfaces to an authentication server, such as RADIUS or LDAP, in an enterprise environment. WPA is also capable of operating in what's known as "pre-shared key mode" if no external authentication server is available, such as in homes and small offices.

An issue that WPA does not fix yet is potential denial of service (DoS) attacks. If someone, such as a hacker or disgruntled employee, sends at least two packets each second using an incorrect encryption key, then the access point will kill all user connections for one minute. This is a defense mechanism meant to thwart unauthorized access to the protected side of the network.

Now what does this actually mean in your case? It most likely does not mean someone is trying to hack into your network to do anything malicious. It could be that someone is just trying to get free wireless or, as you said, someone's phone just scanning for access. So let's look at the MAC address using one of many free tools.

http://www.coffer.com/mac_find/

Using a MAC Address Lookup tool - I see that anything starting with "ec:1a:59" belongs to Belkin International Inc.

That tells me it is probably not a phone but possibly a laptop or tablet. 2nd choice (less likely) would be a Belkin router someone has added to the network.

I would look for a laptop with a Belkin wireless USB adapter attached.

Not sure of the magnitude of the search and where this is at but you could also compare the times when this starts to the work schedule of employees and see if you see anything.

Thanks

Eric Moyers    .:|:.:|:.

Cisco Small Business US STAC Advanced Support Engineer

CCNA, CCNA-Wireless

866-606-1866

Mon - Fri 09:30 - 18:30 (UTC - 05:00)

*Please rate the post so others will know when an answer has been found.
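The following Python example is added here and is not from either poster or from Cisco: it parses hostapd log lines in the format quoted in the question, groups Michael MIC failures by station, and reports stations with two failures inside a time window, along with the OUI vendor. The function names, the 60-second default window, the year used to parse the year-less timestamps, and the one-entry OUI table (taken from the lookup in the reply) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: lines copied from the log excerpt in the question.
SAMPLE_LOG = """\
Jan 8 12:35:12      warn      hostapd      wlan0: STA ec:1a:59:8a:b6:c0 WPA: Michael MIC integrity failure detected
Jan 8 12:35:12      warn      hostapd      wlan0: STA ec:1a:59:8a:b6:c0 WPA: Reported Michael MIC failure
Jan 8 12:35:11      info      hostapd      wlan0: STA ec:1a:59:8a:b6:c0 WPA: pairwise key exchange completed (WPAv2)
Jan 8 12:35:11      warn      hostapd      wlan0: STA ec:1a:59:8a:b6:c0 WPA: Michael MIC integrity failure detected
"""

# OUI -> vendor; single entry, as reported by the lookup in the reply.
OUI_VENDORS = {"ec:1a:59": "Belkin International Inc."}

# Match only the "detected" line so each failure is counted once
# (hostapd also logs a "Reported Michael MIC failure" line per event).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\w+\s+hostapd\s+"
    r"(?P<iface>\S+): STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) WPA: "
    r"Michael MIC integrity failure detected\s*$", re.IGNORECASE)

def mic_failures(log_text, year=2000):
    """Return {station MAC: sorted failure timestamps}. The log has no year,
    so an assumed one is supplied; only time differences are used."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["sta"].lower()].append(ts)
    return {sta: sorted(times) for sta, times in events.items()}

def countermeasure_bursts(events, window=timedelta(seconds=60)):
    """Report stations with two consecutive failures no more than `window` apart."""
    report = {}
    for sta, times in events.items():
        bursts = sum(1 for a, b in zip(times, times[1:]) if b - a <= window)
        if bursts:
            report[sta] = {"vendor": OUI_VENDORS.get(sta[:8], "unknown"),
                           "failures": len(times), "bursts": bursts}
    return report

if __name__ == "__main__":
    for sta, info in countermeasure_bursts(mic_failures(SAMPLE_LOG)).items():
        print(sta, info)
```

Run against a full exported log, the per-station timestamps can be compared with the times the access point stopped responding and with staff schedules, as the reply suggests.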