Solved: I did not have any problem

Diana Karolina Rojas · ‎02-23-2017

Hello!

I have a Cisco 2504 WLC with 5 APs and 3 SSID. I have a problem with some users, the WLC disconnects them constantly and when I see my logs I obtain the next error:

Thu Feb 23 14:31:06 2017 WPA MIC Error counter measure activated on Radio with MAC 00:3a:98:7c:8d:70 and Slot ID 0. Station MAC Address is 74:df:bf:b0:5f:dc and WLAN ID is 3.

and in the users logs I see this kind of logs:

10:29:03, Thu, Feb 23, 17 Successfully joined network with BSSID 00:3a:98:77:c6:12
10:59:14, Thu, Feb 23, 17 Received Deauth from 00:3a:98:77:c6:12 with Reason 1
10:59:14, Thu, Feb 23, 17 Successfully joined network with BSSID 00:3a:98:77:c6:12
11:08:57, Thu, Feb 23, 17 Received Deauth from 00:3a:98:77:c6:12 with Reason 14
11:09:10, Thu, Feb 23, 17 Searching for networks with ssid Onsite
11:09:11, Thu, Feb 23, 17 Searching for networks with ssid Onsite
11:09:15, Thu, Feb 23, 17 Searching for networks with ssid Onsite
11:09:15, Thu, Feb 23, 17 Searching for networks with ssid Onsite
11:09:22, Thu, Feb 23, 17 Received Deauth from 00:3a:98:7c:a1:32 with Reason 15
11:09:22, Thu, Feb 23, 17 Potential passphrase mismatch. Please try a different one...
11:10:23, Thu, Feb 23, 17 Searching for networks with ssid Onsite
11:10:23, Thu, Feb 23, 17 Searching for networks with ssid Onsite
11:10:27, Thu, Feb 23, 17 Successfully joined network with BSSID 00:3a:98:77:c6:12

Why is this happen? Take into account that the behavior ONLY occur in ONE of the 3 SSIDs, I actually have 4 users and 3 of them have the problem. Thank you for any support you can give me.

Regards,

Sandeep Choudhary · ‎02-24-2017

Hi,

you are using wpa2 with TKIP and its not correct at all.

you need to use either:

WPA+TKIP

or

WPA2+AES

so please change it on your wlan and try again.

Regards

Dont forget to rate helpful posts

View solution in original post

Diana Karolina Rojas · ‎02-23-2017

Sandeep Choudhary · ‎02-24-2017

Please paste the output of the command.

sh wlan <I'd>

Regards

Dont forget to rate helpful posts

Diana Karolina Rojas · ‎02-24-2017

Hello!

Thanks for your responde, the configuration below:

(Cisco Controller) >show wlan 3

WLAN Identifier.................................. 3
Profile Name..................................... Onsite
Network Name (SSID).............................. Onsite
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control

Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 5
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ onsite
Multicast Interface.............................. Not Configured

--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled

--More-- or (q)uit
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000

--More-- or (q)uit
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------

Regards,

Sandeep Choudhary · ‎02-24-2017

Hi,

you are using wpa2 with TKIP and its not correct at all.

you need to use either:

WPA+TKIP

or

WPA2+AES

so please change it on your wlan and try again.

Regards

Dont forget to rate helpful posts

Diana Karolina Rojas · ‎02-24-2017

Thank you a lot!

I will try it, if I get a good behavior I will rate the answer, If not I will write to you for more support.

Thanks,

Diana Karolina Rojas · ‎03-01-2017

I did not have any problem since the change,

Thank you!

Users disconnect constantly