WPA1- Dissociation Issue

Cisco Aironet 1200 series AP
Dell Laptops (In built Wireless NIC, + Cisco PCMCIA)

Security: WPA -
Auth: PEAP w/ EAP MSCHAP-V2 (802.1x to radius), PKI
Encryp: TKIP, RC4

Hi All,

I'm trying to set up a wireless network, and am encountering a strange problem with TKIP.  Every 20 minutes (or so, the timings appear random) the AP switches its security method to "Open" causing all clients associated with that particular AP, to drop the connection, and connect to a neighbouring AP.  The AP's security method then comes back online, in a matter of seconds, and the connection then reverts back to the original AP, but in the meantime, connection to clients has been lost...

I have tried several different AP's, and am sure there is no RF interference causing the connection to drop out. All the firmware for client cards and AP’s is fully up to date.  This issue occurs even with CISCO AP – CISCO CLIENT, so there doesn’t seem to be any vendor specific-ness involved.

When another encryption method is in use (WPA2).. the above does not occur. Unfortunately, WPA2 is not a viable option due to Microsoft’s unwillingness to allow group policy application!

So... If anyone can shed some light on why the above is happening, or could provide some technical information about TKIP which may explain as to why this is happening, it would be greatly appreciated.

I am not expecting a full answer, therefore I have not applied a large amount of points, to what I believe is a difficult question. If an answer does exceed my expectation (someone has a perfect answer) then I will award more points accordingly.

Thanks a lot in advance!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Does it matter what channel or frequency you're using?
FrilAuthor Commented:
sorry for the late response.. I have been away for the last few days...

No, the channel selection doesn't make a difference, we performed an RF survey, and there are no intefering signals...

to clarify, using TKIP/WPA, the Cisco AP changes its authentication method to open for a few miliseconds. The client spots another AP with better security measures, and roams. It then roams back seconds later as its neighbour AP is fully secure again.  If only 1 AP is turned on, the security measures on the AP continue to flick between open and secure, however roaming doesn't occur (well.. as theres nowhere to roam to:)

And again, I am really only expecting some links and technical info on TKIP, as I doubt this is an obvious problem (I hope I'm wrong!)

TKIP has an entire rekeying mechanism, and also does per packet key mixing... which were meant to address major WEP weaknesses. Could be one of those two things that might be messing you up. I don't remember off the top the key management mechanisms of WPA2, even though it obviously uses AES.

Here are some links of what TKIP is:
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

FrilAuthor Commented:
Thanks for your response.  I am aware of how TKIP operates, but I was wondering if there were any technical resources to explain more specifically how it works, as opposed to just explanations on what it is? RFC type documents.. :)

WPA2 / AES is not in use here.
I would suspect a defective AP.  There is NO WAY that an AP setup for WPA should accept ANY open connection EVER!  This is completely unacceptable and leads me to believe that there is a problem in the AP.

You might check if Cisco has updated firmware that solves this problem but if not, you might consider scrapping this thing and getting an AP that doesn't compromise your security.
FrilAuthor Commented:
This has been reproduced with 3 Cisco 1200series APs.

jhance: The open connection does not allow users to connect, the AP switches to open, forcing all users associated to roam to another AP that has adequate security, then switches back (takes milliseconds), but with our auth methods in place, it would not be possible for anyone else to associate anyway...All firmware is the latest available.

I discovered the following, although I don't feel its the problem in this case.. i'm willing to try anything

"If a TKIP implementation detects two failed forgeries in a second, the design assumes it is under active attack. In this case, the station deletes its keys, disassociates, waits for a minute, and then reassociates. While this disrupts communications, it is necessary to thwart active attack."

but I would assume debugging on the AP would have told me this before, plus it happens in milliseconds, not 1 minute... I will be checking this later this week, but I welcome any further suggestions...
Maybe you can do packet sniffing for a period of time and hopefully catch machines trying to associate with your network? I completely forgot about that particular attack.

However, you might then be able to catch the machine that is doing that. Some people do that just to mess around. But yes, that is one of the weakneeses of WPA... they won't necessarily get INTO the network, but they can disable it for a period of time. And of course, since TKIP isn't in WPA2....
Try this for a while: don't allow the network to send out the SSID on one of your APs. It's going to be more annoying for users, but just try it.
FrilAuthor Commented:
I will be performing testing on the AP's tomorrow, and will let you know if either the above work.  I assume that someone is not intentionally attacking the AP, maybe nearby wireless users are unwillingly cutting off the connection.. Air sniffers should find this..

I will keep you informed, and thanks to everyone for the suggestions so far...
FrilAuthor Commented:
Hi Guys,

just to tell you, I've managed to fix this problem.  The issue.......

well, it turns out, i'd been using an SSID with a space, and the Cisco Fat AP's have issues dealing with spaces!!!!!!!!!!

So, changed the SSID to remove the spaces, and ... the connection remains secure, no clients roam...

so thanks for your advice on this matter, and hopefully this post will save someobody as much time as its taken me to fix this!

I think that it would be good to keep this one for reference purposes. Most things like this are bound to happen to someone else too.
PAQed with points refunded (100)

Community Support Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Hardware

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.