EAPOL-Key Timeout Setting on Cisco WLC – Configuration Guide

ciscowlc

I am getting this error for many clients. I don't think they get disconnected, but it's just filling up my logs:

xtrcca204wm40: *Dot1x_NW_MsgTask_3: Dec 15 17:22:36.045: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:957 Received invalid EAPOL-key M2 msg in START  state - invalid secure bit; KeyLen 40, Key type 1, client cc:3d:82:5d:f5:43

I've read many Cisco posts in regard to this, and they recommend changing the EAPOL-Key Timeout to 5000 ms. I'll probably try to play around with the values this Friday, but will increasing (or decreasing) the value really help? We are using the default of 1000 ms. Thanks.

Best Answer

This error is caused by Windows 7 clients specifically.

Cisco is aware of the problem, but has never fixed the issue on the controller. Since the Cisco bug tool requires access, I've posted the answer as described by Cisco.

In our own setup with 11,000 to 12,000 clients a day, we get tons of these errors on our WLC 8540.

The bug can be found here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuh22382

Case description:

Symptom: Windows 7 clients connecting to wireless networks with WPA2 and session timeout may get disconnected during the key exchange after reauthentication.

This is because on the re-keying process the Win7 clients are sending message M2 with what the WLC considers to be a MIC error. "debug client" on the WLC will show messages similar to the following:

*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: 60:67:20:b6:20:f4 EAPOL-key M2 with invalid secure bit (set) received from mobile 60:67:20:b6:20:f4
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: 60:67:20:b6:20:f4 Received EAPOL-key M2 with invalid MIC from mobile 60:67:20:b6:20:f4
*osapiBsnTimer: Apr 01 23:27:39.427: 60:67:20:b6:20:f4 802.1x 'timeoutEvt' Timer expired for station 60:67:20:b6:20:f4 and for message = M2
*dot1xMsgTask: Apr 01 23:27:39.427: 60:67:20:b6:20:f4 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 60:67:20:b6:20:f4

Usually at this point, the WLC will retransmit the M1, and then the second time the client sends its M2, it will not have an invalid MIC, and the key exchange will succeed.

Conditions: Windows 7 clients connecting to a wireless network with WPA2/AES with EAP, and session timeout enabled on the WLAN.

This problem is seen with all client chipsets.

Workaround: Use WPA1 or disable session timeout.

This problem can be mitigated by reducing the EAPOL key retransmission timeout (e.g. "config advanced eap eapol-key-timeout 300"). Do be aware that reducing this value might negatively impact key negotiations with some very old and slow clients.

More Info: How to reproduce:

  • Configure a WLAN with WPA2 + 802.1x (local EAP or RADIUS).
  • Enable session timeout.
  • Bring any Windows 7 device.
  • Connect to the WLAN and complete authentication.
  • Wait for the session timeout.

This bug is marked as Junked because it is a Microsoft, not a Cisco bug.
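To tell whether these log entries are the benign Win7 rekey retry described above (rejected M2, M2 timer expiry, M1 retransmit) or an unresolved handshake failure, the following added script (not from the post or from Cisco) parses both the syslog and the "debug client" line formats quoted above, groups events per client MAC, and measures how long the WLC waited after discarding the bad M2 before retrying, which you can compare against your eapol-key-timeout setting. The sample lines are constructed from the messages on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the WLC syslog and "debug client" output quoted in this thread.
SAMPLE_LOG = """\
*Dot1x_NW_MsgTask_3: Dec 15 17:22:36.045: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:957 Received invalid EAPOL-key M2 msg in START  state - invalid secure bit; KeyLen 40, Key type 1, client cc:3d:82:5d:f5:43
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: 60:67:20:b6:20:f4 EAPOL-key M2 with invalid secure bit (set) received from mobile 60:67:20:b6:20:f4
*Dot1x_NW_MsgTask_0: Apr 01 23:27:38.321: 60:67:20:b6:20:f4 Received EAPOL-key M2 with invalid MIC from mobile 60:67:20:b6:20:f4
*osapiBsnTimer: Apr 01 23:27:39.427: 60:67:20:b6:20:f4 802.1x 'timeoutEvt' Timer expired for station 60:67:20:b6:20:f4 and for message = M2
*dot1xMsgTask: Apr 01 23:27:39.427: 60:67:20:b6:20:f4 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 60:67:20:b6:20:f4
"""

# "*<task>: <Mon DD HH:MM:SS.mmm>: <body>" is common to both line formats above.
LINE_RE = re.compile(r"^\*\w+: (\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})")
# Substrings that identify each step of the rekey pattern; first match wins.
SIGNATURES = [("invalid secure bit", "m2_bad_secure_bit"), ("invalid MIC", "m2_bad_mic"),
              ("Timer expired", "m2_timeout"), ("Retransmit", "m1_retransmit")]

def parse_events(text):
    """Return {client_mac: [(timestamp, event_kind), ...]} for recognised EAPOL-Key lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")  # year is not logged
        body = m.group(2)
        mac = MAC_RE.search(body)
        kind = next((ev for needle, ev in SIGNATURES if needle in body), None)
        if mac and kind:
            events[mac.group(1)].append((ts, kind))
    return dict(events)

def classify(client_events):
    """'rekey_retry' = bad M2 followed by an M1 retransmit (the WLC retried, usually harmless)."""
    kinds = [k for _, k in client_events]
    if not any(k.startswith("m2_bad") for k in kinds):
        return "no_eapol_error"
    return "rekey_retry" if "m1_retransmit" in kinds else "bad_m2_unresolved"

def retry_gap_ms(client_events):
    """Milliseconds from the first rejected M2 to the M2 timer expiry (a lower bound on the timer)."""
    first_bad = next((ts for ts, k in client_events if k.startswith("m2_bad")), None)
    expiry = next((ts for ts, k in client_events if k == "m2_timeout"), None)
    if first_bad is None or expiry is None:
        return None
    return (expiry - first_bad) // timedelta(milliseconds=1)

def summarize(text):
    """Per client: (classification, retry gap in ms or None)."""
    return {mac: (classify(ev), retry_gap_ms(ev)) for mac, ev in parse_events(text).items()}
```

Run `summarize(open("wlc.log").read())` over a day of exported messages: clients that stay in `bad_m2_unresolved` or show gaps far above your configured timeout are the ones worth a `debug client` session, while a steady stream of `rekey_retry` at the session-timeout interval is the Win7 behaviour described in the bug.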