Configuring WPA

TKIP Countermeasures

WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the network against tampering.

- If the recalculated MIC matches the MIC received with the frame, the frame passes the integrity check and the access point or client processes the frame normally.
- If the recalculated MIC does not match the MIC received with the frame, the frame fails the integrity check. This condition is called a MIC failure. The access point or client discards the frame and also starts a 60-second timer. If another MIC failure does not occur within 60 seconds, the timer expires. However, if another MIC failure occurs before the timer expires, the device takes the following actions:
  - A MAP that receives another frame with an invalid MIC ends its sessions with all TKIP and WEP clients by disassociating from the clients. This includes both WPA WEP clients and non-WPA WEP clients. The access point also temporarily shuts down the network by refusing all association or reassociation requests from TKIP and WEP clients. In addition, MSS generates an SNMP trap that indicates the WX port and radio that received frames with the two MIC failures as well as the source and destination MAC addresses in the frames.
  - A client that receives another frame with an invalid MIC disassociates from its access point and does not send or accept any frames encrypted with TKIP or WEP.

The MAP or client refuses to send or receive traffic encrypted with TKIP or WEP for the duration of the countermeasures timer, which is 60,000 milliseconds (60 seconds) by default. When the countermeasures timer expires, the access point allows associations and reassociations and generates new session keys for them. You can set the countermeasures timer for MAP radios to a value from 0 to 60,000 milliseconds (ms). If you specify 0 ms, the radios do not use countermeasures but instead continue to accept and forward encrypted traffic following a second MIC failure. However, MSS still generates an SNMP trap to inform you of the MIC failure.

The MIC used by CCMP, CBC-MAC, is even stronger than Michael and does not require or provide countermeasures. WEP does not use a MIC. Instead, WEP performs a cyclic redundancy check (CRC) on the frame and generates an integrity check value (ICV).
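The holddown behavior of a MAP radio described in this section, modeled as a small state machine that can be replayed over MIC failure events. This is an added example, not MSS code: the class, method and action names are hypothetical, the sample events are constructed, and restarting the 60-second window after a second failure is an assumption.

```python
MIC_FAILURE_WINDOW_MS = 60_000  # a second MIC failure inside this window triggers countermeasures

# Constructed sample events: (time in ms, source MAC, destination MAC).
SAMPLE_FAILURES = [
    (0, "00:11:22:33:44:55", "66:77:88:99:aa:bb"),
    (61_000, "00:11:22:33:44:55", "66:77:88:99:aa:bb"),  # first timer already expired
    (90_000, "00:11:22:33:44:55", "66:77:88:99:aa:bb"),  # 29 s after the previous failure
]


class TkipCountermeasures:
    """Hypothetical model of one MAP radio's MIC failure handling."""

    def __init__(self, countermeasures_ms=60_000):
        if not 0 <= countermeasures_ms <= 60_000:
            raise ValueError("countermeasures timer must be 0 to 60,000 ms")
        self.countermeasures_ms = countermeasures_ms
        self.first_failure_at = None  # start of the running 60-second timer
        self.blocked_until = None     # end of the holddown, when one is active
        self.traps = []               # (time_ms, src_mac, dst_mac) per SNMP trap

    def mic_failure(self, now_ms, src_mac, dst_mac):
        """Record a MIC failure (the frame is always discarded); return the action."""
        if (self.first_failure_at is None
                or now_ms - self.first_failure_at >= MIC_FAILURE_WINDOW_MS):
            self.first_failure_at = now_ms  # no timer running: start one
            return "discard"
        # Second failure before the timer expired.
        self.first_failure_at = None        # assumption: the window starts over
        self.traps.append((now_ms, src_mac, dst_mac))
        if self.countermeasures_ms == 0:
            return "trap-only"              # timer set to 0: keep forwarding traffic
        self.blocked_until = now_ms + self.countermeasures_ms
        return "countermeasures"            # disassociate TKIP and WEP clients

    def accepts_tkip_wep(self, now_ms):
        """True if TKIP/WEP association requests are accepted at now_ms."""
        if self.blocked_until is not None and now_ms >= self.blocked_until:
            self.blocked_until = None       # timer expired; new session keys follow
        return self.blocked_until is None


def replay(radio, failures):
    """Feed MIC failure events to a radio model and return the action for each."""
    return [radio.mic_failure(t, src, dst) for t, src, dst in failures]


if __name__ == "__main__":
    print(replay(TkipCountermeasures(), SAMPLE_FAILURES))
```

Replaying the same events against `TkipCountermeasures(0)` shows the trade-off of a 0 ms timer: the trap is still recorded, but TKIP and WEP clients are never held down.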