TKIP Countermeasure caught in the wild!
Saturday, May 15, 2010 at 9:27AM
George in cwsp, tkip, tkip countermeasure, wifi hacking, wifi security


I want to share an event you may not see very often in the wild, TKIP countermeasure. 

What is a TKIP countermeasure and why is it important?
By deafult, Cisco WLCs and autonomous access points will suspend all TKIP traffic on a radio / ssid if a client sends 2 bad MICs in a 60 second period for a duration of  60 second. This is a measure that prevents the spoofing of frames by hackers.
Fully authorized wireless clients can occasionally send a bad MIC(s). In fact, a colleague of mine once had a bad wireless NIC that was notorious for throwing bad MICs. His machine was a walking "DoS" attack of sorts. LOL

The TKIP countermeasure is a configurable variable by SSID and can be disabled. I blogged about this in December of last year. The commands for both the WLC and Autonomous are below:

Autonomous -

So what happen?

I was simply reviewing logs in WCS when an alert popped up. Once I seen 'MIC' in the header I thought right away, is this a TKIP countermeasure event and sure enough. I've since monitored the device to insure it wasnt a problem child.
NOTE: Cisco recommends to disabled TKIP Countermeasure on all Voice SSIDs.
Article originally appeared on (
See website for complete article licensing information.