Cisco responds to WPA2-Enterprise issues
UPDATE: Both Microsoft and Cisco now have an official knowledge base article available for this issue:
UPDATE: Detailed steps to resolve for:
- Broadcom Wireless-N (detailed with pictures, process is the same for other chipsets)
- Option GTM67x (Atheros chipset)
I've blogged a couple of times before on issues a number of colleagues and I have been having with our network adapters and the Cisco Access Points installed in the office building where I normally work. The issue comes from the fact that Cisco's products use a draft (pre-standard) version of 802.11w Management Frame Protection, while Windows 8 uses the final 802.11w version, and the two don't negotiate this correctly.
Cisco has a bug that tracks this issue (CSCua29504) and a patch has been released for a number of wireless controller code trains (7.0 and 7.3 have been patched; 7.2 is forthcoming). The patch only makes the controller interpret a final-standard 802.11w client correctly; Cisco explained that controller software supporting the final 802.11w standard itself (PMF, release 7.4) will be released in 2013 Q1.
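In the final standard, the capability negotiation that fails here is carried in the RSN information element (element ID 48) of beacons, probe responses and association requests: two bits of the RSN Capabilities field, MFPC (capable) and MFPR (required), tell each side whether the other can or must protect management frames. The Python below is an added example, not code from this post, from Cisco or from Microsoft. It decodes the RSN element as laid out in IEEE 802.11-2012 (clause 8.4.2.27) and applies the standard's MFPC/MFPR association rule; the sample elements are constructed for illustration, and the code does not model Cisco's pre-standard MFP signalling, which the post does not describe.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

RSN_ELEMENT_ID = 48
IEEE_OUI = b"\x00\x0f\xac"

# Cipher suite and AKM suite selector types under the IEEE OUI (802.11-2012, tables 8-99 and 8-101)
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256"}

# RSN Capabilities bits added by 802.11w
MFPR_BIT = 1 << 6  # Management Frame Protection Required
MFPC_BIT = 1 << 7  # Management Frame Protection Capable


@dataclass
class RsnInfo:
    version: int
    group_cipher: str
    pairwise_ciphers: List[str]
    akms: List[str]
    capabilities: int
    group_mgmt_cipher: Optional[str] = None

    @property
    def mfpc(self) -> bool:
        return bool(self.capabilities & MFPC_BIT)

    @property
    def mfpr(self) -> bool:
        return bool(self.capabilities & MFPR_BIT)


def _suite_name(raw: bytes, names: dict) -> str:
    oui, suite_type = raw[:3], raw[3]
    if oui != IEEE_OUI:
        return "vendor-%s:%d" % (oui.hex(), suite_type)
    return names.get(suite_type, "unknown-%d" % suite_type)


def parse_rsn_ie(ie: bytes) -> RsnInfo:
    """Parse one RSN information element (ID, length, body) into its fields."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN element")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN element shorter than its fields require")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version, = struct.unpack("<H", take(2))
    group = _suite_name(take(4), CIPHER_NAMES)
    pw_count, = struct.unpack("<H", take(2))
    pairwise = [_suite_name(take(4), CIPHER_NAMES) for _ in range(pw_count)]
    akm_count, = struct.unpack("<H", take(2))
    akms = [_suite_name(take(4), AKM_NAMES) for _ in range(akm_count)]
    caps, gmc = 0, None
    # Fields after the AKM list are optional; each may only appear if the ones before it do.
    if pos + 2 <= len(body):
        caps, = struct.unpack("<H", take(2))
    if pos + 2 <= len(body):
        pmkid_count, = struct.unpack("<H", take(2))
        take(16 * pmkid_count)
        if pos + 4 <= len(body):
            gmc = _suite_name(take(4), CIPHER_NAMES)
    if caps & MFPR_BIT and not caps & MFPC_BIT:
        raise ValueError("invalid RSN capabilities: MFPR set without MFPC")
    return RsnInfo(version, group, pairwise, akms, caps, gmc)


def pmf_negotiation(ap: RsnInfo, sta: RsnInfo) -> str:
    """Outcome of the 802.11w MFPC/MFPR rule for an AP and a station (802.11-2012, 11.5.7)."""
    if ap.mfpr and not sta.mfpc:
        return "reject: AP requires PMF, station not capable"
    if sta.mfpr and not ap.mfpc:
        return "reject: station requires PMF, AP not capable"
    if ap.mfpc and sta.mfpc:
        return "associate: PMF in use"
    return "associate: PMF not in use"


# Constructed sample elements (WPA2-Enterprise: CCMP pairwise/group, 802.1X AKM), not captured traffic.
LEGACY_AP = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")          # no PMF bits
PMF_CAPABLE_AP = bytes.fromhex("301a 0100 000fac04 0100 000fac04 0100 000fac01 8000 0000 000fac06")
PMF_CAPABLE_STA = bytes.fromhex("301a 0100 000fac04 0100 000fac04 0100 000fac01 8000 0000 000fac06")
PMF_REQUIRED_STA = bytes.fromhex("301a 0100 000fac04 0100 000fac04 0100 000fac05 c000 0000 000fac06")

if __name__ == "__main__":
    for name, ie in [("legacy AP", LEGACY_AP), ("PMF-capable AP", PMF_CAPABLE_AP)]:
        info = parse_rsn_ie(ie)
        print(name, "MFPC=%s MFPR=%s group mgmt cipher=%s" % (info.mfpc, info.mfpr, info.group_mgmt_cipher))
    print(pmf_negotiation(parse_rsn_ie(LEGACY_AP), parse_rsn_ie(PMF_REQUIRED_STA)))
    print(pmf_negotiation(parse_rsn_ie(PMF_CAPABLE_AP), parse_rsn_ie(PMF_CAPABLE_STA)))
```

To apply this to a real network, capture a beacon from the AP and the association request from the Windows 8 client and feed the raw RSN element bytes (as shown by Wireshark's "RSN Information" tree) to `parse_rsn_ie`; a controller on the affected code reacts to a final-standard element with these bits set in a way the table above does not predict, which is the interoperability bug the notice below describes.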
I wanted to pre-advise colleagues in advance of a formal Field Notice coming out shortly that a serious software bug exists in all Cisco centralised wireless controller versions which support pre-standard Management Frame Protection (MFP) that will render Windows 8 devices completely unable to connect to Cisco APs under centralised control, with no easy workaround.
This will affect every institution on the list using Cisco centralised wireless so I hope the non-Cisco colleagues won't mind this broadcast as it's quite important to avoid clients starting to pop up that can't connect for no apparent reason. Cisco has asked every employee, every partner and every other contractor we have a relationship with to proactively reach out to our/their customers to advise of this problem - so you might hear this twice or more from various contacts / lists / sources over the coming weeks.
Problem: Microsoft Windows 8, to be released on October 26th, is among the first clients to support IEEE 802.11w natively in the OS. Clients running 802.11w fail to connect to Cisco's MFP capable APs because of interoperability issues in the service capability negotiation. It is /not/ possible to address this by simply disabling MFP on the Cisco Infrastructure, and Microsoft confirm that Windows 8 does not provide any way (e.g., RegKey, Group Policy) to turn off 802.11w as it is considered a positive feature to always have turned on for security purposes. The Cisco bug ID tracking this is CSCua29504.
Solution: The only two solutions are:
- Update the Controller code to a fixed version.
- Downgrade to a pre-Windows 8 wireless NIC driver on the client device - where that option is available - as 802.11w is NIC driver and/or supplicant dependent. The only allowance Windows 8 makes is to not enforce 802.11w on pre-Windows 8 driver sets, which will not work with most vendors' NICs otherwise. Clearly, the support implications of advising end users to do this will not scale, will not work indefinitely, and Cisco is not relying on this option as any kind of sustainable or permanent workaround.*
The plan is to patch the bug so that Windows 8 and other 802.11w capable clients can connect to Cisco infrastructure on the 7.0 code train (Early September), 7.2 code train (Late September) and 7.3 first release code train (Available by the end of August).
This fix does not implement 802.11w but instead ensures that the communication from 802.11w enabled clients is interpreted correctly by the Access Point. There are no plans to patch this on the 5.0, 5.1, 5.2, 6.0 and 7.1 code-trains which have passed their End of Software Maintenance (EoSM) or End of Life (EoL) dates, and so 7.0 is the minimum release to move to if still running <=7.0 and needing the fix; and 7.2 if running 7.1. This issue does not affect version 4.2 and previous.
Finally, the IEEE standard version of MFP - 802.11w (called Protected Management Frames - PMF) - will be supported in 7.4 (early Q1 2013).
For now, I would advise scheduling a software upgrade window on your Cisco controllers ready for when the fixed code versions are released (if not wishing, or not able due to controller model, to adopt 7.3 soon). This will avoid a flurry of user support cases coming in the day they start arriving on campus with Windows 8 devices on or soon after launch. The route to obtain the fixed software versions is via your normal support channel.
It goes without saying that this is a deeply unfortunate situation to have arisen, but I hope you won't shoot the messenger! :-) As bugs go this is right up there as quite a stunner. I expect to be quite busy over the next few months across Public Sector as this ripples out to customers who have not been reachable in advance for whatever reason.
Please feel free to share this as widely as possible with any colleagues or other institutions you believe would be interested that are not on this list.
Paul A. Hill CCDP, CCNP Wireless, CWNP Inc. CWDP & CWSP
Head of Wireless Technologies, Public Sector UK
Cisco Systems Ltd.
10 New Square
Bedfont Lakes
Feltham
Middlesex
TW14 8HA
United Kingdom

E-mail: email@example.com
Direct Tel: +44 (0)20 8824 8534
Direct Fax: +44 (0)20 7900 2337
Mobile *: As Direct Telephone
Main Tel: +44 (0)20 8824 1000
Main Fax: +44 (0)20 8824 1001
Voicemail: 844 48534
* Single Number Reach rings all of my contact devices simultaneously.
Cisco Systems Limited (Company Number: 02558939), is registered in England and Wales with its registered office at 1 Callaghan Square, Cardiff, South Glamorgan CF10 5BT.