WPA2\AES and PSK

We have a situation where we need to implement WPA2, AES with PSK on our WLC. If I put in a complex passphrase of 63 ASCII characters, how safe is my wireless network? After reading multiple forums, it seems that it is quite safe, even if this setup is designed for a home or medium office.
Your feedback is very much appreciated.
Thank you.

As far as the security algorithm itself is concerned, a very long, random PSK is extremely secure.
However, there are human factor issues that come into play: that long PSK has to be written down somewhere and that location must be kept secure; the number of people who have access to the key must be limited and all of them must carefully maintain the security of the key; if the key is compromised you must manually change the keys on all clients; etc.
Another issue is that with a PSK you have no way to map a given wireless connection to any individual user, as you would with 802.1X. So if an EAP account is compromised you at least know who to yell at, whereas if your key is compromised you have no clue.
Nobody's going to crack a 63-character passphrase using over-the-air tools. But they won't bother. They'll just find a way to get into your helpdesk office and take a picture of the whiteboard where it's written down.
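To make the "long random PSK is secure" point concrete, the following added example (not from the thread) derives the WPA2 pairwise master key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes) and shows that the passphrase's entropy is the only thing exposed over the air, and that it is capped by the 256-bit PMK. The `generate_passphrase` helper and the 94-character alphabet are my own choices, not anything the thread prescribes.

```python
"""Added example: WPA2-PSK passphrase -> PMK derivation and entropy budget."""
import hashlib
import math
import secrets
import string

PMK_BITS = 256  # the PMK is 32 bytes; a passphrase can never add more than this
PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-Personal


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    Every client on the SSID ends up with this same PMK, which is why a PSK
    network cannot tell individual users apart (unlike 802.1X).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=32,
    )


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase, capped at the PMK size.

    A 63-character passphrase drawn from 94 symbols carries ~413 bits, but
    the derived key is only 256 bits, so anything beyond that is wasted.
    """
    return min(length * math.log2(alphabet_size), PMK_BITS)


def generate_passphrase(length: int = 63) -> str:
    """Random passphrase from the 94 printable non-space ASCII characters
    (space is allowed by the standard but mishandled by some clients)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed demo values; the SSID name is an assumption, not from the thread.
    pmk = derive_pmk(generate_passphrase(), "CorpWLAN")
    print("PMK:", pmk.hex())
    for n in (8, 20, 63):
        print(f"{n:2d}-char random passphrase: "
              f"{passphrase_entropy_bits(n, 94):.1f} effective bits")
```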

Similar Messages

  • WPA2/AES and WPA/TKIP

    Hi all,
    for compatibility reasons I was used to enabling both protocols on all the access points I prepared for customers of mine, both lightweight and standalone ones.
    Now, as you all know, not only is it not best practice, but on the latest Cisco products enabling both AES and TKIP on the same SSID brings a lot of trouble.
    I'm educating customers to get rid of old TKIP-only devices in order to remove it from configurations on WLCs and standalone APs, but it's not always that easy; customers need time.
    I read that a solution on the WLC could be to create two WLANs with the same SSID, one AES and the other TKIP, but on the latest releases it seems not to be allowed to create any SSID with WPA1-only encryption.
    On standalone ap's creating two ssid's on same vlan/interface is not allowed historically.
    Did you find any solution for that?

    In fact the environment that's giving me the worst pain is a recent migration from old 4400 WLCs to a vWLC that started with the 8.0.100 release.
    But the issue is also related to AP models: while the whole AP pool was glorious 1242s there was no issue at all; only after swapping two 1242s with two brand new 1702s did the pain start, and it gives pain only in the 1702s' coverage area.
    I'm sure your trick works, but in my case it's better to get rid of the 1702's until tkip devices disappear completely.

  • 802.1x errors from client in WLAN with WPA2 and PSK

    Hello,
    I have been doing some client troubleshooting and I have got some errors that do not make much sense to me:
    1)
    Time :03/15/2011 14:49:54 CET Severity :ERROR Controller IP :10.x.x.x Message :802.1x authentication message received, static dynamic wep supported.
    2)
    Time :03/15/2011 14:49:54 CET Severity :INFO Controller IP :10.x.x.x Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
    The WLAN is configured with WPA2 with AES and PSK, and during the troubleshooting several roamings have happened.
    Do you have any idea why they can be produced?
    I attach the complete log.
    Thank you in advance.

    Sounds like the clients are doing WPA with TKIP, for message number 2 for example?

  • EAP-PEAP, CCKM & WPA2 AES

    Hi Guys,
    Can someone advise on the pros/cons implementing both WPA2 (AES) and CCKM to a single WLAN running 802.1x (EAP-PEAP)?
    There appear to be multiple conflicting docs about it.
    Cheers,
    Nick

    Hi Nick,
    1. WPA2 (AES) and CCKM do NOT work together properly, as most of the experts say. (But I have this scenario and still I have not heard of any issue from employees.)
    2. Most of the clients don't support WPA2 with CCKM combined because they have overlapping roaming mechanisms (this is the reason provided by experts).
    3. WPA with CCKM works perfectly (as Cisco recommended).
    Regards
    Don't forget to rate helpful posts

  • 1240AG WPA2 and PSK for non radius clients

    Does this device support these options?
    We want to move to WPA2 Enterprise and use our RADIUS server (Windows IAS), but we want to hand out a key to non-domain computers. We have production machines that aren't on the domain for various reasons.
    2nd question, does the AP allow for creating a 2nd "Guest" wireless for visitors?
    thanks!

    Hi Shayne,
    The Cisco 1240 supports WPA2/AES. Yes, they can provide different security policies via different SSIDs. For example:
    SSID#1 - Corporate - WPA2/AES 802.1X
    SSID#2 - CorporatePSK - WPA2/AES PSK
    SSID#3 - Guest
    There is a good deal of configuration to make this happen. But yes, this is supported.
    Here is a link on how to configure SSIDs on autonomous access points:
    http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37ssid.html
    Please be so kind to rate helpful post!

  • WPA2-EAP and WPA2-PSK supported Access Points

    Dear Team,
    I have been looking to find the Cisco Access Points that support both:
    WPA2-EAP: Encryption: AES, Authentication: IEEE 802.1X
    WPA2-PSK: Encryption: AES, Authentication: PSK (Pre Shared Key) with more than 21 Characters, combined with MAC address filtering.
    I am confused about this and need help, please advise.
    Regards,
    Farhan

    Sure.  Go HERE.  Click on the APs you want and go to their individual Data Sheets.  Use Ctrl+F and enter "WPA2" (or whatever features you want).

  • Frequent disconnect using peap wpa2 with aes and tkip

    I get frequent disconnects for the users on wireless using PEAP WPA2 with AES and TKIP.
    My network is setup with :
    -Wireless controller 4404
    -ACS 4.0
    -28 access point 1131g
    -Peap authentication with active directory windows 2003
    -windows xp - mschap2 with aes- tkip
    When I check only AES on the wireless controller 4404, the network users are able to work in a stable condition.

    This might be similar to the bug where wireless phones don't associate if WPA2 is configured with both AES/TKIP. In this case try to upgrade the controller.

  • WPA-TKIP WPA2-AES Connection speed

    Hi,
    My customer uses controller based wireless network. There is a connection speed problem between two SSID's. First SSID uses WPA(TKIP+AES) and WPA2(TKIP+AES) encryption method and dot1x authentication method. Second SSID uses open authentication (this is a guest SSID)
    802.11 a/n/ac is enabled on the WLC and clients can connect with these methods. But clients connect to the first SSID with 802.11 b/g (54 Mbps) and connect to the second SSID with 802.11 a/n/ac. The customer wants to know why our clients connect with low speed to the first SSID even if a/n/ac is enabled.
    Sometimes WPA-TKIP encryption methods can reduce the connection speed. Do you have any idea about that and official document about this problem?
    Thanks,
    Burhan,

    TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP stands for “Temporal Key Integrity Protocol.” It was a stopgap encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn’t be using it.
    AES stands for “Advanced Encryption Standard.” This was a more secure encryption protocol introduced with WPA2, which replaced the interim WPA standard. AES isn’t some creaky standard developed specifically for Wi-Fi networks; it’s a serious worldwide encryption standard that’s even been adopted by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.
    The “PSK” in both names stands for “pre-shared key” — the pre-shared key is generally your encryption passphrase. This distinguishes it from WPA-Enterprise, which uses a RADIUS server to hand out unique keys on larger corporate or government Wi-Fi networks.
    In summary, TKIP is an older encryption standard used by the old WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But, depending on your router, just choosing WPA2 may not be good enough.
    While WPA2 is supposed to use AES for optimal security, it also has the option to use TKIP for backward compatibility with legacy devices. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So "WPA2" doesn't always mean WPA2-AES. However, on devices without a visible "TKIP" or "AES" option, WPA2 is generally synonymous with WPA2-AES.
    WPA and TKIP compatibility options can also slow your Wi-Fi network down. Many modern Wi-Fi routers that support 802.11n and newer, faster standards will slow down to 54mbps if you enable WPA or TKIP in their options. They do this to ensure they're compatible with these older devices.
    In comparison, even 802.11n supports up to 300mbps — but, generally, only if you're using WPA2 with AES. Theoretically, 802.11ac offers maximum speeds of 3.46 Gbps under optimum (read: perfect) conditions.
    In other words, WPA and TKIP will slow a modern Wi-Fi network down. It’s not all about security!

  • WPA2-AES with Certificate authentication in WLC

    Hello,
    I currently have a setup with 1200 series APs as standalone; the authentication is done via RADIUS with a certificate installed on the client domain laptops (WPA2 + AES). The certificate is installed on the domain laptops and when I connect wireless it shows up as WPA2 (PEAP). As we are migrating to a WLAN Controller we are unable to authenticate the client with WPA2 AES. In the controller, if we enable PSK (pre-shared key) it works fine. With 802.1x the authentication is not happening and I am getting the error that RADIUS is not responding. But we don't have control of the RADIUS, which is in a remote site. Can someone guide me on what needs to be checked in RADIUS, given that with the IOS AP it works fine?
    Thanks in Advance

    You will need to have access to your RADIUS server to set up your controller to support PEAP; it's not as simple as upgrading the APs and adding a controller, as the controller will need adding to the RADIUS server as a client and, depending on your remote access policies, adding into the RAS policy. You will need to liaise with the RADIUS support team.

  • WPA2 Aes encryption on cisco 1121G AP

    Hi,
    I wanted to increase the security on my 1121G access point by enabling WPA2 with AES encryption. In a test environment I set this up and I configured my wireless client to connect. My wireless client (IBM ThinkPad T42p with 11a/b/g Wireless LAN Mini PCI Adapter II) has the ability to either select WPA or WPA2 and whether you use TKIP or AES. I selected WPA2 and AES, entered the encryption key which I had entered on the AP, and I connected.
    I changed the settings on the client to WPA and TKIP and entered the same encryption key and I managed to connect as well, which puzzles me; when I enter an incorrect encryption key it won't associate.
    Is this normal behaviour or do you think I have configured something incorrectly on the 1121G AP?
    I have attached my config and have removed some personal data.
    Many thanks
    rogier

    I have finally figured it out. It is the Windows client or Mac clients being very smart: if you configure your Windows client to use WPA instead of WPA2 and select TKIP instead of AES encryption, somehow it figures out this is incorrect and automatically sets the WPA to WPA2 settings and changes TKIP to AES encryption. I am amazed. I finally figured it out when a Windows machine which did not have the Windows patch to allow it to connect to WPA2 could not connect; only after installing the WPA2 patch would it connect. In the AP log it always showed as logging in with the WPA2 AES encryption.
    I guess Windows XP is a bit smarter than I originally thought.

  • How do I set my E3000 to WPA2 AES?

    On the cisco connect (192.168.1.1) page, where can I change the encryption scheme to WPA2-AES?
    Solved!
    Go to Solution.

    WPA2 Personal uses AES only.
    WPA Personal uses TKIP only.
    WPA2/WPA Personal Mixed Mode uses both.
    For best security and performance use WPA2 Personal only.

  • Accept Certificate when connecting to an SSID with WPA2-AES encryption.

    When I try to connect my iPhone to an SSID with WPA2-AES encryption, I need to accept the certificate and it gets authenticated. When I switch over to a different SSID and reconnect again to the same WPA2-AES SSID, I do not get the certificate accept page.
    When I click on Forget Network, disconnect from the SSID and reconnect again, I will be prompted to accept the certificate. Is this normal behavior on the iPhone?
    Any suggestions would be greatly appreciated.
    Thanks and regards,
    Sendhil Balakrishnan

    Hi,
    With the config I have I seem to be able to log in using either TKIP or AES, but I don't think I have mixed mode configured on the AP, so it should only accept WPA2-AES encryption. But it also accepts TKIP, making me believe something is configured incorrectly.
    Should I change anything in the config on the AP to only allow WPA2-AES encryption?
    Many thanks
    rogier

  • WLC-4404. WPA2 - AES (L2) - Microsoft IAS- unable to authenticate

    Hi, I am upgrading from EAP-TLS with WEP to WPA2-AES with smartcard / machine certificates. The AAA server is Microsoft IAS. The new SSID and config for WPA2 look straightforward.
    Created a new policy for this SSID on IAS, again looks straightforward. Unable to authenticate; debug on the WLC looks as though not all server-to-client transactions are taking place, no EAPOL messages etc.
    Any ideas?

    This mostly occurs due to incompatibility on the client side. Try these steps in order to fix this issue:
    Check if the client is Wi-Fi certified for WPA2 and check the configuration of the client for WPA2.
    Check the data sheet in order to see if the client Utility supports WPA2. Install any patch released by the vendor to support WPA2. If you use Windows Utility, make sure that you have installed the WPA2 patch from Microsoft in order to support WPA2.
    Upgrade the client's Driver and Firmware.
    Turn off Aironet extensions on the WLAN.

  • Palm Pre & WPA2 AES Wireless Networks

    I have a Palm Pre that I'd like to connect to a campus network that uses WPA2 AES encryption. I have the certificate required for this network already installed on the Pre. However, when attempting to log in to the network, it does not use the certificate and asks for a username/password. Of course, the logins will not work. Any workaround, or is this just not supported?
    Post relates to: Pre p100eww (Sprint)

    Have you tried putting your domain name before the username, i.e. <DOMAIN>\<USERNAME>? e.g.
    Username: School\John Doe
    Password: **********
    If your network is not hidden, you don't even need to specify the security setting. I think it does it automatically when I select a network from the list, at least for me. Good luck!

  • Does 7921 support WPA2+AES+PKC?

    Does Cisco IP Phone 7921G support WPA2+AES+PKC? I know it supports WPA2+AES, but documentation is not clear if it supports PKC.
    Or do I _have to_ use WPA+TKIP+CCKM to support fast secure roaming in CUWN environment?
    VoWLAN design guide 4.1 recommends using WPA+TKIP+CCKM. Is that because the phone doesn't support PKC? Is that going to change?

    Ok first off the 7921G and 7925G are WPA/WPA2 certified.
    7921G
    http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA5040
    7925G
    http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA6945
    The 7921G is not officially WPA/WPA2 Enterprise certified as we didn't support certificate-based authentication at the time (PEAP and EAP-TLS), but do now, and the 7925G code is the same as the 7921G, just slightly different hardware.
    As for the 792xG Deployment Guides, I am the one that wrote those docs. :)
    There is a statement there in regards to WPA2+CCKM on page 10.
    Also WPA2(TKIP) is not a common or recommended configuration. If wanting to use WPA2 key-management it is also advised to use AES.
    But the 792xG does support all those methods, but only supports fast roaming (CCKM) with WPA(TKIP) at the moment.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf
    Cisco Centralized Key Management (CCKM)
    When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time.
    TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.
