WPA2/AES and WPA/TKIP

Hi all,
For compatibility reasons I used to enable both protocols on all the access points I prepared for my customers, both lightweight and standalone ones.
Now, as you all know, not only is it not best practice, but on the latest Cisco products enabling both AES and TKIP on the same SSID brings a lot of trouble.
I'm educating customers to get rid of old TKIP-only devices in order to remove it from the configurations on WLCs and standalone APs, but it's not always that easy; customers need time.
I read that a solution on the WLC could be to create two WLANs with the same SSID, one AES and the other TKIP, but on the latest releases it seems not allowed to create any SSID with WPA1-only encryption.
On standalone APs, creating two SSIDs on the same VLAN/interface has historically not been allowed.
Did you find any solution for that?

In fact the environment that is giving me the worst pain is a recent migration from old 4400 WLCs to a vWLC that started with the 8.0.100 release.
But the issue is also related to AP models: while the whole AP pool was of glorious 1242s there was no issue at all; only after swapping two 1242s for two brand new 1702s did the pain start, and it only occurs in the 1702s' coverage area.
I'm sure your trick works, but in my case it's better to get rid of the 1702s until the TKIP devices disappear completely.
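The combinations this thread warns about (TKIP under WPA2, TKIP+AES on one SSID, WPA1 still enabled) are easy to audit across a controller before a migration. The following is an added example, not code from the thread or from Cisco: a small Python script that parses the security section of a `show wlan` listing and reports the problem combinations. The two sample listings are constructed for this example to resemble WLC output; the exact labels and indentation are an assumption and vary by release, which is why the parser keys only on the dotted-leader `label....value` layout.

```python
import re

# Constructed sample input, loosely modelled on the security section of a
# Cisco WLC "show wlan <id>" listing. It is NOT captured from a real
# controller; labels and indentation differ between releases.
LEGACY_MIXED_WLAN = """\
WLAN Identifier.................................. 1
Profile Name..................................... corp-legacy
Network Name (SSID).............................. corp
Security
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
"""

# Same SSID after clean-up: WPA2 with AES only and 802.1X key management.
AES_ONLY_WLAN = """\
WLAN Identifier.................................. 2
Profile Name..................................... corp-aes
Network Name (SSID).............................. corp
Security
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
"""

# "<label>....<value>": the label runs up to the first run of two or more dots,
# so "802.1x" (a single dot inside the label) is still read correctly.
FIELD_RE = re.compile(r"^\s*(.+?)\.{2,}\s*(.*?)\s*$")


def parse_show_wlan(text):
    """Reduce a listing to the few fields the audit needs."""
    wlan = {"ssid": None, "wpa": {}, "wpa2": {}, "akm": {}}
    section = None  # block the next TKIP/AES or key-management line belongs to
    for line in text.splitlines():
        if line.strip() == "Auth Key Management":  # heading without a value
            section = "akm"
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        enabled = value.lower() == "enabled"
        if label == "Network Name (SSID)":
            wlan["ssid"] = value
        elif label == "WPA (SSN IE)":
            section = "wpa"
            wlan["wpa"]["enabled"] = enabled
        elif label == "WPA2 (RSN IE)":
            section = "wpa2"
            wlan["wpa2"]["enabled"] = enabled
        elif label in ("TKIP Cipher", "AES Cipher") and section in ("wpa", "wpa2"):
            wlan[section][label.split()[0].lower()] = enabled
        elif section == "akm":
            wlan["akm"][label.lower()] = enabled
    return wlan


def audit_wlan(wlan):
    """Return human-readable findings; an empty list means WPA2 with AES only."""
    wpa, wpa2, akm = wlan["wpa"], wlan["wpa2"], wlan["akm"]
    findings = []
    if wpa.get("enabled"):
        findings.append("WPA (WPA1) is enabled: TKIP-era policy, retire it once legacy clients are gone")
    if wpa2.get("enabled") and wpa2.get("tkip"):
        findings.append("TKIP is enabled under WPA2: deprecated cipher, and TKIP clients are held to legacy rates")
    if wpa2.get("enabled") and wpa2.get("tkip") and wpa2.get("aes"):
        findings.append("TKIP+AES on one SSID: mixed-cipher mode with known client interoperability problems")
    if not any(akm.values()):
        findings.append("no key management method (802.1x, PSK or CCKM) is enabled")
    return findings


if __name__ == "__main__":
    for listing in (LEGACY_MIXED_WLAN, AES_ONLY_WLAN):
        parsed = parse_show_wlan(listing)
        print(parsed["ssid"], audit_wlan(parsed) or ["OK: WPA2/AES only"])
```

Run it against the output of `show wlan <id>` for every WLAN on the controller before the upgrade; a WLAN that reports nothing is the WPA2/AES-only configuration the thread recommends, and the others are the ones still waiting on legacy clients.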

Similar Messages

  • Newbie adding Comcast wireless: WPA2-PSK (AES) or WPA-TKIP?

    I have an old (but still great!) 1.25 GHz PowerPC G4, running Mac OS X 10.5.8.  I also have a 3G iPhone (iOS 4.2.1).  (Both are the most current OS for those devices.)   In the next 6 months I'll be upgrading both of these devices, but I need to install my router now, with the older equipment/software.
    I am very, very new to wireless technology, so I am aware I know nothing about this.  I find that the support at Comcast isn't very Mac-savvy (especially working with my older device).
    I have a new "Gateway" ARRIS modem/router to set up.  My questions:
    1 -- Encryption Method - do I choose WPA2-PSK (AES) or WPA-TKIP?
    2 -- Are there any settings on my Mac (or iPhone) that I need to know about, in order to be sure the wireless network functions properly and securely?
    My thanks to all of you!

    1. At the moment your G4 isn't capable of running WPA, the only thing you can run is WEP, but change that as soon as you get your new Mac.
    2. You need to go to Settings>wi-fi and enter the details of your setup, name, password, smtp etc etc.

  • WPA2\AES and PSK

    We have a situation that we need to implement WPA2, AES with PSK on our WLC. If I put a complex passphrase of 63 ASCII characters, how safe is my wireless network? After reading multiple forums, it seems that is quite safe, even if this setup is designed for a home or medium office.
    Your feedback is very much appreciated.
    Thank you.

    As far as the security algorithm itself is concerned, a very long, random PSK is extremely secure.
    However, there are human factor issues that come into play: that long PSK has to be written down somewhere and that location must be kept secure; the number of people who have access to the key must be limited and all of them must carefully maintain the security of the key; if the key is compromised you must manually change the keys on all clients; etc.
    Another issue is that with a PSK you have no way to map a given wireless connection to any individual user, as you would with 802.1X. So if an EAP account is compromised you at least know who to yell at, whereas if your key is compromised you have no clue.
    Nobody's going to crack a 63-character passphrase using over-the-air tools. But they won't bother. They'll just find a way to get into your helpdesk office and take a picture of the whiteboard where it's written down.
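To make the "long random PSK" point concrete, here is an added example (not code from the thread) showing how WPA/WPA2-Personal turns a passphrase into the 256-bit pairwise master key: PBKDF2-HMAC-SHA1 with 4096 iterations and the SSID as the salt, as specified in IEEE 802.11i. The derivation is public and deterministic, so the passphrase's entropy is the only secret, which is exactly why the answer above says the human handling of the key matters more than the algorithm. The function names, the passphrase alphabet and the `secrets`-based generator are choices made for this example; the two test vectors are the published Annex H ones.

```python
import hashlib
import math
import secrets
import string

# Standard WPA/WPA2-Personal PSK derivation parameters (IEEE 802.11i).
PBKDF2_ITERATIONS = 4096
PMK_BYTES = 32  # 256-bit pairwise master key


def is_valid_passphrase(passphrase):
    """WPA-Personal passphrases are 8 to 63 printable ASCII characters (0x20-0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits).

    Deterministic and public: given the SSID, the passphrase is the only
    secret. The SSID acts as a salt, so the same passphrase on a different
    SSID yields a different PMK.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_BYTES,
    )


# Alphabet for generated passphrases (example choice): letters, digits and
# punctuation, 94 symbols. Space is allowed by the standard but is left out
# so a key that has to be typed by hand copies cleanly.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(length=63):
    """Random passphrase from the OS CSPRNG (secrets, never random.choice)."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8-63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random passphrase of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Published IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    new_key = generate_passphrase()
    print(len(new_key), "chars,", round(passphrase_entropy_bits(len(new_key))), "bits of entropy")
    print("8-char key from the same alphabet:",
          round(passphrase_entropy_bits(8)), "bits")
```

The entropy numbers are the practical takeaway: a 63-character key from this alphabet carries about 413 bits, far beyond anything reachable by guessing, while an 8-character one carries about 52, which is where the "brute-force attacks (prevented by using a strong passphrase)" caveat elsewhere on this page comes from. Note also that `derive_pmk` is the same computation every client performs, so rotating the PSK after a compromise really does mean touching every client, as the answer says.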

  • WPA-TKIP WPA2-AES Connection speed

    Hi,
    My customer uses a controller-based wireless network. There is a connection speed problem between two SSIDs. The first SSID uses the WPA(TKIP+AES) and WPA2(TKIP+AES) encryption method and the dot1x authentication method. The second SSID uses open authentication (this is a guest SSID).
    802.11 a/n/ac is enabled on the WLC and clients can connect with these methods. But clients connect to the first SSID with 802.11 b/g (54 Mbps) and connect to the second SSID with 802.11 a/n/ac. The customer wants to know why our clients connect with low speed to the first SSID even if a/n/ac is enabled.
    Sometimes WPA-TKIP encryption methods can reduce the connection speed. Do you have any idea about that and an official document about this problem?
    Thanks,
    Burhan,

    TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP stands for “Temporal Key Integrity Protocol.” It was a stopgap encryption protocol introduced with WPA to replace the very insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn’t be using it.
    AES stands for “Advanced Encryption Standard.” This was a more secure encryption protocol introduced with WPA2, which replaced the interim WPA standard. AES isn’t some creaky standard developed specifically for Wi-Fi networks; it’s a serious worldwide encryption standard that’s even been adopted by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.
    The “PSK” in both names stands for “pre-shared key” — the pre-shared key is generally your encryption passphrase. This distinguishes it from WPA-Enterprise, which uses a RADIUS server to hand out unique keys on larger corporate or government Wi-Fi networks.
    In summary, TKIP is an older encryption standard used by the old WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But, depending on your router, just choosing WPA2 may not be good enough.
    While WPA2 is supposed to use AES for optimal security, it also has the option to use TKIP for backward compatibility with legacy devices. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So “WPA2” doesn’t always mean WPA2-AES. However, on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.
    WPA and TKIP compatibility options can also slow your Wi-Fi network down. Many modern Wi-Fi routers that support 802.11n and newer, faster standards will slow down to 54 Mbps if you enable WPA or TKIP in their options. They do this to ensure they’re compatible with these older devices.
    In comparison, even 802.11n supports up to 300 Mbps — but, generally, only if you’re using WPA2 with AES. Theoretically, 802.11ac offers theoretical maximum speeds of 3.46 Gbps under optimum (read: perfect) conditions.
    In other words, WPA and TKIP will slow a modern Wi-Fi network down. It’s not all about security!

  • Difference Between Layer 2 Security and WPA & WPA2 Parameters

    Hello Everyone, thank you everyone for reading me again.
    I have one question about security WLAN configuration. I created one SSID, and when I configured the security tab I see this:
    I'm not an expert, as you can see, but I thought that when you use WPA + WPA2 you will use a PSK to join the network.
    I see I can use 802.1X in layer 2 security.
    I don't really understand the difference between these options. I mean, if I use 802.1X for layer 2 security, do I need to establish a WEP KEY?
    If I use WPA + WPA2 for layer 2 security and 802.1X for Auth Key Management, do I need to use a RADIUS?
    Is there any documentation about these options?

    Look at it this way.
    WPA+TKIP
    Uses a pre-shared key and is not supported by 802.11n
    WPA2+AES
    Also uses a pre-shared key and is supported by 802.11n
    WPA+TKIP or WPA2+AES and 802.1x
    Requires a RADIUS server or the use of LDAP
    Also requires a certificate
    Server-side certificate for PEAP and a server- and client-side certificate for EAP-TLS.
    You also want to only use either WPA/TKIP or WPA2/AES, not both, and don't mix and match.
    Sent from Cisco Technical Support iPhone App

  • WPA2 Aes encryption on cisco 1121G AP

    Hi,
    I wanted to increase the security on my 1121G access point by enabling WPA2 with AES encryption. In a test environment I set this up and I configured my wireless client to connect. My wireless client (IBM ThinkPad T42p with 11a/b/g Wireless LAN Mini PCI Adapter II) has the ability to either select WPA or WPA2 and whether you use TKIP or AES. I selected WPA2 and AES, entered the encryption key which I had entered on the AP, and I connected.
    I changed the settings on the client to WPA and TKIP and entered the same encryption key and I managed to connect as well, which puzzles me; when I enter an incorrect encryption key it won't associate.
    Is this normal behaviour or do you think I have configured something incorrectly on the 1121G AP?
    I have attached my config and have removed some personal data.
    Many thanks,
    Rogier

    I have finally figured it out. It is the Windows client or Mac clients being very smart: if you configure your Windows client to use WPA instead of WPA2 and select TKIP instead of AES encryption, somehow it figures out this is incorrect and automatically sets the WPA to WPA2 settings and changes TKIP to AES encryption. I am amazed. I finally figured it out when a Windows machine which did not have the Windows patch to allow it to connect to WPA2 could not connect; only after installing the WPA2 patch would it connect. In the AP log it always showed as logging in with the WPA2 AES encryption.
    I guess Windows XP is a bit smarter than I originally thought.

  • EAP-PEAP, CCKM & WPA2 AES

    Hi Guys,
    Can someone advise on the pros/cons implementing both WPA2 (AES) and CCKM to a single WLAN running 802.1x (EAP-PEAP)?
    There appears to multiple conflicting docs about it.
    Cheers,
    Nick

    Hi Nick,
    1. WPA2 (AES) and CCKM do NOT work together properly, as most of the experts say. (But I have this scenario and still I have not heard of any issue from employees.)
    2. Most of the clients don't support WPA2 with CCKM combined because they have overlapping roaming mechanisms (this is the reason provided by experts).
    3. WPA with CCKM works perfectly (as Cisco recommended).
    Regards
    Don't forget to rate helpful posts

  • EA6500 support for Wi-Fi devices on WPA (TKIP)

    Although the EA6500 states support for WPA devices, it appears that some B devices (like the HP Wi-Fi printer PSC 2510) are not supported. The lack of support seems due to the lack of WPA with TKIP encryption; only the newer AES encryption appears to be available.

    pompekw,
    You should consider cascading your WRT54G to a new router. That way you can keep your legacy devices.
    I have legacy devices too. And that's what I do. If your WRT54G is broken, you can pick up a refurb wireless router that supports WEP and WPA TKIP and B/G for $20. And then you just cascade it to your new router. Use Lan-to-Lan cascade (or bridge mode instructions depending on whether or not the secondary router supports bridge mode). If your WRT54G still works, you can use it as the secondary router (which is what I do).
    Cascade link
    http://kb.linksys.com/Linksys/ukp.aspx?pid=80&vw=1&articleid=3733
    Fix #3 in the article below explains it better than I can.
    http://www.smallnetbuilder.com/wireless/wireless-basics/30664-5-ways-to-fix-slow-80211n-speed
    http://www.metageek.net/products/inssider/

  • IPad WiFi works only with WPA/TKIP, not WPA2/AES

    My iPad (like so many others) stopped connecting to my Linksys WRT54G router (which like everyone else's connects fine with every other device, including non-iOS 4 iPhones). The whole reset/restart/restore dance with the iPad/router/cable modem was performed to no avail. By sheer desperation, security protocols were changed, and that's what finally worked.
    The protocol to the rescue was WPA/TKIP, curiously enough. (When security is completely disabled ("Open"), the iPad also connects, perhaps expectedly.) The culprit is WPA2/AES (even AES+TKIP). Any iteration of WPA2/AES ends up blocking the iPad from getting the appropriate IP address via DHCP. Once I changed to WPA/TKIP, everything's been rock-solid and fast.
    (The only times WPA2/AES worked was when the iPad was first used for a couple days, and a couple days after switching back to WPA2/AES when it started working with WPA/TKIP. Since then, switching back to WPA2/AES no longer works, even temporarily.)
    Any idea why initially WPA2/AES worked, and then suddenly stopped?

    Ralph Landry1 wrote:
    That is a very interesting question ... [involving] the combination of the router and the iPad and their respective implementations of the AES encryption algorithm. The AES algorithm is considerably more complex than TKIP. Why some have problems and not others has to be related to the router and its implementation and the Apple implementation.... [I]t works fine for me connecting with [both] a Verizon FiOS (Actiontec) router [a]nd ... an AirPort Extreme. But there have been a number of posts recently about problems with Linksys and Belkin connectivity.
    Tell me about it. I'd been pulling my hair out prior to discovering ("by accident," as George Costanza would say) that WPA/TKIP fixed the problem, and seems to be working fine and fast. Now I'm just academically frustrated (better than actually frustrated) wondering why WPA2/AES is so problematic with this particular trifecta (my iPad, my Linksys router, and WPA2/AES).
    Bottom line is there is probably not an easy solution ... and since you do have a strong security protocol that works, keep using it. Very strange that there would be a change in connectivity after a few months, though. Old engineering philosophy, if it ain't broke, don't fix it. If you have something that works, stick with it for now.
    Actually, WPA2/AES worked on two (short but notable) occasions:
    a) for two days when I first unpacked the iPad, and
    b) for two days when I switched back to WPA2/AES upon discovering WPA/TKIP fixed the issue.
    So it wasn't two months, which makes more sense. I agree with you that I'm not touching this arrangement for now. What I did have to do was change over the other devices (PCs, Wii's, TiVo's) that didn't automatically adjust over to WPA/TKIP. (To its credit, the iPhone did that on the fly.) Going through each device hurt a little, knowing I was using a less-than-optimal protocol for just one cranky device at expense of every other one--but of course I'd rather everything play nice than be necessarily cutting edge. (It's not like I'm the Pentagon or anything here.)
    But also give feedback to Apple:
    http://www.apple.com/feedback/ipad.html
    Done and done. And thanks for a great and reassuring explanation.

  • Frequent disconnect using peap wpa2 with aes and tkip

    I get frequent disconnects for the users on wireless using PEAP WPA2 with AES and TKIP.
    My network is set up with:
    -Wireless controller 4404
    -ACS 4.0
    -28 access points 1131g
    -PEAP authentication with Active Directory Windows 2003
    -Windows XP - MSCHAPv2 with AES-TKIP
    When I check only AES on the wireless controller 4404, the network users are able to work in a stable condition.

    This might be similar to the bug where wireless phones don't associate if WPA2 is configured with both AES/TKIP. In this case try to upgrade the controller.

  • How do I set my E3000 to WPA2 AES?

    On the cisco connect (192.168.1.1) page, where can I change the encryption scheme to WPA2-AES?

    WPA2 Personal uses AES only.
    WPA Personal uses TKIP only.
    WPA2/WPA Personal Mixed Mode uses both.
    For best security and performance use WPA2 Personal only.

  • Issue getting Motorola 9060G scanner to work with 5508 WPA-TKIP

    All,
    We have a new 5508 controller that we are trying to get set up to use our Motorola 9060G handheld scanners. This device uses WPA-TKIP and has been working with a Symbol controller without issue. I need to retire this controller so I started re-creating the SSID on the Cisco controller. I am having issues getting the scanner to connect with the new SSID. It looks like everything works fine with no security, but once I start to enable WPA+WPA2 I get no connectivity. Laptops work fine, just not the handheld. I have tried every combination I can think of for AES and TKIP under the WPA and WPA2 policies. I have also gone through the Cisco Best Practices guide for Motorola/Symbol Wireless Handheld Scanners and so far, unless I have no security, I cannot get things to work properly. I tried doing a debug client to see what or how the two are talking but I can only get results with security set to open. Just looking for other suggestions as to something that I might be missing. My controller is running 7.6.100.
    Thanks ...
    Brent Berry

    We have a new 5508 controller that we are trying to get setup to use our Motorola 9060G handheld scanners. This device uses WPA-TKIP and has been working with a Symbol controller without issue. I need to retire this controller so started re-creating the SSID on the Cisco controller.
    Just be aware that the Wi-Fi Alliance has scheduled the "elimination" of TKIP.  What you are about to do is a "temporary" solution.  You can get the scanner to work now because you are using WLC firmware that still supports TKIP.  However, if (in the future) you need to upgrade your controller's firmware to support newer wireless access points, your scanners may not work any more.
    Read HERE.

  • Does 7921 support WPA2+AES+PKC?

    Does Cisco IP Phone 7921G support WPA2+AES+PKC? I know it supports WPA2+AES, but documentation is not clear if it supports PKC.
    Or do I _have to_ use WPA+TKIP+CCKM to support fast secure roaming in CUWN environment?
    VoWLAN design guide 4.1 recommends using WPA+TKIP+CCKM. Is that because the phone doesn't support PKC? Is that going to change?

    Ok first off the 7921G and 7925G are WPA/WPA2 certified.
    7921G
    http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA5040
    7925G
    http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA6945
    The 7921G is not officially WPA/WPA2 Enterprise certified as we didn't support certificate-based authentication at the time (PEAP and EAP-TLS), but do now, and the 7925G code is the same as the 7921G, just slightly different hardware.
    As for the 792xG Deployment Guides, I am the one that wrote those docs. :)
    There is a statement there in regards to WPA2+CCKM on page 10.
    Also WPA2(TKIP) is not a common or recommended configuration. If wanting to use WPA2 key-management it is also advised to use AES.
    But the 792xG does support all those methods, but only supports fast roaming (CCKM) with WPA(TKIP) at the moment.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf
    Cisco Centralized Key Management (CCKM)
    When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during
    roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of
    key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time.
    TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

  • Airport Linksys WRT54GX4 WPA TKIP problem-Driving me Crazy!

    HELP! Anyone, my boss bought a new Linksys router WRT54GX4 and I cannot connect to it through my iBook. The old one (old router) was damaged and I was able to connect to it fine before it was broken. But the new one uses the WPA TKIP encryption, and my iBook cannot connect to it; it sees the network name and gives me several WEP choices to connect to but no go. The actual network is the WPA TKIP, but I have tried several different combinations to connect to it and still nothing. I have tried the passphrase in uppercase and lowercase and nada. But most other PCs have no problem connecting, except for my iBook. It sees other hotspots and connects fine. Any help would be appreciated. Thanks!
    I have a 12" iBook 800 Dual USB 32 MB Vram, 640 RAM and Orig Airport Card.

    The Linksys WRT54GX4 is not quite the same series as the earlier WRT54G routers. The new WRT54GX uses different firmware altogether. This router uses a new technology and employs 3 antennas, whereas the earlier WRT54Gs had 2 antennas.
    It may be that this new technology is not working so well with apple airport cards as I have found the new linksys routers that have 3 antennas to be buggy. I have returned one to a reseller already.
    In the wireless security settings of the wrt54gx4 it is possible to have wpa selected but not enabled.
    I am not sure if the older airport cards support wpa2. I do know that the latest version airport does support wpa2. But for now try enabling wpa and disabling wpa2 on the linksys box as per this screen shot.
    I will be switching to buffalo wifi routers as these new linksys boxes are
    a) buggy
    b) don't support linux

  • Connect to WPA2-AES network

    Hello,
    I can't manage to connect my MBP to a WPA2 network with AES encryption which also needs Protected EAP. In fact I don't even find an option about the encryption mode under Leopard.
    If anyone has an idea about what steps I should try I would be very grateful.
    Thank you in advance

    I think your problem is using the "enterprise" login setting. Try using just WPA2 Personal or WPA Personal (NOT enterprise) when logging in wirelessly. Then just type in the passphrase and it should work.
