WPA2 AES encryption on Cisco 1121G AP

Hi,
I wanted to increase the security on my 1121G access point by enabling WPA2 with AES encryption. In a test environment I set this up and configured my wireless client to connect. My wireless client (IBM ThinkPad T42p with 11a/b/g Wireless LAN Mini PCI Adapter II) has the ability to select either WPA or WPA2 and whether you use TKIP or AES. I selected WPA2 and AES, entered the encryption key which I had entered on the AP, and I connected.
I changed the settings on the client to WPA and TKIP and entered the same encryption key, and I managed to connect as well, which puzzles me. When I enter an incorrect encryption key it won't associate.
Is this normal behaviour, or do you think I have configured something incorrectly on the 1121G AP?
I have attached my config and have removed some personal data.
Many thanks
rogier

I have finally figured it out: it is the Windows or Mac clients being very smart. If you configure your Windows client to use WPA instead of WPA2 and select TKIP instead of AES encryption, somehow it figures out this is incorrect and automatically sets WPA to the WPA2 settings and changes TKIP to AES encryption. I am amazed. I finally figured it out when a Windows machine which did not have the Windows patch to allow it to connect to WPA2 could not connect; only after installing the WPA2 patch would it connect. In the AP log it always showed as logging in with WPA2 AES encryption.
I guess Windows XP is a bit smarter than I originally thought.

Similar Messages

  • Accept Certificate when connecting to an SSID with WPA2-AES encryption.

    When I try to connect my iPhone to an SSID with WPA2-AES encryption, I need to accept the certificate and get authenticated. When I switch over to a different SSID and reconnect to the same WPA2-AES SSID, I do not get the certificate accept page.
    When I click on Forget Network, disconnect from the SSID and reconnect again, I am prompted to accept the certificate. Is this normal behavior on the iPhone?
    Any suggestions would be greatly appreciated.
    Thanks and regards,
    Sendhil Balakrishnan

    Hi
    With the config I have, I seem to be able to log in using either TKIP or AES, but I don't think I have got mixed mode configured on the AP, so it should only accept WPA2-AES encryption. But it also accepts TKIP, making me believe something is configured incorrectly.
    Should I change anything in the config on the AP to only allow WPA2-AES encryption?
    Many thanks
    rogier

  • WPA2 AES encryption Key Sizes

    Hi all,
    Just looking at the AES standard, or wiki of it
    http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
    It mentions that AES supports the following (in the notes just at the bottom of the web page)
    Key sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128, 192, and 256-bit key sizes are specified in the AES standard.
    Block sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128-bit block size is specified in the AES standard.
    What does the WLCs use for an AES key size when you enable a WPA2 policy with AES encryption?
    Many thx
    Ken

    128 bits was supported on the autonomous code, so I'm sure the LWAPP solution also uses 128 bits with three possible key lengths 128, 192 and 256 bits.

  • Can't connect to WPA2-AES encrypted wifi

    There is no issue with a WEP wifi. I googled this problem and none of the results solved my problem. I updated iOS to 6.1.2. I reset my phone. However, it still does not work.
    Thanks in advance

    Try http://archpi.dabase.com/#wireless. It worked like a charm for me with RPI2 + http://www.amazon.co.uk/Andoer-Wireless … B008IZQCGK which has the same chipset and it's using kernel module 'rt2x00' https://wireless.wiki.kernel.org/news/2011-07-22. USB ID: 148f:5370.
    Last edited by phedoreanu (2015-04-25 22:35:28)

  • How to config Autonomous AP 1242/1252 the WPA2 and AES encryption

    Hi Guys,
    Do you know how to configure the autonomous AP1242 and AP1252 to use the new authentication way, WPA2 with AES encryption, to support 11n?
    Right now, our AP only has the SSID WH001 configured for network access.
    dot11 ssid WH001
       authentication open eap ea1
       authentication network-eap ea1
       accounting ac1
    How about the new SSID WH003 (new 11n)
    dot11 ssid WH003
      authentication ?
      authentication?
      account?
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode wep mandatory
    encryption mode? 
    ssid WH001
    ssid WH003
    channel 2437

    Well the 1242 doesn't support 802.11n. Here is a link to configure 802.11n on an ap that supports 802.11n like the 1252.
    http://www.cisco.com/en/US/docs/wireless/access_point/12.4.25d.JA/Configuration/guide/scg12.4.25d.JA-chap6-radio.html
    Here is a link that shows how to setup WPA2/AES which is required for 802.11n, besides open authentication.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml

  • How do I set my E3000 to WPA2 AES?

    On the cisco connect (192.168.1.1) page, where can I change the encryption scheme to WPA2-AES?

    WPA2 Personal uses AES only.
    WPA Personal uses TKIP only.
    WPA2/WPA Personal Mixed Mode uses both.
    For best security and performance use WPA2 Personal only.

  • Does 7921 support WPA2+AES+PKC?

    Does Cisco IP Phone 7921G support WPA2+AES+PKC? I know it supports WPA2+AES, but documentation is not clear if it supports PKC.
    Or do I _have to_ use WPA+TKIP+CCKM to support fast secure roaming in CUWN environment?
    VoWLAN design guide 4.1 recommends using WPA+TKIP+CCKM. Is that because the phone doesn't support PKC? Is that going to change?

    Ok first off the 7921G and 7925G are WPA/WPA2 certified.
    7921G
    http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA5040
    7925G
    http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA6945
    The 7921G is not officially WPA/WPA2 Enterprise certified as we didn't support certificate-based authentication at the time (PEAP and EAP-TLS), but do now, and the 7925G code is the same as the 7921G, just slightly different hardware.
    As for the 792xG Deployment Guides, I am the one that wrote those docs. :)
    There is a statement there in regards to WPA2+CCKM on page 10.
    Also WPA2(TKIP) is not a common or recommended configuration. If wanting to use WPA2 key-management it is also advised to use AES.
    But the 792xG does support all those methods, but only supports fast roaming (CCKM) with WPA(TKIP) at the moment.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf
    Cisco Centralized Key Management (CCKM)
    When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during
    roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of
    key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time.
    TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

  • Aironet 1252 AES encryption

    Dear all
    I have two Cisco Aironet 1252 autonomous access points that are configured as a point-to-point bridge. Now I want to configure AES encryption or WPA2 using a pre-shared key; however, I do not see the option to do this. The only options I see under ciphers are:
    wep 128
    wep 40
    TKIP
    CKIP
    CMIC
    CKIP-CMIC
    TKIP+WEP 128
    TKIP+WEP 40
    AES CCMP
    AES CCMP + TKIP
    AES CCMP + TKIP + WEP 128
    AES CCMP + TKIP + WEP 40
    Is it possible to use either AES or WPA2 using a pre-shared key on the 1252 autonomous access point? If possible, please provide instructions, preferably using the web interface.
    Regards,
    Screech

    Sure ..
    This is WPA2 Enterprise -- but you will see the PSK commands below
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
    If you don't see these commands then you need to update your code.
    - Go to Security > Encryption Manager > Select Cipher > AES CCMP from the drop down menu > Apply
    - Go to Security > SSID Manager > Select (or create) the SSID > Link the SSID to the radio that you want
    - Open authentication should be selected
    - Key Management should be set to Mandatory
    - "Enable WPA" needs to be checked
    - Enter the Pre-Shared Key in the "WPA Pre-shared Key" field.
    - Scroll down and click on the first apply (not the bottom one).

  • WPA-TKIP WPA2-AES Connection speed

    Hi,
    My customer uses a controller-based wireless network. There is a connection speed problem between two SSIDs. The first SSID uses the WPA(TKIP+AES) and WPA2(TKIP+AES) encryption methods and the dot1x authentication method. The second SSID uses open authentication (this is a guest SSID).
    802.11 a/n/ac is enabled on the WLC and clients can connect with these methods. But clients connect to the first SSID with 802.11 b/g (54 Mbps) and connect to the second SSID with 802.11 a/n/ac. The customer wants to know why our clients connect at low speed to the first SSID even if a/n/ac is enabled.
    Sometimes WPA-TKIP encryption methods can reduce the connection speed. Do you have any idea about that, and is there an official document about this problem?
    Thanks,
    Burhan,

    TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP stands for “Temporal Key Integrity Protocol.” It was a stopgap encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn’t be using it.
    AES stands for “Advanced Encryption Standard.” This was a more secure encryption protocol introduced with WPA2, which replaced the interim WPA standard. AES isn’t some creaky standard developed specifically for Wi-Fi networks; it’s a serious worldwide encryption standard that’s even been adopted by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.
    The “PSK” in both names stands for “pre-shared key” — the pre-shared key is generally your encryption passphrase. This distinguishes it from WPA-Enterprise, which uses a RADIUS server to hand out unique keys on larger corporate or government Wi-Fi networks.
    In summary, TKIP is an older encryption standard used by the old WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But, depending on your router, just choosing WPA2 may not be good enough.
    While WPA2 is supposed to use AES for optimal security, it also has the option to use TKIP for backward compatibility with legacy devices. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So “WPA2” doesn’t always mean WPA2-AES. However, on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.
    WPA and TKIP compatibility options can also slow your Wi-Fi network down. Many modern Wi-Fi routers that support 802.11n and newer, faster standards will slow down to 54 Mbps if you enable WPA or TKIP in their options. They do this to ensure they’re compatible with these older devices.
    In comparison, even 802.11n supports up to 300 Mbps — but, generally, only if you’re using WPA2 with AES. Theoretically, 802.11ac offers theoretical maximum speeds of 3.46 Gbps under optimum (read: perfect) conditions.
    In other words, WPA and TKIP will slow a modern Wi-Fi network down. It’s not all about security!

  • Connect to WPA2-AES network

    Hello,
    I don't manage to connect my MBP to a WPA2 network with AES encryption which needs also protected EAP. In fact I don't even find an option about the encryption mode under Leopard.
    If anyone has an idea about what steps I should try I would be very grateful.
    Thank you in advance

    I think your problem is using the "enterprise" login setting. Try using just WPA2 Personal or WPA Personal (NOT enterprise) when logging in wirelessly. Then just type in the passphrase and it should work.

  • EAP-PEAP, CCKM & WPA2 AES

    Hi Guys,
    Can someone advise on the pros/cons implementing both WPA2 (AES) and CCKM to a single WLAN running 802.1x (EAP-PEAP)?
    There appears to multiple conflicting docs about it.
    Cheers,
    Nick

    Hi Nick,
    1. WPA2 (AES) and CCKM do NOT work together properly, as most of the experts say. (But I have this scenario and still I have not heard of any issue from employees.)
    2. Most of the clients don't support WPA2 with CCKM combined because they have overlapping roaming mechanisms (this is the reason provided by the experts).
    3. WPA with CCKM works perfectly (as Cisco recommended).
    Regards

  • AES Encryption No Longer Working

    Last week we had users complaining that they could no longer connect to wireless.  They were receiving a limited or no connectivity message.  Upon researching the issue, I found that if I removed the AES encryption, from WPA2, users were able to connect again with TKIP.  In speaking to a few admins, they stated that TKIP was the preferred method that was chosen years ago.  My first question is this.....In our WLAN's, we had the options for WPA/TKIP-AES, and WPA2/TKIP-AES.  I'm assuming this would allow the PC to use whichever encryption method was preferred.  However, this doesn't seem to be the case.  The PC chose AES, which caused the issue that they were having.  Would this be something PC based?   I'm assuming the controller only gives the ability.  It won't actually dictate which encryption method is used, unless one of the options is turned off (like we did with AES).  My second question is this....TKIP, being a weaker encryption method, isn't what I want our users using.  How could I migrate to AES?  Are there specific instructions to move from TKIP to AES?  Is it more than just putting a check mark on the AES options, under WLAN security?  Thanks for any help!

    It's best to only use either WPA/TKIP or WPA2/AES, not both or a mix of either.  This does cause issues with devices, so it's hit or miss.  If you had configured everything for WPA2/TKIP, well... you're stuck with a non-standard IEEE setting, and you will have to just configure that on the WLC.  It's the same if you were using WPA/AES.
    The best way to move to a standard, is if your devices were domain machines and you can push out a GPO.  Non domain machines, you would need to manually enter those unless you had a tool that manages them.

  • Enable AES encryption on 1310 Wireless bridge

    Hi All,
    I have a requirement to enable AES encryption on the management VLAN traffic between the connected root and non-root bridges. Can anyone share the configuration guidelines, please?
    Below is the network setup.
    Router<---->SW1 (main office)--> Root bridge <----------> non-root bridge------SW2 (remote end site)
    Apart from the specific configuration on the wireless bridge, is any extra configuration required on the switch interfaces?
    Regards
    Lerner

    Hello,
    1. Make sure you are running version 12.3(7)JA or later since WPA2/AES was not always available for the 1310.
    2. How do you currently have the root/non-root configured?
    Ideally, adding AES should be fairly straightforward.  Keep in mind we recommend using WPA2 with AES.
    configured on your root AND non-root:
    dot11 ssid
    authentication open
    authentication key-management wpa version 2
    interface do1
    encryption mode ciphers aes-ccm
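
An offline check for the question raised in the first thread (does the AP accept anything besides WPA2 with AES?), built on the `authentication key-management wpa version 2` and `encryption mode ciphers aes-ccm` commands from the reply above. This is an added example, not part of any post on this page; the sample configuration and its SSID names are constructed, and treating key management without `version 2` as not WPA2-only is an assumption of the example.

```python
import re
# Constructed sample in autonomous-AP IOS syntax (not the poster's attachment).
SAMPLE_CONFIG = """\
dot11 ssid LAB-MIXED
 authentication open
 authentication key-management wpa
!
dot11 ssid LAB-WPA2
 authentication open
 authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid LAB-MIXED
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid LAB-WPA2
"""

def parse(config):
    ssids, radios, cur = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)$", line):
            cur = ssids.setdefault(m.group(1), {"key_mgmt": None})
        elif m := re.match(r"interface (Dot11Radio\S+)$", line):
            cur = radios.setdefault(m.group(1), {"ciphers": [], "ssids": []})
        elif line == "!" or line.startswith("interface "):
            cur = None  # section ended; also works on pasted, unindented configs
        elif cur is None:
            continue
        elif "key_mgmt" in cur:  # inside a "dot11 ssid" section
            if m := re.match(r"authentication key-management (.+)$", line):
                cur["key_mgmt"] = m.group(1).split()
        elif m := re.match(r"encryption mode ciphers (.+)$", line):
            cur["ciphers"] = m.group(1).split()
        elif line.startswith("encryption mode wep"):
            cur["ciphers"] = ["wep"]
        elif m := re.match(r"ssid (\S+)$", line):
            cur["ssids"].append(m.group(1))
    return ssids, radios

def audit(config):
    """Return (object, finding) pairs for anything weaker than WPA2 with AES-CCMP only."""
    ssids, radios = parse(config)
    findings = []
    for name, radio in radios.items():
        extra = [c for c in radio["ciphers"] if c != "aes-ccm"]
        if extra:
            findings.append((name, "non-AES ciphers enabled: " + " ".join(extra)))
        for ssid in radio["ssids"]:
            km = ssids.get(ssid, {}).get("key_mgmt")
            if not km or km[0] != "wpa":
                findings.append((ssid, "no WPA key management"))
            elif km[1:3] != ["version", "2"]:  # assumption: no "version 2" means not WPA2-only
                findings.append((ssid, "key management not pinned to WPA2"))
    return findings

print(audit(SAMPLE_CONFIG))
```

Run it against a saved copy of the running configuration; an empty list means every radio and bound SSID in the file is limited to WPA2 key management with AES-CCMP.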

  • IPad WiFi works only with WPA/TKIP, not WPA2/AES

    My iPad (like so many others) stopped connecting to my Linksys WRT54G router (which like everyone else's connects fine with every other device, including non-iOS 4 iPhones). The whole reset/restart/restore dance with the iPad/router/cable modem was performed to no avail. By sheer desperation, security protocols were changed, and that's what finally worked.
    The protocol to the rescue was WPA/TKIP, curiously enough. (When security is completely disabled ("Open"), the iPad also connects, perhaps expectedly.) The culprit is WPA2/AES (even AES+TKIP). Any iteration of WPA2/AES ends up blocking the iPad from getting the appropriate IP address via DHCP. Once I changed to WPA/TKIP, everything's been rock-solid and fast.
    (The only times WPA2/AES worked was when the iPad was first used for a couple days, and a couple days after switching back to WPA2/AES when it started working with WPA/TKIP. Since then, switching back to WPA2/AES no longer works, even temporarily.)
    Any idea why initially WPA2/AES worked, and then suddenly stopped?

    Ralph Landry1 wrote:
    That is a very interesting question ... [involving] the combination of the router and the iPad and their respective implementations of the AES encryption algorithm. The AES algorithm is considerably more complex than TKIP. Why some have problems and not others has to be related to the router and its implementation and the Apple implementation.... [I]t works fine for me connecting with [both] a Verizon FiOS (Actiontec) router [a]nd ... an AirPort Extreme. But there have been a number of posts recently about problems with Linksys and Belkin connectivity.
    Tell me about it. I'd been pulling my hair out prior to "discovering (by accident," as George Costanza would say) that WPA/TKIP fixed the problem, and seems to be working fine and fast. Now I'm just academically frustrated (better than actually frustrated) wondering why WPA2/AES is so problematic with this particular trifecta (my iPad, my Linksys router, and WPA2/AES).
    Bottom line is there is probably not an easy solution ... and since you do have a strong security protocol that works, keep using it. Very strange that there would be a change in connectivity after a few months, though. Old engineering philosophy, if it ain't broke, don't fix it. If you have something that works, stick with it for now.
    Actually, WPA2/AES worked on two (short but notable) occasions:
    a) for two days when I first unpacked the iPad, and
    b) for two days when I switched back to WPA2/AES upon discovering WPA/TKIP fixed the issue.
    So it wasn't two months, which makes more sense. I agree with you that I'm not touching this arrangement for now. What I did have to do was change over the other devices (PCs, Wii's, TiVo's) that didn't automatically adjust over to WPA/TKIP. (To its credit, the iPhone did that on the fly.) Going through each device hurt a little, knowing I was using a less-than-optimal protocol for just one cranky device at expense of every other one--but of course I'd rather everything play nice than be necessarily cutting edge. (It's not like I'm the Pentagon or anything here.)
    But also give feedback to Apple:
    http://www.apple.com/feedback/ipad.html
    Done and done. And thanks for a great and reassuring explanation.
    Message was edited by: TashTish

  • Can't open a specific website with AES encryption on

    WRT54GX2 router  set up with WPA and AES encryption, will not open a website that I know is working (it's my ISP, webmail site).  When I change to TKIP the site opens normally, but my wireless printer then drops off the network.  Any one have a fix?

    I agree with toomanydonuts suggestion. You can try the steps which toomanydonuts has mentioned and i think that will make your computer and printer work wirelessly.
