WRT54GX2; WPA2 AES

Similar Messages

• WPA-TKIP WPA2-AES Connection speed

  Hi,
  My customer uses controller based wireless network. There is a connection speed problem between two SSID's. First SSID uses WPA(TKIP+AES) and WPA2(TKIP+AES) encryption method and dot1x authentication method. Second SSID uses open authentication (this is a guest SSID)
  802.11 a/n/ac is enable on WLC and client can connect with these methods. But clients connect to the first SSID with 802.11 b/g (54 Mbps) and connect to the second SSID with 802.11 a/n/ac. Customer wants to know why our clients connect with low speed to first SSID even if a/n/ac is enable.
  Sometimes WPA-TKIP encryption methods can reduce the connection speed. Do you have any idea about that and official document about this problem?
  Thanks,
  Burhan,

  TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP stands for “Temporal Key Integrity Protocol.” It was a stopgap encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn’t be using it.
  AES stands for “Advanced Encryption Standard.” This was a more secure encryption protocol introduced with WPA2, which replaced the interim WPA standard. AES isn’t some creaky standard developed specifically for Wi-Fi networks; it’s a serious worldwide encryption standard that’s even been adopted by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.
  The “PSK” in both names stands for “pre-shared key” — the pre-shared key is generally your encryption passphrase. This distinguishes it from WPA-Enterprise, which uses a RADIUS server to hand out unique keys on larger corporate or government Wi-Fi networks.
  In summary, TKIP is an older encryption standard used by the old WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But, depending on your router, just choosing WPA2 may not be good enough.
  While WPA2 is supposed to use AES for optimal security, it also has the option to use TKIP for backward compatibility with legacy devices. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So “WPA2″ doesn’t always mean WPA2-AES. However, on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.
  WPA and TKIP compatability options can also slow your Wi-Fi network down. Many modern Wi-Fi routers that support 802.11n and newer, faster standards will slow down to 54mbps if you enable WPA or TKIP in their options. They do this to ensure they’re compatible with these older devices.
  In comaprison, even 802.11n supports up to 300mbps — but, generally, only if you’re using WPA2 with AES. Theoretically, 802.11ac offers theoretical maximum speeds of 3.46 Gbps under optimum (read: perfect) conditions.
  In other words, WPA and TKIP will slow a modern Wi-Fi network down. It’s not all about security!

• WPA2\AES and PSK

  We have a situation that we need to implement WPA2, AES with PSK on our WLC. If I put a complex passphrase of 63 ASCI characters, how safe is my wireless network? After reading multiple forums, it seems that is quite safe, even if this setup is design for a home or medium office.
  Your feedback is very much appreciated.
  Thank you.

  As far as the security algorithm itself is concerned, a very long, random PSK is extremely secure.
  However, there are human factor issues that come into play: that long PSK has to be written down somewhere and that location must be kept secure; the number of people who have access to the key must be limited and all of them must carefully maintain the security of the key; if the key is compromised you must manually change the keys on all clients; etc.
  Another issue is that with a PSK you have no way to map a given wireless connection to any individual user, as you would with 802.1X. So if an EAP account is compromised you at least know who to yell at, whereas if your key is compromised you have no clue.
  Nobody's going to crack a 63-character passphrase using over-the-air tools. But they won't bother. They'll just find a way to get into your helpdesk office and take a picture of the whiteboard where it's written down.

• WPA2-AES with Certifiacte authentication in WLC

  Hello,
  I have currently setup with 1200 series AP's as a Stand alone, the authentication is done via radius  with Certiface Installed in Client Domain Laptops (WPA2 + AES). The certificate is installed on the domain laptops and when I connect wireless it shows up as WPA2 (Peap). As we migrating to WLAN Controller we unable to authenticate the client with WPA2 AES. In controller if we enable PSK ( Preshared key) its works fine. with 802.1x the authentication not happening and I am getting the error as RADIUS is not responding. But we dont have a control with RADIUS which is in Remote Site. Can some one guide me in RADIUS what needs to check, and with IOS AP its works fine.
  Thanks in Advance

  You will need to have access to your RADIUS server to set up your controller to support PEAp, its not as simple as upgrading the aps and adding a controller as the controller will need adding as a client to the RADIUS server as a client and depending on your remote access policies adding into the RAS policy. You will need to liaise with the RADIUS support team

• How do I set my E3000 to WPA2 AES?

  On the cisco connect (192.168.1.1) page, where can I change the encryption scheme to WPA2-AES?
  Solved!
  Go to Solution.

  WPA2 Personal uses AES only.
  WPA Personal uses TKIP only.
  WPA2/WPA Personal Mixed Mode uses both.
  For best security and performance use WPA2 Personal only.

• Accept Certificate when connecting to an SSID with WPA2-AES encryption.

  When I try to Connect my Iphone to an SSID with WPA2-AES encryption,i need to accept the certificate and gets authenticated.When i switchover to different SSID and reconnect again to the same WPA2-AES SSID i do not get the Certificate accept page.
  When i click on the Forget Network and deisconnect from the SSID and re-connect again,i will be prompted to acept the certificate.Is this a normal behavior in Iphone.
  Any suggestions would be greatly appreciated.
  Thanks and regards,
  Sendhil Balakrishnan

  Hi
  with the config i have i seem to be able to login using either tkip or aes, but i don't think i have got mixed mode configured on the AP so it should only accept WPA2-AES encryption but it also accepts TKIP making me believe something is configured incorrectly.
  should i change anything in the config on the AP to only allow WPA2-AES encryption?
  many thanks
  rogier

• WLC-4404. WPA2 - AES (L2) - Microsoft IAS- unable to authenticate

  Hi am upgrading from EAP - TLS with WEP to WPA2 - AES with smartcard / machine certificates. AAA server is Microsoft IAS. New SSID and config for WPA2 looks straightforward.
  Created new policy for this SSID on IAS, again looks straightforward. Unable to authenticate, debug on WLC looks as though not all server to client transactions are taking place , no EAPOL messages etc.
  Any ideas?

  This mostly occurs due to incompatibility on the client side. Try these steps in order to fix this issue:
  Check if the client is Wi-Fi certified for WPA2 and check the configuration of the client for WPA2.
  Check the data sheet in order to see if the client Utility supports WPA2. Install any patch released by the vendor to support WPA2. If you use Windows Utility, make sure that you have installed the WPA2 patch from Microsoft in order to support WPA2.
  Upgrade the client's Driver and Firmware.
  Turn off Aironet extensions on the WLAN.

• EAP-PEAP, CCKM & WPA2 AES

  Hi Guys,
  Can someone advise on the pros/cons implementing both WPA2 (AES) and CCKM to a single WLAN running 802.1x (EAP-PEAP)?
  There appears to multiple conflicting docs about it.
  Cheers,
  Nick

  Hi Nick,
  1. WPA2 (AES) and CCKM do NOT work together properly as most of the experts say like this. (but I have this scenario and still i did not herad any issue from employees)
  2. Most of the clients don't support WPA2 with CCKM combined because they have overlapping roaming mechanism(this is the reason provides by expert).
  3. WPA with cckm works perfectly (as cisco recommanded)
  Regards
  Dont forget to rate helpful posts

• Unable to connect to a Wifi WPA2 AES network

  Hello
  I have an issue to connect to a Wireless WPA2 AES network. I am using an iPhone 4 with iOS 6.0.1
  Is that a  known issue?

• Palm Pre & WPA2 AES Wireless Networks

  I have a palm pre that I'd like to connect to a campus network that uses WPA2 AES encyption. I have the certificate required for this network already installed on the pre. However, when attempting to login to the network, it does not use the certificate and asks for a username/password. Of course, the logins will not work. Any workaround or is this just not supported?
  Post relates to: Pre p100eww (Sprint)

  Have you tried putting your domain name before the username, i.e. <DOMAIN>\<USERNAME>? e.g.
  Username: School\John Doe
  Password: **********
  If you network is not hidden, you don't even need to specify the security setting. I think it does it automatically when I select a network from the list, at least for me. Good luck!

• Does 7921 support WPA2+AES+PKC?

  Does Cisco IP Phone 7921G support WPA2+AES+PKC? I know it supports WPA2+AES, but documentation is not clear if it supports PKC.
  Or do I _have to_ use WPA+TKIP+CCKM to support fast secure roaming in CUWN environment?
  VoWLAN design guide 4.1 recommends using WPA+TKIP+CCKM. Is that because the phone doesn't support PKC? Is that going to change?

  Ok first off the 7921G and 7925G are WPA/WPA2 certified.
  7921G
  http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA5040
  7925G
  http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA6945
  The 7921G is not officially WPA/WPA2 Enterprise certified as we didn't support certicate based authentication at the time (PEAP and EAP-TLS), but do now and the 7925G code is the same as the 7921G, just a slightly different hardware.
  As for the 792xG Deployment Guides, I am the one that wrote those docs. :)
  There is a statement there in regards to WPA2+CCKM on page 10.
  Also WPA2(TKIP) is not a common or recommended configuration. If wanting to use WPA2 key-management it is also advised to use AES.
  But the 792xG does support all those methods, but only supports fast roaming (CCKM) with WPA(TKIP) at the moment.
  http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf
  Cisco Centralized Key Management (CCKM)
  When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during
  roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of
  key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time.
  TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

• Possible fix? Use WPA2 AES

  Just read that TKIP WPA2 might be the reason for lockups. I set my router for WPA2 AES instead. *fingers crossed*

  Nope. Wake up killed my router again. Another lock up.
  Bringing this thing back to a store. I give up.

• IPad WiFi works only with WPA/TKIP, not WPA2/AES

  My iPad (like so many others) stopped connecting to my Linksys WRT54G router (which like everyone else's connects fine with every other device, including non-iOS 4 iPhones). The whole reset/restart/restore dance with the iPad/router/cable modem was performed to no avail. By sheer desperation, security protocols were changed, and that's what finally worked.
  The protocol to the rescue was WPA/TKIP, curiously enough. (When security is completely disabled ("Open"), the iPad also connects, perhaps expectedly.) The culprit is WPA2/AES (even AES+TKIP). Any iteration of WPA2/AES ends up blocking the iPad from getting the appropriate IP address via DHCP. Once I changed to WPA/TKIP, everything's been rock-solid and fast.
  (The only times WPA2/AES worked was when the iPad was first used for a couple days, and a couple days after switching back to WPA2/AES when it started working with WPA/TKIP. Since then, switching back to WPA2/AES no longer works, even temporarily.)
  Any idea why initially WPA2/AES worked, and then suddenly stopped?

  Ralph Landry1 wrote:
  That is a very interesting question ... [involving] the combination of the router and the iPad and their respective implementations of the AES encryption algorithm. The AES algorithm is considerably more complex than TKIP. Why some have problems and not others has to be related to the router and its implementation and the Apple implementation.... t works fine for me connecting with [both] a Verizon FiOS (Actiontec) router [a]nd ... an AirPort Extreme. But there have been a number of posts recently about problems with Linksys and Belkin connectivity.
  Tell me about it. I'd been pulling my hair out prior to "discovering (by accident," as George Costanza would say) that WPA/TKIP fixed the problem, and seems to be working fine and fast. Now I'm just academically frustrated (better than actually frustrated) wondering why WPA2/AES is so problematic +with this particular trifecta+ (my iPad, my Linksys router, and WPA2/AES).
  Bottom line is there is probably not an easy solution ... and since you do have a strong security protocol that works, keep using it. Very strange that there would be a change in connectivity after a few months, though. Old engineering philosophy, if it ain't broke, don't fix it. If you have something that works, stick with it for now.
  Actually, WPA2/AES worked on two (short but notable) occasions:
  a) for two days when I first unpacked the iPad, and
  b) for two days when I switched back to WPA2/AES upon discovering WPA/TKIP fixed the issue.
  So it wasn't two months, which makes more sense. I agree with you that I'm not touching this arrangement for now. What I did have to do was change over the other devices (PCs, Wii's, TiVo's) that didn't automatically adjust over to WPA/TKIP. (To its credit, the iPhone did that on the fly.) Going through each device hurt a little, knowing I was using a less-than-optimal protocol for just one cranky device at expense of every other one--but of course I'd rather everything play nice than be necessarily cutting edge. (It's not like I'm the Pentagon or anything here.)
  But also give feedback to Apple:
  http://www.apple.com/feedback/ipad.html
  Done and done. And thanks for a great and reassuring explanation.
  Message was edited by: TashTish

• Is there a limit on number of characters for WPA2/AES on Itouch 4th Generation, IOS 5.0?

  Seen on a few sites that the Itouch prefers 10 to 24 characters, 24 being the maximum.  We are using MobileIron to create profiles, and the current WPA2 Pass phrase is 58 charcters long in ASCII format.  Any help is greatly appreciated.
  King regards

  FWIW I use a 63-character random ASCII key and WPA2-Personal (aka WPA2-PSK [AES]) on my iPod Touch (4th gen) device, running iOS 5.0.1, and my home wireless networks. The key is similar to this...
  The only problem is its quite a pain to key in using the iPod Touch keyboard. I got around that by creating an Outlook 2010 Note, syncing the note with the iPod, then using copy-n-paste to insert the key into the wireless network profile. All that works well with my home ZyXEL wireless router and my travel Belkin wireless router.
  My wireless network security guidelines for home users...
  http://theillustratednetwork.mvps.org/LAN/SoHoWirelessSecurity.html

• WPA2 Aes encryption on cisco 1121G AP

  hi
  i wanted to increase the security on my 1121G accesspoint by enabling wpa2 with aes encryption. in a test environment i set this up and i configured my wireless client to connect, my wireless client (ibm thinkpad t42p with 11a/b/g Wireless LAN Mini PCI Adapter II has the ability to either select WPA or WPA2 and whether you use TKIP or AES. i selected WPA2 and AES enter the encryption key which i had entered on the AP and i connected,
  i change the settings on the client to WPA and TKIP and entered the same encryption key and i managed to connect as well, which puzzles me, when i enter an incorrect encryption key it won't associate.
  is this normal behaviour or do you think i have configured something incorrectly on the 1121G AP?
  i have attached my config and have removed some personal data.
  many thanks
  rogier

  i have finally figured it out, it is the windows client or mac clients being very smart, if you configure your windows client to use WPA instead of WPA2 and select TKIP instead of AES encryption somehow it figures out this is incorrect and automatically sets the WPA to WPA2 settings and changes TKIP to AES encryption, i am amazed, i finally figured it out when a windows machine which did not have the windows patch to allow it to connect to WPA2 could not connect, only after installing the WPA2 patch would it connect. in the AP log it always showed as logging in with the WPA2 EAS encryption.
  i guess windows xp is a bit smarter than i originally thought