topic WPA2/AES and WPA/TKIP in Wireless

WPA2/AES and WPA/TKIP

Massimo Baschieri — Mon, 05 Jul 2021 09:42:03 GMT

Hi all,

for compatiility reasons I was used to enable both protocols on all the access points I prepared for customers of mine, both as regards on lightweight ones that standalone,

Now, as you all know, not only it's not best practice, but on the latest cisco products enabling both aes and tkip on the same ssid brings a lot of troubles.

I'm educating customers to get rid of old tkip only devices in order to remove it from configurations on wlc's and standalone ap's, but it's not always that easy, customers need time.

I read that a solution on wlc coud be to create two wlans with same ssid, one aes and the other tkip, but on latest releases seems not allowed to create any ssid with wpa1 only encyption.

On standalone ap's creating two ssid's on same vlan/interface is not allowed historically.

Did you find any solution for that?

On a single WLAN, you can

Saurav Lodh — Fri, 13 Mar 2015 11:39:42 GMT

On a single WLAN, you can allow WPA1 and WPA2clients to join,TKIP is the default value for WPA1, and AES is the default value for WPA2.

Sure, but I've got a lot of

Massimo Baschieri — Fri, 13 Mar 2015 12:42:20 GMT

Sure, but I've got a lot of issues enabling both protocols on recent cisco AP's, as soon as I remove wpa1 tkip on wlc or standalone ap configuration troubles disappear, that way old tkip devices no longer can connect to wireless.

I was wondering if there is a workaround that allows old tkip devices to connect to wifi without disrupting new AES devices connections, possibly using same ssid.

I know your pain first hand.

George Stefanick — Fri, 13 Mar 2015 19:03:44 GMT

I know your pain first hand. Ive tested this and seen the issue even did packet traces. This is a big pickle. 8.0 no longer allows just TKIP, but it does allow transitional TKIP and AES.

If you are using a WLC. Here is my suggestion. I haven't tried it but it may work. Down grade to 7.6 config your 2 network TKIP and AES then upgrade to 8.0. I think it will preserve the already existing network. Its worth a try.

In fact the environment it's

Massimo Baschieri — Sat, 14 Mar 2015 06:14:46 GMT

In fact the environment it's getting me the worst pain is a recent migration from old 4400 wlc's to a vwlc that started with 8.0.100 release.

But the issue is also related to ap models, since the whole ap pool was of glorious 1242's no issue at all, only after swapping two 1242's with two brand new 1702's the pain started, and gives pain only in the 1702's coverage area.

I'm sure your trick works, but in my case it's better to get rid of the 1702's until tkip devices disappear completely.