What is WPA mixed mode operation, and how do I configure it in my AP?
WPA stands for Wi-Fi Protected Access. There are two versions of WPA: WPA and WPA2.
WPA is a standards-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs and provides enhanced protection from targeted attacks. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLANs in both enterprise and Small Office/Home Office (SOHO) environments. WPA uses Temporal Key Integrity Protocol (TKIP) for encryption. WPA is fully supported by the Cisco Wireless Security Suite and the Cisco Structured Wireless-Aware Network(SWAN).
WPA2 is the next generation of Wi-Fi security. It is the Wi-Fi Alliance's interoperable implementation of the ratified IEEE 802.11i standard. It implements the National Institute of Standards and Technology (NIST) recommended Advanced Encryption Standard (AES) encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 facilitates government FIPS 140-2 compliance, and it is fully supported by the Cisco Wireless Security Suite and by Cisco SWAN.
WPA and WPA2 mixed mode operation permits the coexistence of WPA and WPA2 clients on a common SSID. WPA and WPA2 mixed mode is a Wi-Fi certified feature. During WPA and WPA2 mixed mode, the Access Point (AP) advertises the encryption ciphers (TKIP, CCMP, other) that are available for use. The client selects the encryption cipher it would like to use and the selected encryption cipher is used for encryption between the client and AP once it is selected by the client.
The AP must support WPA2 mixed mode to use this option. This means it should have a G radio. These Cisco Aironet products support WPA2:
To configure WPA or WPA2 mixed mode, perform these steps:
Go to > Security > Encryption Manager, and select AES CCMP+TKIP from the Ciphers drop down menu.
Make sure that your SSID is configured for WPA mandatory (not optional). Go to Security > SSID Manager, and select the SSID that should be used.
Scroll down to the Authenticated Key Management section and select Mandatory in the Key Management pull down menu. Also make sure to check the WPA box.
Comparison of WPA and WPA2 Mode Types
Enterprise Mode (Business, Government, Education)
Authentication: IEEE 802.1X/EAP
Authentication: IEEE 802.1X/EAP
Personal Mode (SOHO, Home/Personal)
In Enterprise mode of operation both WPA and WPA2 use 802.1X/EAP for authentication. 802.1X provides WLANs with strong, mutual authentication between a client and an authentication server. In addition, 802.1X provides dynamic per-user, per-session encryption keys, removing the administrative burden and security issues surrounding static encryption keys.With 802.1X, the credentials used for authentication, such as logon passwords, are never transmitted in the clear, or without encryption, over the wireless medium. While 802.1X authentication types provide strong authentication for wireless LANs, TKIP or AES are needed for encryption in addition to 802.1X since standard 802.11 WEP encryption, is vulnerable to network attacks.Several 802.1X authentication types exist, each providing a different approach to authentication while relying on the same framework and EAP for communication between a client and an access point. Cisco Aironet products support more 802.1X EAP authentication types than any other WLAN products.
Another benefit of 802.1X authentication is centralized management for WLAN user groups, including policy-based key rotation, dynamic key assignment, dynamic VLAN assignment, and SSID restriction. These features rotate the encryption keys.
In the Personal mode of operation, a pre-shared key (password) is used for authentication. Personal mode requires only an access point and client device, while Enterprise mode typically requires a RADIUS or other authentication server on the network.
This document provides examples for configuring WPA2 (Enterprise mode) and WPA2-PSK (Personal mode) in a Cisco Unified Wireless network.
I have been out of the IT world for a few years, but my current job is requiring me to take on more IT related tasks. One of my current tasks is to get a mobile "robot" to talk over wifi after a failure of an older setup (2 wireless bridges). I have been ...
Under Configuration -> Security -> Web Auth, on the new 9800 WLC you have a option called Web Auth Parameter Map.How many Web Auth Parameter Map can you have on the new 9800 WLC?I can't seem to find a number on this online. But would it be reas...
Hello, Anyone can explain the picture of AP signal. The picture shows signals strength in different angles so that we can know how strong the signal is at different angle. Do you think the picture show signal strength at some distance away from the AP? Fo...
We currently have a Cisco WLC 4402 with approximately 50 Aironet 1142 APs . When we we provision an AP both our guest and secure wlans are automatically setup on the APs. Is there a way or configuration where we could have certain APs "not" have the secur...
Hello, I'm using network environment based on AIR-AP3802I-E-K9 with WLC 5529 18.104.22.168. Could someone please tell me why some client devices which are using 2.4Ghz associating with AP only based on 802.11g?I've in NIC requirements tha...