What is WPA mixed mode operation, and how do I configure it in my AP?
WPA stands for Wi-Fi Protected Access. There are two versions of WPA: WPA and WPA2.
WPA is a standards-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs and provides enhanced protection from targeted attacks. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLANs in both enterprise and Small Office/Home Office (SOHO) environments. WPA uses Temporal Key Integrity Protocol (TKIP) for encryption. WPA is fully supported by the Cisco Wireless Security Suite and the Cisco Structured Wireless-Aware Network(SWAN).
WPA2 is the next generation of Wi-Fi security. It is the Wi-Fi Alliance's interoperable implementation of the ratified IEEE 802.11i standard. It implements the National Institute of Standards and Technology (NIST) recommended Advanced Encryption Standard (AES) encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 facilitates government FIPS 140-2 compliance, and it is fully supported by the Cisco Wireless Security Suite and by Cisco SWAN.
WPA and WPA2 mixed mode operation permits the coexistence of WPA and WPA2 clients on a common SSID. WPA and WPA2 mixed mode is a Wi-Fi certified feature. During WPA and WPA2 mixed mode, the Access Point (AP) advertises the encryption ciphers (TKIP, CCMP, other) that are available for use. The client selects the encryption cipher it would like to use and the selected encryption cipher is used for encryption between the client and AP once it is selected by the client.
The AP must support WPA2 mixed mode to use this option. This means it should have a G radio. These Cisco Aironet products support WPA2:
To configure WPA or WPA2 mixed mode, perform these steps:
Go to > Security > Encryption Manager, and select AES CCMP+TKIP from the Ciphers drop down menu.
Make sure that your SSID is configured for WPA mandatory (not optional). Go to Security > SSID Manager, and select the SSID that should be used.
Scroll down to the Authenticated Key Management section and select Mandatory in the Key Management pull down menu. Also make sure to check the WPA box.
Comparison of WPA and WPA2 Mode Types
Enterprise Mode (Business, Government, Education)
Authentication: IEEE 802.1X/EAP
Authentication: IEEE 802.1X/EAP
Personal Mode (SOHO, Home/Personal)
In Enterprise mode of operation both WPA and WPA2 use 802.1X/EAP for authentication. 802.1X provides WLANs with strong, mutual authentication between a client and an authentication server. In addition, 802.1X provides dynamic per-user, per-session encryption keys, removing the administrative burden and security issues surrounding static encryption keys.With 802.1X, the credentials used for authentication, such as logon passwords, are never transmitted in the clear, or without encryption, over the wireless medium. While 802.1X authentication types provide strong authentication for wireless LANs, TKIP or AES are needed for encryption in addition to 802.1X since standard 802.11 WEP encryption, is vulnerable to network attacks.Several 802.1X authentication types exist, each providing a different approach to authentication while relying on the same framework and EAP for communication between a client and an access point. Cisco Aironet products support more 802.1X EAP authentication types than any other WLAN products.
Another benefit of 802.1X authentication is centralized management for WLAN user groups, including policy-based key rotation, dynamic key assignment, dynamic VLAN assignment, and SSID restriction. These features rotate the encryption keys.
In the Personal mode of operation, a pre-shared key (password) is used for authentication. Personal mode requires only an access point and client device, while Enterprise mode typically requires a RADIUS or other authentication server on the network.
This document provides examples for configuring WPA2 (Enterprise mode) and WPA2-PSK (Personal mode) in a Cisco Unified Wireless network.
Good Day, I am currently trying to load a new SSL Cert onto a WLC5520 but have been met with the following error each time: I have followed the steps for this from: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-la...
Hello, we are developing RFID tags and need some help on getting its location on MAPs.I understand that APs forward tags RSSI information to WLC. 1. I see from Cisco Unified Wireless Location-Based Services , we need a Location appliance an...
I'm having some issues trying to get mac auth set up for my guest network when running through a foreign/anchor set up. I took an access point and put it directly on my anchor controller. Configured the SSID's with L2 MAC Filtering and L3 On M...