What is WPA mixed mode operation, and how do I configure it in my AP?
WPA stands for Wi-Fi Protected Access. There are two versions of WPA: WPA and WPA2.
WPA is a standards-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs and provides enhanced protection from targeted attacks. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLANs in both enterprise and Small Office/Home Office (SOHO) environments. WPA uses Temporal Key Integrity Protocol (TKIP) for encryption. WPA is fully supported by the Cisco Wireless Security Suite and the Cisco Structured Wireless-Aware Network (SWAN).
WPA2 is the next generation of Wi-Fi security. It is the Wi-Fi Alliance's interoperable implementation of the ratified IEEE 802.11i standard. It implements the National Institute of Standards and Technology (NIST) recommended Advanced Encryption Standard (AES) encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 facilitates government FIPS 140-2 compliance, and it is fully supported by the Cisco Wireless Security Suite and by Cisco SWAN.
WPA and WPA2 mixed mode operation permits the coexistence of WPA and WPA2 clients on a common SSID. WPA and WPA2 mixed mode is a Wi-Fi certified feature. During WPA and WPA2 mixed mode, the Access Point (AP) advertises the encryption ciphers (TKIP, CCMP, other) that are available for use. The client selects the encryption cipher it would like to use, and that cipher is then used for encryption between the client and the AP.
The AP must support WPA2 mixed mode to use this option. This means it should have a G radio. These Cisco Aironet products support WPA2:
To configure WPA or WPA2 mixed mode, perform these steps:
1. Go to Security > Encryption Manager, and select AES CCMP+TKIP from the Ciphers drop-down menu.
2. Make sure that your SSID is configured for WPA mandatory (not optional). Go to Security > SSID Manager, and select the SSID that should be used.
3. Scroll down to the Authenticated Key Management section and select Mandatory in the Key Management pull-down menu. Also make sure to check the WPA box.
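To check what an AP configured this way actually advertises, the following added example (not Cisco code, and not part of the original document) decodes the WPA and RSN (WPA2) information elements of a beacon and reports whether the SSID is in mixed mode and whether TKIP is still on offer. The function names and the sample bytes are constructed for illustration, and the parser assumes each element carries its full group, pairwise and key-management fields.

```python
# Suite selector types used by both the WPA IE and the RSN (WPA2) IE.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # prefix of the vendor-specific WPA IE

def _suites(buf, off, names):
    """Read a 2-byte little-endian count, then that many 4-byte selectors."""
    end = off + 2 + 4 * int.from_bytes(buf[off:off + 2], "little")
    if off + 2 > len(buf) or end > len(buf):
        raise ValueError("truncated suite list")
    # The last byte of each selector is the suite type (the OUI is not checked).
    return [names.get(buf[i + 3], "unknown") for i in range(off + 2, end, 4)], end

def _parse_body(body):
    """Layout: version(2) | group suite(4) | pairwise list | AKM list."""
    if len(body) < 6:
        raise ValueError("truncated element")
    pairwise, off = _suites(body, 6, CIPHERS)
    akm, _ = _suites(body, off, AKMS)
    return {"group": CIPHERS.get(body[5], "unknown"), "pairwise": pairwise, "akm": akm}

def advertised_security(ies):
    """Walk the tagged elements (id, length, value) of a beacon body."""
    found, off = {}, 0
    while off + 2 <= len(ies):
        eid, length = ies[off], ies[off + 1]
        value = ies[off + 2:off + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if eid == 48:                                    # RSN element = WPA2
            found["WPA2"] = _parse_body(value)
        elif eid == 221 and value[:4] == WPA_OUI_TYPE:   # vendor-specific WPA
            found["WPA"] = _parse_body(value[4:])
        off += 2 + length
    return found

def audit(ies):
    """Flag mixed mode (both elements present) and any TKIP still advertised."""
    sec = advertised_security(ies)
    tkip = any("TKIP" in [s["group"], *s["pairwise"]] for s in sec.values())
    return {"mixed_mode": "WPA" in sec and "WPA2" in sec,
            "tkip_in_use": tkip, "elements": sec}

# Constructed sample: SSID "Corp1", then RSN and WPA elements for a
# mixed-mode Enterprise SSID (pairwise CCMP+TKIP, group TKIP, 802.1X).
SAMPLE_IES = bytes.fromhex(
    "00 05 43 6f 72 70 31"
    "30 18 0100 000fac02 0200 000fac04 000fac02 0100 000fac01 0000"
    "dd 1a 0050f201 0100 0050f202 0200 0050f204 0050f202 0100 0050f201")

if __name__ == "__main__":
    print(audit(SAMPLE_IES))
```

In the sample the group cipher is TKIP in both elements: a mixed-mode SSID has to protect broadcast and multicast frames with a cipher that WPA clients can also decrypt, so WPA2 clients that negotiate CCMP for unicast still receive group traffic under TKIP.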
Comparison of WPA and WPA2 Mode Types

Enterprise Mode (Business, Government, Education)
  WPA: Authentication: IEEE 802.1X/EAP
  WPA2: Authentication: IEEE 802.1X/EAP

Personal Mode (SOHO, Home/Personal)
In Enterprise mode of operation, both WPA and WPA2 use 802.1X/EAP for authentication. 802.1X provides WLANs with strong, mutual authentication between a client and an authentication server. In addition, 802.1X provides dynamic per-user, per-session encryption keys, removing the administrative burden and security issues surrounding static encryption keys. With 802.1X, the credentials used for authentication, such as logon passwords, are never transmitted in the clear, or without encryption, over the wireless medium. While 802.1X authentication types provide strong authentication for wireless LANs, TKIP or AES is needed for encryption in addition to 802.1X, since standard 802.11 WEP encryption is vulnerable to network attacks. Several 802.1X authentication types exist, each providing a different approach to authentication while relying on the same framework and EAP for communication between a client and an access point. Cisco Aironet products support more 802.1X EAP authentication types than any other WLAN products.
Another benefit of 802.1X authentication is centralized management for WLAN user groups, including policy-based key rotation, dynamic key assignment, dynamic VLAN assignment, and SSID restriction. These features rotate the encryption keys.
In the Personal mode of operation, a pre-shared key (password) is used for authentication. Personal mode requires only an access point and client device, while Enterprise mode typically requires a RADIUS or other authentication server on the network.
This document provides examples for configuring WPA2 (Enterprise mode) and WPA2-PSK (Personal mode) in a Cisco Unified Wireless network.