Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
132440
Views
8
Helpful
0
Comments

What is WPA mixed mode operation, and how do I configure it in my AP?

TCC_2
Level 10
Level 10

‎06-22-2009 05:11 PM - edited ‎11-18-2020 02:37 AM

 

 

Introduction

What is WPA mixed mode operation, and how do I configure it in my AP?

 

Resolution

WPA stands for Wi-Fi Protected Access. There are two versions of WPA: WPA and WPA2.

WPA is a standards-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs and provides enhanced protection from targeted attacks. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLANs in both enterprise and Small Office/Home Office (SOHO) environments. WPA uses Temporal Key Integrity Protocol (TKIP) for encryption. WPA is fully supported by the Cisco Wireless Security Suite and the Cisco Structured Wireless-Aware Network(SWAN).

WPA2 is the next generation of Wi-Fi security. It is the Wi-Fi Alliance's interoperable implementation of the ratified IEEE 802.11i standard. It implements the National Institute of Standards and Technology (NIST) recommended Advanced Encryption Standard (AES) encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 facilitates government FIPS 140-2 compliance, and it is fully supported by the Cisco Wireless Security Suite and by Cisco SWAN.

WPA and WPA2 mixed mode operation permits the coexistence of WPA and WPA2 clients on a common SSID. WPA and WPA2 mixed mode is a Wi-Fi certified feature. During WPA and WPA2 mixed mode, the Access Point (AP) advertises the encryption ciphers (TKIP, CCMP, other) that are available for use. The client selects the encryption cipher it would like to use and the selected encryption cipher is used for encryption between the client and AP once it is selected by the client.

The AP must support WPA2 mixed mode to use this option. This means it should have a G radio. These Cisco Aironet products support WPA2:

  • 1130AG series and 1230AG series APs support WPA2

     

       
  • Cisco Aironet 1100 series, 1200 series and 1300 series 802.11g radios support WPA2 with a Cisco IOS  Software upgrade through Cisco IOS Software Release 12.3(2)JA or later

 

To configure WPA or WPA2 mixed mode, perform these steps:

 

  • Go to > Security > Encryption Manager, and select AES CCMP+TKIP from the Ciphers drop down menu.

     

  • Make sure that your SSID is configured for WPA mandatory (not optional). Go to Security > SSID Manager, and select the SSID that should be used.

     

  • Scroll down to the Authenticated Key Management section and select Mandatory in the Key Management pull down menu. Also make sure to check the WPA box.

 

 

Comparison of WPA and WPA2 Mode Types

 

  WPA WPA2

Enterprise Mode (Business, Government, Education)
  • Authentication: IEEE 802.1X/EAP
  • Encryption: TKIP/MIC
  • Authentication: IEEE 802.1X/EAP
  • Encryption: AES-CCMP
Personal Mode (SOHO, Home/Personal)
  • Authentication: PSK
  • Encryption: TKIP/MIC
  • Authentication: PSK
  • Encryption: AES-CCMP

 

 

In Enterprise mode of operation both WPA and WPA2 use 802.1X/EAP for authentication. 802.1X provides WLANs with strong, mutual authentication between a client and an authentication server. In addition, 802.1X provides dynamic per-user, per-session encryption keys, removing the administrative burden and security issues surrounding static encryption keys.With 802.1X, the credentials used for authentication, such as logon passwords, are never transmitted in the clear, or without encryption, over the wireless medium. While 802.1X authentication types provide strong authentication for wireless LANs, TKIP or AES are needed for encryption in addition to 802.1X since standard 802.11 WEP encryption, is vulnerable to network attacks.Several 802.1X authentication types exist, each providing a different approach to authentication while relying on the same framework and EAP for communication between a client and an access point. Cisco Aironet products support more 802.1X EAP authentication types than any other WLAN products.

 

Supported types include

 

 

Another benefit of 802.1X authentication is centralized management for WLAN user groups, including policy-based key rotation, dynamic key assignment, dynamic VLAN assignment, and SSID restriction. These features rotate the encryption keys.

 

In the Personal mode of operation, a pre-shared key (password) is used for authentication. Personal mode requires only an access point and client device, while Enterprise mode typically requires a RADIUS or other authentication server on the network.

This document provides examples for configuring WPA2 (Enterprise mode) and WPA2-PSK (Personal mode) in a Cisco Unified Wireless network.

 

Problem Type

 

Configure / Configuration issues

Definitions

Technical product specification / features

Products

Access point

 

Security Options

CKIP / TKIP

WPA

Others

 

Reference

 

Wi-Fi Protected Access, WPA2 AND IEEE 802.11I

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents