
One SSID with multiple authentication methods


Have received a request from a customer to run both TKIP and AES encryption on the same SSID

From reading I believe this is not possible but can anyone confirm this please

Currently the config looks thus

dot11 ssid HELP

vlan 20

authentication open eap eap_methods

authentication network-eap eap_methods

authentication key-management wpa

authentication key-management wpa version 2  <<<<<<<<<<<<<<<<<<

<<<<< Trying to add wpa version 2 overwrites authentication key-management wpa so presume this confirms it can't be done >>>>>

Interface Dot11Radio0

encryption mode ciphers tkip

encryption vlan 20 mode ciphers aes-ccm tkip

Many Thanks
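
As an added example (not part of the original post and not Cisco tooling): a small Python audit that reads a config in the form shown above and reports, per SSID, which ciphers its VLAN offers, so SSIDs still offering TKIP can be tracked during a migration to AES. It recognizes only the command forms that appear in this post, the sample config is constructed, and it assumes an SSID bound to a VLAN uses that VLAN's cipher line.

```python
import re

# Constructed sample, modeled on the command forms shown in the post above.
SAMPLE_CONFIG = """\
dot11 ssid HELP
 vlan 20
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
interface Dot11Radio0
 encryption mode ciphers tkip
 encryption vlan 20 mode ciphers aes-ccm tkip
"""

def parse(config):
    """Return (ssids, ciphers): SSID name -> settings, VLAN or None -> cipher set."""
    ssids, ciphers, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if hit := re.fullmatch(r"dot11 ssid (\S+)", line, re.I):
            current = ssids.setdefault(hit[1], {"vlan": None, "key_mgmt": None})
        elif re.match(r"interface\s", line, re.I):
            current = None  # left the SSID block
        elif current is not None and (hit := re.fullmatch(r"vlan (\d+)", line, re.I)):
            current["vlan"] = int(hit[1])
        elif current is not None and (
                hit := re.fullmatch(r"authentication key-management (.+)", line, re.I)):
            current["key_mgmt"] = hit[1]  # a later line replaces an earlier one
        elif hit := re.fullmatch(r"encryption (?:vlan (\d+) )?mode ciphers (.+)", line, re.I):
            vlan = int(hit[1]) if hit[1] else None
            ciphers[vlan] = set(hit[2].lower().split())
    return ssids, ciphers

def audit(config):
    """One finding per SSID. Assumption: a VLAN-bound SSID uses that VLAN's cipher line."""
    ssids, ciphers = parse(config)
    findings = []
    for name in sorted(ssids):
        s = ssids[name]
        offered = ciphers.get(s["vlan"], set())
        if {"tkip", "aes-ccm"} <= offered:
            status = "mixed"  # both offered: interim migration state
        elif "tkip" in offered:
            status = "tkip-only"
        elif "aes-ccm" in offered:
            status = "aes-only"
        else:
            status = "no-cipher-line"
        findings.append({"ssid": name, "vlan": s["vlan"], "key_mgmt": s["key_mgmt"],
                         "ciphers": sorted(offered), "status": status})
    return findings
```
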


Marco Gonzalez


Cisco wireless products have the option to offer the wireless clients both encryption methods, TKIP and AES, and even WEP, on the same SSID. This can be configured in the GUI and CLI, but what you have to be aware of and careful about is that this is not the standard. Even though Cisco can offer this, some clients won't understand that; they will get confused and disconnect or just not be able to connect at all.

We are talking about encryption here not authentication so to answer your question: yes, you can configure several encryption methods on the same vlan but it is not a best practice and regarding authentication, it is not possible to configure different authentication methods on the same SSID.


Sent from Cisco Technical Support Android App

Hi Marco, thanks very much for your reply.

Apologies, yes, I meant encryption.

So, as it stands, VLAN20 is offering both TKIP & AES

Will this mean existing TKIP clients will not notice any change and those with AES enabled on their wireless devices now be able to access this SSID without any issue

You have to understand the standards... WPAv1 uses TKIP and WPAv2 uses AES. So clients configured for WPA/TKIP will not connect to an ssid with WPA2/TKIP. Apple devices are notorious for not working with both enabled and it would be something you would need to test.

Sent from Cisco Technical Support iPhone App

*** Please rate helpful posts ***

Hi Scott, yes, the customer has asked for both as they have a mix of old and new users and this is to cover the interim period while they migrate all users onto AES

Since adding aes-ccm to the command line ......  encryption vlan 20 mode ciphers tkip ...... legacy users are still able to connect but those new users using AES still cannot connect

Is there any need for additional configuration or should the clients using AES simply be able to access the SSID

I am not sure exactly what devices these are ...  laptops, tablets or mobile phones ?
