Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
585
Views
0
Helpful
4
Replies

One SSID with muptiple authentication methods

NIGEL PAYNE
Level 1
Level 1

‎11-05-2013 06:19 PM - edited ‎07-04-2021 01:13 AM

Have received a request from a customer to run both TKIP and AES encryption on the same SSID

From reading I believe this is not possible but can anyone confirm this please

Currently the config looks thus

dot11 ssid HELP

vlan 20

authentication open eap eap_methods

authentication network-eap eap_mtheods

authentication key-management wpa

authentication key-management wpa version 2  <<<<<<<<<<<<<<<<<<

<<<<< Trying to add wpa version 2 overwrites uithentication key-management wpa so presume this confirms it can't be done >>>>>

Interface Dot11Radio0

encryption mode ciphers tkip

encrytption vlan 20 mode ciphers aes-ccm tkip

Many Thanks

Labels:
0 Helpful
4 Replies 4

Marco Gonzalez
Level 1
Level 1

‎11-05-2013 06:59 PM

Hello

Cisco wireless products have the option to offer to the wireless clients both encryption methods, TKIP and AES and even WEP on the same SSID. This can be configured on the GUI and CLI but what you have to be aware and be careful is that this is not the standard. Even though Cisco can offer this, some clients won't understand that, they will get confused and disconnect or just not be able ro connect at all.

We are talking about encryption here not authentication so to answer your question: yes, you can configure several encryption methods on the same vlan but it is not a best practice and regarding authentication, it is not possible to configure different authentication methods on the same SSID.

Regards,

Sent from Cisco Technical Support Android App

0 Helpful

NIGEL PAYNE
Level 1
Level 1
In response to Marco Gonzalez

‎11-05-2013 07:09 PM

Hi Marco, thanks very much for your reply.

Apologies, yes, I meant encryption.

So, as it stands, VLAN20 is offeirng both TKIP & AES

Will this mean existing TKIP clients will not notice any change and those with AES enabled on their wireless devices now be able to access this SSID without any issue

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to NIGEL PAYNE

‎11-05-2013 07:15 PM

You have to understand the standards... WPAv1 uses TKIP and WPAv2 uses AES. So clients configured for WPA/TKIP will not connect to an ssid with WPA2/TKIP. Apple devices are notorious for not working with both enabled and it would be something you would need to test.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

NIGEL PAYNE
Level 1
Level 1
In response to Scott Fella

‎11-05-2013 07:25 PM

Hi Scott, yes, the customer has asked for both as they have a mix of old and new users and this is to cover the interim period while they migrate all users onto AES

Since adding aes-ccm to the command line ......  encryption vlan 20 mode ciphers tkip ...... legacy users are still able to connect but those new users using AES still cannot connect

Is there any need for additional configuration or should the clients using AES simply be able to acees the SSID

I am not sure exactly what devices these are ...  laptops, tablets or mobile phones ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card