Re: WEP and EAP on same SSID!

cphelan · ‎07-14-2005

OK - Big problem! We have recently upgraded some 1220 access points from VxWorks to IOS 12.2(15). The problem now is that we can have either WEP only devices authenticate or EAP devices authenticate but not both! Somehow VxWorks does not have this problem. If you look at this config:

ssid monday

authentication open

authentication network-eap eap_methods

so WEP only devices can now associate and Cisco EAP (LEAP) devices can authenticate. But non-Cisco, at least Intel cards, cannot EAP because of open authentication.

Change this to:

ssid monday

authentication open eap eap_methods

authentication network eap eap_methods

Intel card devices can EAP, Cisco card devices can LEAP. Cisco devices with WEP only cannot associate!

I have tried playing with the AAA default command as I can see non-Cisco devices in the former config attempting to authenticate but I think because the authentication is open - it just won't work regardless that I have defaulted to the correct radius group!!!

I do not believe the IOS version is an issue - the question is what is VxWorks doing that IOS is not? And is there a work around?

All ideas greatly appreciated...

Thanks

dsidley · ‎07-18-2005

You are correct with your assumptions on Open with or without eap_methods. You don't mention what encryption mode you are using. Typically older devices that were compatible with EAP authentication used LEAP with WEP encryption. Newer devices obviously conform to either WPA 1 or WPA 2.

try adding the following to interface d0.....

encryption mode ciphers tkip wep128

This allows me to connect devices using both WPA and WEP 128 bit encryption.