cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
95100
Views
64
Helpful
34
Replies

WPA and WPA2 - both using TKIP and AES??

dazza_johnson
Level 5
Level 5

Hi all. My understanding is the following;

TKIP + 802.1x                =            WPA(1)

CCMP(AES) + 802.1x     =             WPA2

However, I notice on the Cisco WLCs that you can configure;

WPA with TKIP and/or AES (by default TKIP is enabled)

WPA2 with TKIP and/or AES (by default AES is enabled)

My questions;

  1. Why would you use WPA2 with TKIP *AND* AES?
  2. What would you use WPA and WPA2 with both using TKIP *AND* AES?

Thanks in advance for the clarifications

Darren

34 Replies 34

Amjad Abdullah
VIP Alumni
VIP Alumni

Hi Darren,

Your understanding is partially correct for the WPA and WPA2.

WPA supports TKIP(RC4). However, although not common, some later WPA certified cards support AES. (I've never seen this in practice in my life though. but others may faced it).

WPA2 supports CCMP(AES). However, TKIP is still supported for backward compatibility.

If one enabled WPA2 with both TKIP and AES on an access point this means that the client can connect using either TKIP or AES.

Also, WPA1/WPA2 not only work with 802.1x. PSK is also supported where you configure a pass phrase if you don't have a radius server.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Hi there, thanks for the reply.

Regarding the comment below, I just checked my Windows 7 wireless supplicant and it supports TKIP or AES for all WPA types; WPA-PSK, WPA2-PSK, WPA-Enterprise and WPA2-Enterprise.

"WPA supports TKIP(RC4). However, although not common, some later WPA certified cards support AES. (I've never seen this in practice in my life though. but others may faced it)."

I understand TKIP and AES as concepts. But, what makes WPA-TKIP different to WPA2-TKIP? Same with AES, what makes WPA-AES different to WPA2-AES? Does the WPA2 version introduce additional features - MIC, extended key size, etc - that WPA doesn't........??

Be keen to hear more thoughts.

Darren

Darren:


WPA2-TKIP and WPA-TKIP are the same. WPA2 maintains support for TKIP for backward compatibility.

WPA-TKIP is normal. What - I think - the strange to see is WPA-AES because at the time of WPA there was no AES.

I am not aware about any special difference between the two. Devices that support WPA-TKIP though does not support AES because hardware limitations.

I think before fully ratifying and agreeing on 802.11i, there were vendors providing WPA chipsets that supports AES. Those need not necessarily be fully compatible with ratified 802.11i (WPA2), but they still support AES as encryption.

I will be also happy to hear from others about what they think.

Amjad

Rating useful replies is more useful than saying "Thank you"

Bty, your windows supplicant, you will be using WPA2 certified client adapter.

What I never seen is a WPA clients with AES capable. i.e. AES capable client that was made before formally agreeing on the AES standard.

Rating useful replies is more useful than saying "Thank you"

OK, so there is NO difference in WPA-TKIP and WPA2-TKIP. That is what you said, so I wonder why Cisco let you configure both independantly on the wireless controllers????

I agree with WPA-AES - what is that all about

You can also configure on Windows 7.....

Very confusing....

Very confusing: Yes it is. I agree.

But you can consider it normal situation that is by default on most devices:

WPA2 - AES.

WPA - TKIP.

This is by default.

now, WPA2-TKIP: can be used if your client does not support AES while you want other AES capable clients connect to the same SSID. So you enable WPA2 with both AES and TKIP.

for WPA if you use TKIP that is normal. If you use WPA-AES then this is for devices that that supports AES before ratifying WPA2 (it may work with ratified version though).

If a WPA vendor (AP) used AES, you can configure your client to use WPA-AES.

You know what? I think it will work if you try to connect a client confnigured for WPA-AES to a WLAN configured for WPA2-AES (not WPA-AES).
I can't give it a try in production. But I may try it later.

You try it if you have a test AP and let us know

Rating useful replies is more useful than saying "Thank you"

I had the chance to try it now on cisco WLC.

WPA2-AES SSID and WPA-AES client - Does not work.

WPA-AES SSID and WPA2-AES client - Does not work.

:-/

Rating useful replies is more useful than saying "Thank you"

Thanks for testing, i guess that proves that there IS a difference between WPA-AES and WPA2-AES. There must be some fields that are different in some way.... So, can you test if a client in WPA-TKIP can connect to WPA2-TKIP SSID? This will prove the backward compatibility of TKIP that you mentioned before....

Thanks for the collaboration so far :-)

Yes. you are correct.
I brough the correct answer to you after collecting wireless sniffer capture.

For WPA2, therei s a field in the 802.11 packet that is called RSN information element. This is not available in WPA.

So, if your clients are old (before WPA2) but they can use AES, you need to use WPA-AES with them because if you use WPA2-AES they will fail to connect because of the RSN information in the packet that they do not understand.

Wireless Beacon Packet that uses WPA-AES:

Wireless Beacon Packet for a WLAN that is using WPA2-AES:

To Answer: Why windows 7 has the ability to connect to WPA-AES, this is because if the vendor (the AP) supports only WPA (not WPA2) and also supports AES.

I hope this answers the questoin.

Amjad

Rating useful replies is more useful than saying "Thank you"

Just to add my 2 cents, I never would setup a WLAN for both at the same time. So for basics... You have devices like windows 7 that you can configure a profile using various methods (wpa-aes, wpa-tkip, etc). Sometimes that does work, but here is the catch. Some client give you only the option to choose WPA-PSK, which means WPA-TKIP, WPA-ENTERPRISE, which means WPA-802.1x, WPA2-PSK, which is WPA2-AES and WPA2-ENTERPRISE, which is WPA2-802.1x. So you see what is the default encryption method is and why it doesn't work all the time when you mix it up.

Also, many devices don't like when you have both WPA-TKIP and WPA2-AES configured in a WLAN. This I know from being on the field

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

Scott couldnt be more right. In fact, older and some newer clients freak out when they see more than 1 RSN element. While other devices, like the cisco wifi phones, will actually pick the more secure security setting when more than 1 RSN is offered.

I just had a situation were we upgarded a network and allowed WPA/TKIP and WPA2/AES Enterprise on a SSID. The Silex bridges refused to asscoaite and only would when 1 RSN was offered. While all the other devices worked fine.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

+5 Scott!

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Only WPA-tkip & wpa2-aes are tested & certified as part of wifi certification, Enabling both mode is not tested as well.

Enabling both WPA-tkip & wpa2-aes should be avoided on infrastructure device when there is decrypt issues because some clients can't do well on mixed mode(which is not a standard). however, it works well with specific vendor infrastructure and their own clients Ex: cisco phone on cisco wlc, Motorola handhelds with their controllers goes well since this combination is tested in their respective labs.

By enabling all possible WPA & WPA2 on WLAN would burden the cpu of AP to specifically encrypt & decrypt them & it should be avoided on high density deployment.

Thanks guys for the comments.

I have always left WPA-TKIP and WPA2-AES enabled as per the defaults, I asked this question more out of curiousity.

As per the excellent work by Amjad, WPA2 includes the RSN information element. Therefore the difference between the WPA-AES and WPA2-AES is the content of the RSN information element. I will have to read the 802.11i standard to understand the value that this gives to us......

Thanks for the comments guys.

Review Cisco Networking for a $25 gift card