06-26-2012 10:41 PM - edited 07-03-2021 10:21 PM
Hi all. My understanding is the following;
TKIP + 802.1x = WPA(1)
CCMP(AES) + 802.1x = WPA2
However, I notice on the Cisco WLCs that you can configure;
WPA with TKIP and/or AES (by default TKIP is enabled)
WPA2 with TKIP and/or AES (by default AES is enabled)
My questions;
Thanks in advance for the clarifications
Darren
07-06-2012 06:19 PM
Also, many devices don't like when you have both WPA-TKIP and WPA2-AES configured in a WLAN.
Like iDevices.
07-07-2012 03:18 AM
One thing that I found about IE:
on WLC CLI when I want to see the WLAN configuration (show wlan
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Disabled
Cisco writes explicitly that with WPA the SSN is used, while RSN is used with WPA2 with either AES or TKIP.
06-28-2012 04:51 AM
Here is a good read
https://learningnetwork.cisco.com/thread/4143
Sent from Cisco Technical Support iPhone App
07-02-2012 07:56 PM
Hi all. I have re-read the comments in the post and looked at the links provided - all of which have been very useful. We know that the packet structure of WPA differs from WPA2 with the RSN information element.
I have also done private research on this using Cisco books and the internet. I have deduced a conclusion. I have not read anything that explicitly backs up my theory, but it makes sense to me.
I'd be very interested to hear your comments guys. TKIP translates to WPA(1) and CCMP translates to WPA2 for the purpose of this post.
TKIP itself (put to one side PSK and 802.1x for simplicity) is a method of creating a 'secure' WEP seed. I think most of us will agree with this. In addition, it offers more security features - a hash, etc. So, TKIP has a mechanism to create a secure WEP seed AND has a new packet format. What do we do with this WEP seed? By default, the secure WEP seed is fed into the RC4 algorithm to generate the encryption key which is used to encrypt the user data. This encrypted data is then inserted into the TKIP packet.
BUT, if the AES algorithm was selected then I believe that the secure WEP seed would be fed into the AES algorithm to generate the key which is used to encrypt the user data. In other words, with TKIP the actual encryption can be either RC4 (the default) or AES - hence the options available on the controller......
Similarly, CCMP is the overall framework with its own frame format. The encryption algorithm that you decide to use is up to you - either AES or RC4. Obviously, the way the encryption key is generated follows the CCMP protocol, but once you have this key I believe you can then use AES or RC4 to actually create the cipher text (encrypted data) and insert this into the CCMP packet.
If my theory above is correct, I believe the WLAN controller GUI is not accurate. It should be as per the attached screenshot;
I'm tempted to open a TAC case on this for the official low-down.....
07-02-2012 08:13 PM
dazza,
Try to look at it also from other vendors. Most, if not all, specify WPATkip or WPA2AES. I don't think personally there is anything wrong, it's just the way it has been for a long time :) Here is a thread with Eric N from TAC, explaining the difference between wpa and wpa2.
Sent from Cisco Technical Support iPad App
07-02-2012 08:19 PM
Hi Scott. When the other vendors specify WPA/TKIP and WPA2/AES - is that simply because they only support the defaults (WPA with RC4 and WPA2 with AES)??? Maybe they don't support WPA with AES for example, or WPA2 with RC4 like Cisco do.....??
07-02-2012 08:29 PM
Well the thing is, there are vendors like Microsoft and some handheld devices that give you all the options. Now most of the time it's the OS that allows you to specify it, but who knows what the actual wireless card can do. I understand what you are saying, but just imagine if they were to change that... Soooo many people would get confused :). At least you have an understanding of both.
Sent from Cisco Technical Support iPhone App
07-02-2012 08:19 PM
Little confused by the term "WEP seed". But it's funny you mention this because I would tend to agree with you, on a few items.
Lets get back to basics.
WPA and WPA2 as far as a process are identical. The 802.11-2007 standard tells us that WPA2 should use AES or TKIP. Both are considered RSN. Although most sniffers will not show the RSN element when TKIP is used.
The Wi-Fi Alliance implemented WPA TKIP because WEP was broken, hence why you see WPA in devices today. At that time devices (chips) couldn't handle AES.
TKIP and CCMP are both protocols that encrypt data. The algorithms they use are TKIP (RC4) and CCMP (AES). RC4 is a stream cipher and AES is a block cipher.
Folks normally don't get this deep. Are you studying for something?
07-02-2012 08:30 PM
Hi George. The 'WEP Seed' is used in the Cisco book I'm using that talks about TKIP. In WEP the WEP seed was created using the IV (24-bit) + WEP key (40-bit or 104-bit), that was then fed into RC4 to generate the encryption key. In TKIP, a much more convoluted process is used to generate the resultant 128-bit WEP Seed, which is then fed into the RC4 process....
I agree with the back to basics sentences you write. I'm just trying to get a handle on how AES fits in with WPA and TKIP with WPA2...... If using WPA with AES and WPA2 with AES what is the difference? Packet structure? Generation of the encryption key?
I'm really interested in Cisco wireless security, hence why I am being so anal about this query. I have opened a TAC case because a customer enquired about this recently... I will let you know the result!
07-02-2012 08:58 PM
What book are you reading the 802.11 Wireless Security book from 2004?
I agree with the back to basics sentences you write. I'm just trying to get a handle on how AES fits in with WPA and TKIP with WPA2...... If using WPA with AES and WPA2 with AES what is the difference? Packet structure? Generation of the encryption key?
WPA and WPA2 are identical for all intents and purposes. No one has or could point out to me the difference.
Standard (which means what vendors should follow, but sometimes don't) states WPA2 AES, but TKIP (optional). Both are RSN.
Let me further add, why are AES and TKIP RSN? It's because they share mutual authentication (4-way handshake).
You ever read the CWSP ?
07-02-2012 09:02 PM
BTW ---
I do the same. If I read something and it doesn't make sense and we have SmartNet --- TAC CASE ..
07-02-2012 11:53 PM
George Stefanick wrote:
WPA and WPA2 as far as a process are identical. The 802.11-2007 standard tells us that WPA2 should use AES or TKIP. Both are considered RSN. Although most sniffers will not show the RSN element when TKIP is used.
George:
When using WPA2-TKIP the RSN element is there:
When using WPA with either AES or TKIP, no RSN IE appears.
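To make the point of the two posts above (the "WPA (SSN IE)" / "WPA2 (RSN IE)" lines in show wlan, and the observation that WPA2-TKIP still carries an RSN IE while WPA with either cipher does not) concrete, here is an added example that is not part of the original thread. It walks the tagged information elements of an 802.11 beacon body and decodes the two security IEs: the pre-standard WPA IE (vendor-specific element 221 with OUI 00:50:F2, type 1) and the standard RSN IE (element 48). The suite-selector numbers follow the 802.11 standard (00-0F-AC for RSN) and the WPA specification (00-50-F2), and the three beacon bodies are constructed by hand for the example, not captured from a real controller.

```python
"""Decode the WPA (SSN) IE and the RSN IE from an 802.11 beacon body.

Added example. The beacon bodies at the bottom are constructed by hand,
not captured, and the names below are not from the original thread.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 suite selectors (RSN IE, element 48)
WPA_OUI = b"\x00\x50\xf2"   # Microsoft OUI used by the pre-standard WPA IE

RSN_CIPHERS = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128",
               5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
WPA_CIPHERS = {0: "none", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
RSN_AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
            5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
WPA_AKMS = {1: "802.1X", 2: "PSK"}


@dataclass
class SecurityIE:
    kind: str                  # "WPA" (SSN IE) or "RSN"
    version: int
    group_cipher: str
    pairwise_ciphers: List[str]
    akms: List[str]

    def label(self) -> str:
        """Name the IE the way 'show wlan' names the two families."""
        name = "WPA2 (RSN IE)" if self.kind == "RSN" else "WPA (SSN IE)"
        return "%s group=%s pairwise=%s akm=%s" % (
            name, self.group_cipher, "+".join(self.pairwise_ciphers), "+".join(self.akms))


def iter_ies(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the tagged-parameter list: 1-byte element ID, 1-byte length, value."""
    pos = 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated IE %d at offset %d" % (eid, pos))
        yield eid, value
        pos += 2 + length


def _suite(raw: bytes, oui: bytes, table: dict) -> str:
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if len(raw) != 4:
        raise ValueError("truncated suite selector")
    if raw[:3] != oui:
        return "vendor:" + raw.hex()
    return table.get(raw[3], "unknown(%d)" % raw[3])


def _parse_suites(kind: str, body: bytes, oui: bytes, ciphers: dict, akms: dict) -> SecurityIE:
    """Version, group suite, pairwise list, AKM list: the same layout in both IEs."""
    if len(body) < 6:
        raise ValueError("%s IE too short" % kind)
    version = struct.unpack_from("<H", body, 0)[0]
    group = _suite(body[2:6], oui, ciphers)
    pos, lists = 6, []
    for table in (ciphers, akms):
        if pos + 2 > len(body):
            raise ValueError("%s IE missing suite count" % kind)
        count = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        lists.append([_suite(body[pos + 4 * i:pos + 4 * i + 4], oui, table) for i in range(count)])
        pos += 4 * count
    return SecurityIE(kind, version, group, lists[0], lists[1])


def parse_security_ies(body: bytes) -> List[SecurityIE]:
    """Return every WPA and RSN IE found in the beacon body, in beacon order."""
    found = []
    for eid, value in iter_ies(body):
        if eid == 48:                                   # RSN IE
            found.append(_parse_suites("RSN", value, RSN_OUI, RSN_CIPHERS, RSN_AKMS))
        elif eid == 221 and value[:4] == WPA_OUI + b"\x01":   # vendor-specific, WPA type 1
            found.append(_parse_suites("WPA", value[4:], WPA_OUI, WPA_CIPHERS, WPA_AKMS))
    return found


# Constructed beacon bodies: SSID "test", one supported rate, then the security IE(s).
SSID_AND_RATES = bytes.fromhex("0004" "74657374" "0101" "82")
WPA_IE_TKIP_DOT1X = bytes.fromhex(
    "dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f201")
RSN_IE_CCMP_DOT1X = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
RSN_IE_TKIP_PSK = bytes.fromhex(
    "3014" "0100" "000fac02" "0100" "000fac02" "0100" "000fac02" "0000")

BEACON_WPA_TKIP = SSID_AND_RATES + WPA_IE_TKIP_DOT1X                 # WPA: SSN IE only
BEACON_WPA2_TKIP = SSID_AND_RATES + RSN_IE_TKIP_PSK                  # WPA2 with TKIP: still an RSN IE
BEACON_MIXED = SSID_AND_RATES + RSN_IE_CCMP_DOT1X + WPA_IE_TKIP_DOT1X  # WPA and WPA2 on one WLAN

if __name__ == "__main__":
    for name, beacon in (("WPA/TKIP", BEACON_WPA_TKIP), ("WPA2/TKIP", BEACON_WPA2_TKIP),
                         ("WPA+WPA2 mixed", BEACON_MIXED)):
        print(name)
        for ie in parse_security_ies(beacon):
            print("  " + ie.label())
```

The mixed beacon is the WPA-TKIP plus WPA2-AES WLAN mentioned earlier in the thread: both IEs are advertised in the same frame, which is exactly what a client has to cope with when both are enabled. Point the parser at the IE bytes from a real capture (everything after the fixed beacon fields) to check what an AP is actually announcing rather than what the GUI labels say.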
07-03-2012 04:24 AM
Amjad
How are ya buddy? My mention is that not all sniffers will state that. It looks like the one you are using does.
Sent from Cisco Technical Support iPhone App
07-03-2012 04:47 AM
Hey George, I am doing great. what about you?
I got your idea. thanks for explanation.
BTW, I sent you a private message two days ago, have you seen it?
07-06-2012 02:33 PM
Amjad -- Sorry I didn't see your post till now. I responded ...