
WPA and WPA2 - both using TKIP and AES??

dazza_johnson
Level 5

Hi all. My understanding is the following:

TKIP + 802.1x = WPA(1)

CCMP(AES) + 802.1x = WPA2

However, I notice on the Cisco WLCs that you can configure:

WPA with TKIP and/or AES (by default TKIP is enabled)

WPA2 with TKIP and/or AES (by default AES is enabled)

My questions:

  1. Why would you use WPA2 with TKIP *AND* AES?
  2. Why would you use WPA and WPA2 with both using TKIP *AND* AES?

Thanks in advance for the clarifications

Darren


fbarboza
Level 4

Hi Darren,

The WLC allows you to configure any combination.

This may or may not work, depending on whether your wireless clients support it and understand it.

But to avoid compatibility issues between the different brands of wireless clients and access points, the Wi-Fi Alliance stated that we should use:

WPA version 1 or WPA with the cipher of TKIP to encrypt the traffic.

WPA version 2 with the cipher of AES to encrypt the traffic.

Any other option may or may not work depending on the wireless clients.

Hi guys, I feel like I have reached a solid answer on this one and I can put it to bed.

First of all, as per previous posts, it is advisable to only enable TKIP with WPA and AES with WPA2. Otherwise, there may be problems with other clients connecting.

My summary of what I have learned (feel free to point out anything you feel is wrong):

  • AES is REQUIRED for 802.11n speeds. This is because the encryption is performed in hardware (TKIP is performed in software and hence doesn't support 802.11n).
  • WPA2 supports AES and optionally TKIP.
  • In some way, TKIP is a more complex version of WEP! It is based on the RC4 algorithm but uses much stronger keying material and offers additional security features (i.e. anti-replay).
  • AES is considered more secure than TKIP (RC4).
  • You 'can' run AES with WPA 'if' both the client and AP support it.
  • You 'can' run TKIP with WPA2 'if' both the client and AP support it.
  • What's the difference between WPA and WPA2? WPA has a WPA-IE (Information Element) included with management frames. WPA2 has an RSN-IE included with management frames. The structure and contents of these IEs are DIFFERENT. This is why a WPA-AES client cannot associate with a WPA2-AES AP - because the IEs are different.
  • The purpose of a WPA IE is generally the same as an RSN IE, but a few fields are changed or omitted.
  • The WPA2 RSN-IE supports things like PMKID to support fast roaming (the WPA-IE doesn't).
  • What's the difference between WPA-AES and WPA2-AES? As per the above, the main difference is the presence of different IEs. WPA2-AES devices support fast roaming, whereas WPA-AES devices wouldn't (the WPA-IE doesn't provide the PMKIDs that are used for fast roaming).
  • It could be argued that there is only a slight security enhancement from WPA-AES to WPA2-AES. The encryption is the same, however there are additional fields such as the PMKID to support fast roaming. In addition, AES support is limited with WPA but commonplace with WPA2.

I hope this helps you guys. Thanks for all the previous replies, you have all helped me learn a lot about this.

Darren
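As an added illustration of the WPA-IE versus RSN-IE distinction in the summary above (this is not code from any poster in the thread): a small Python decoder that walks the tagged parameters of a beacon or probe response and reports, per IE, the protocol version, group/pairwise ciphers and AKM suites it advertises, so a defender can verify that an SSID really offers only the combinations intended. The sample frame bytes are constructed, not captured; the field layouts assumed are the IEEE 802.11 RSN IE (element ID 48, OUI 00:0F:AC) and the WPA1 vendor IE (element ID 221, OUI 00:50:F2, type 1).

```python
import struct

# Suite OUIs and selector values as used by the RSN IE and the WPA vendor IE.
RSN_OUI = b"\x00\x0f\xac"
WPA_OUI = b"\x00\x50\xf2"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP(AES)", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _parse_suites(body, oui):
    """Decode version, group cipher, pairwise list and AKM list (same layout
    in both IEs once the WPA IE's OUI/type prefix has been stripped)."""
    version = struct.unpack_from("<H", body, 0)[0]
    pos = 2
    group = body[pos:pos + 4]; pos += 4
    n_pair = struct.unpack_from("<H", body, pos)[0]; pos += 2
    pairwise = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(n_pair)]; pos += 4 * n_pair
    n_akm = struct.unpack_from("<H", body, pos)[0]; pos += 2
    akms = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(n_akm)]; pos += 4 * n_akm
    def name(s, table):
        return table.get(s[3], "unknown") if s[:3] == oui else "vendor:" + s.hex()
    info = {"version": version, "group": name(group, CIPHERS),
            "pairwise": [name(s, CIPHERS) for s in pairwise],
            "akm": [name(s, AKMS) for s in akms]}
    if pos + 2 <= len(body):   # capabilities field (present in the RSN IE)
        info["rsn_caps"] = struct.unpack_from("<H", body, pos)[0]; pos += 2
    if pos + 2 <= len(body):   # PMKID count: only the RSN IE can carry this
        info["pmkid_count"] = struct.unpack_from("<H", body, pos)[0]
    return info

def parse_security_ies(tagged):
    """Walk ID/length/value tagged parameters; return {'WPA': ..., 'RSN': ...}."""
    out, pos = {}, 0
    while pos + 2 <= len(tagged):
        eid, ln = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + ln]
        pos += 2 + ln
        if eid == 48:                                   # RSN IE -> WPA2
            out["RSN"] = _parse_suites(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":  # WPA vendor IE
            out["WPA"] = _parse_suites(body[4:], WPA_OUI)
    return out

# Constructed sample: SSID "guest", WPA/TKIP with 802.1X, plus WPA2/CCMP with PSK.
SAMPLE = (b"\x00\x05guest"
          b"\xdd\x16\x00\x50\xf2\x01\x01\x00\x00\x50\xf2\x02\x01\x00\x00\x50\xf2\x02"
          b"\x01\x00\x00\x50\xf2\x01"
          b"\x30\x14\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02"
          b"\x00\x00")

if __name__ == "__main__":
    for proto, info in parse_security_ies(SAMPLE).items():
        print(proto, info)
```

Running it on the sample shows a mixed-mode SSID: the WPA IE advertises TKIP and the RSN IE advertises CCMP, which is exactly the dual-profile situation the thread discusses.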

If I could add:

802.11n could support TKIP, but the IEEE is trying to make networks more secure by saying, if you have N speeds we are going to make sure you secure your network properly.

WPA2-AES supports (2) roaming methods: PMK Cache and Preauthentication.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I currently work for AT&T and I had to use both at some point due to old computers and old software that don't support WPA2. I used the WLC with LAP and it works like a charm. I would use WPA2 + AES personally. More security.

What you should do is create two profiles with the same SSID. That is the preferred way to have an SSID with multiple encryption methods.

WLAN Profile 1: SSID1, WPA/TKIP

WLAN Profile 2: SSID1, WPA2/AES

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott