
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 05:54 AM - edited 07-03-2021 09:01 PM
I have about 30 or so autonomous AP's installed on our campus. Half are 1141n and half are 1231 with radios that cannot do wpa2. Right now we are running ciphers tkip and autherntication wpa on all units.
I would like to change ciphers to aes-ccm on all units and change to wpa2 on the 1141n units but retain wpa on the older 1131's because they are not capable of wpa2.
Will clients be able to roam seemlessly around the campus without having to manually re-associate whenever they move from a 1141n unit to 1231 unit given the proposed change listed above?
Solved! Go to Solution.
- Labels:
-
Wireless Security
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 07:09 AM
Hello John,
i would say this will differ based on client software itself.
however i see you concerned as some old AP's will not have WPA version 2 commands under SSID.
can you please check in one of these old AP's , under the radio
conf t
interface dot11radio X
encryption mode cipher AES ( is this command availble)?
if yes , i believe it should be find if you do WPAv2 -AES on 1140 , and 1230 with AES encryption.
Kind regards
Talal
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 06:33 AM
Hello John,
for clients to be able to roam seamlessly , then it is must to have same settings on SSID and same encryption under radio.,
if these settings are different according to AP model , then roaming will break and client will re-associate.
Kind regards
Talal
===
Don't forget to rate answers that you find useful
please rate answers that you find useful , and mark as answered - when it is :-) - so others can find it easily

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 07:01 AM
Talal
Thanks for the answer.
I used the wording "roam seemlessly" but what I am really concerned about is the ability to re-associate without the user having to manually select something on the device/laptop. Our users are use to just walking around the campus with their laptops to another building and re-associating without any intervention on their laptops.
Would they re-associate without having to select something?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 07:09 AM
Hello John,
i would say this will differ based on client software itself.
however i see you concerned as some old AP's will not have WPA version 2 commands under SSID.
can you please check in one of these old AP's , under the radio
conf t
interface dot11radio X
encryption mode cipher AES ( is this command availble)?
if yes , i believe it should be find if you do WPAv2 -AES on 1140 , and 1230 with AES encryption.
Kind regards
Talal

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 07:16 AM
Here is the config from the older 1231 unit.
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 103 mode ciphers aes-ccm
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 07:37 AM
Hello John,
as you have encryption AES on 1230 , it would work fine.
because with old AP's we were doing WPA1 or 2 based on encryption
if TKIP selected ->> WPA1
if AES ->> WPA2
while WPA version 2 command was not availble on SSID Level.
in summary , it would work fine ;o)
Kind regards
Talal
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 07:26 AM
Talal,
+5 you are right on target with your responses.
___________________________________________________________
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 07:35 AM
thanks George :-)
