09-12-2018 09:23 AM - edited 07-05-2021 09:10 AM
Hello,
My client cannot get his TKIP clients to work on 2802 APs on an SSID configured with WPA + TKIP and WPA2 + AES, even though the documentation says they should.
We found a workaround, but I was wondering when I could tell the client that these old protocols would no longer be supported by Cisco (as we could not get them to work on these APs anyway).
Do you happen to have any information on this?
Thank you
Anne
Technical Support
09-12-2018 01:48 PM
Hi
See below
Does this product support TKIP?
Customers should be discouraged from running legacy TKIP as that feature has been deprecated by the Wi-Fi Alliance. Cisco understands there are healthcare customers using legacy equipment with a need for TKIP support. The 1830, 1850, 2800 and 3800 do not currently support TKIP but there are plans to support it in the 8.3MR1 release.
HTH
Rasika
*** Pls rate all useful responses ***
09-13-2018 01:12 AM
Hello,
Thank you both for your answers.
I had read your response before, Rasika, when I looked for information about this, and upgraded my client's controller to v 8.3.141. (I am a fan of your blog, by the way ;) ) But it is not working any better.
It might be due to 802.1x being used on the SSID; as Leo suggested, I will test in the lab with PSK instead.
I was wondering, when the documentation says:
Note: WPA +TKIP and TKIP + AES protocols are supported.
Does it mean WPA + TKIP alone on the SSID should work, or that I necessarily need to have WPA+TKIP+WPA2+AES on the SSID?
Anne
09-13-2018 04:01 AM
@liboucher wrote:
as Leo suggested, I will test in the lab with PSK instead.
It's Private PSK (and not just "PSK"). It's a new standard and feature.
09-12-2018 03:37 PM
09-13-2018 06:30 AM
The issue with WPA/TKIP is that clients will not be able to connect using 802.11ac, as WPA2/AES is a requirement. When migrating off WPA/TKIP to WPA2/AES, you don’t just add this to an existing WLAN, but instead you create a new WLAN that has the same SSID, but a different WLAN profile name. Then you start to migrate devices that support WPA2/AES to that new SSID.
The problem with adding WPA2/AES or just changing what was there is that clients will end up failing because they can only perform one type of encryption. Since the customer devices are already using WPA/TKIP, you need to not introduce AES.
If the devices don’t connect to WPA/TKIP after an upgrade, then this should have been tested out prior and called out as a risk. Older devices that are in production have a risk of not working well with upgraded code or equipment because at times “something” changes. This is why updating device drivers is important when moving away from old wireless hardware to new.
Your best bet is to create a new WLAN, make sure the drivers in laptops and/or other devices are the latest, or call out the risk and migrate to WPA2/AES.