03-12-2015 10:41 PM - edited 07-05-2021 02:42 AM
Hi all,
For compatibility reasons I used to enable both protocols on all the access points I prepared for customers of mine, both lightweight ones and standalone ones.
Now, as you all know, not only is it not best practice, but on the latest Cisco products enabling both AES and TKIP on the same SSID causes a lot of trouble.
I'm educating customers to get rid of old tkip only devices in order to remove it from configurations on wlc's and standalone ap's, but it's not always that easy, customers need time.
I read that a solution on the WLC could be to create two WLANs with the same SSID, one AES and the other TKIP, but on the latest releases it seems it is not allowed to create any SSID with WPA1-only encryption.
On standalone ap's creating two ssid's on same vlan/interface is not allowed historically.
Did you find any solution for that?
03-13-2015 04:39 AM
On a single WLAN, you can allow WPA1 and WPA2 clients to join. TKIP is the default value for WPA1, and AES is the default value for WPA2.
03-13-2015 05:42 AM
Sure, but I've got a lot of issues enabling both protocols on recent Cisco APs. As soon as I remove WPA1 TKIP from the WLC or standalone AP configuration the troubles disappear; that way old TKIP devices can no longer connect to wireless.
I was wondering if there is a workaround that allows old tkip devices to connect to wifi without disrupting new AES devices connections, possibly using same ssid.
03-13-2015 12:03 PM
I know your pain first hand. I've tested this and seen the issue, and even did packet traces. This is a big pickle. 8.0 no longer allows just TKIP, but it does allow transitional TKIP and AES.
If you are using a WLC, here is my suggestion. I haven't tried it but it may work. Downgrade to 7.6, configure your 2 networks, TKIP and AES, then upgrade to 8.0. I think it will preserve the already existing network. It's worth a try.
03-13-2015 11:14 PM
In fact, the environment that's giving me the worst pain is a recent migration from old 4400 WLCs to a vWLC that started with the 8.0.100 release.
But the issue is also related to AP models: when the whole AP pool was glorious 1242s there was no issue at all; only after swapping two 1242s with two brand new 1702s did the pain start, and it gives pain only in the 1702s' coverage area.
I'm sure your trick works, but in my case it's better to get rid of the 1702's until tkip devices disappear completely.