WPA2/AES and WPA/TKIP

Hi all,

For compatibility reasons I was used to enabling both protocols on all the access points I prepared for customers of mine, both lightweight ones and standalone ones.

Now, as you all know, not only is it not best practice, but on the latest Cisco products enabling both AES and TKIP on the same SSID brings a lot of trouble.

I'm educating customers to get rid of old TKIP-only devices in order to remove it from the configurations on WLCs and standalone APs, but it's not always that easy; customers need time.

I read that a solution on a WLC could be to create two WLANs with the same SSID, one AES and the other TKIP, but on the latest releases it seems that creating any SSID with WPA1-only encryption is not allowed.

On standalone APs, creating two SSIDs on the same VLAN/interface has historically not been allowed.

Did you find any solution for that?

4 Replies

Saurav Lodh
Level 7

On a single WLAN, you can allow WPA1 and WPA2 clients to join; TKIP is the default value for WPA1, and AES is the default value for WPA2.

Sure, but I've got a lot of issues enabling both protocols on recent Cisco APs; as soon as I remove WPA1 TKIP from the WLC or standalone AP configuration the troubles disappear, but that way old TKIP devices can no longer connect to the wireless.

I was wondering if there is a workaround that allows old TKIP devices to connect to Wi-Fi without disrupting the connections of new AES devices, possibly using the same SSID.

I know your pain first hand. I've tested this and seen the issue, even did packet traces. This is a big pickle. 8.0 no longer allows just TKIP, but it does allow transitional TKIP and AES.


If you are using a WLC, here is my suggestion. I haven't tried it, but it may work. Downgrade to 7.6, configure your 2 networks, TKIP and AES, then upgrade to 8.0. I think it will preserve the already existing network. It's worth a try.


"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
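To make the "transitional TKIP and AES" setup from the reply above concrete, and to give the packet-trace check a tool, here is an added example that is not part of the thread and not Cisco code: a small decoder for the WPA (vendor-specific, OUI 00:50:F2) and RSN (element ID 48) information elements an AP advertises in beacons and probe responses. The two sample beacons are constructed by hand, not captured from anyone's network; the SSID "corp" and the function names are my own choices.

```python
# Added example, not code from the thread: decode the WPA (vendor-specific)
# and RSN information elements an AP advertises, so a packet trace of beacons
# or probe responses can confirm which ciphers a WLAN really offers.
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i (WPA2) suite selector OUI
WPA_OUI = b"\x00\x50\xf2"   # WPA1 vendor suite selector OUI

CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP/AES", 5: "WEP-104", 8: "GCMP-128"}
AKM = {1: "802.1X", 2: "PSK"}


def _suite(selector, names, oui):
    """Map a 4-byte suite selector (OUI + type) to a name."""
    if selector[:3] != oui:
        return "vendor(%s)" % selector.hex()
    return names.get(selector[3], "type%d" % selector[3])


def _suite_list(body, off, names, oui):
    """Parse a little-endian count followed by that many 4-byte selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    suites = [_suite(body[off + 4 * i:off + 4 * i + 4], names, oui) for i in range(count)]
    return suites, off + 4 * count


def parse_rsn(body):
    """Body of element ID 48 (RSN), i.e. the bytes after the ID/length pair."""
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _suite(body[2:6], CIPHER, RSN_OUI)
    pairwise, off = _suite_list(body, 6, CIPHER, RSN_OUI)
    akm, _ = _suite_list(body, off, AKM, RSN_OUI)
    return {"proto": "WPA2", "group": group, "pairwise": pairwise, "akm": akm}


def parse_wpa(body):
    """Body of vendor-specific element ID 221 carrying OUI 00:50:F2, type 1."""
    if body[:4] != WPA_OUI + b"\x01":
        raise ValueError("not a WPA information element")
    group = _suite(body[6:10], CIPHER, WPA_OUI)       # bytes 4-5 hold the version
    pairwise, off = _suite_list(body, 10, CIPHER, WPA_OUI)
    akm, _ = _suite_list(body, off, AKM, WPA_OUI)
    return {"proto": "WPA", "group": group, "pairwise": pairwise, "akm": akm}


def parse_ies(ies):
    """Walk a run of ID/length/value elements and return the security ones."""
    found, off = [], 0
    while off + 2 <= len(ies):
        eid, elen = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + elen]
        off += 2 + elen
        if eid == 48:
            found.append(parse_rsn(body))
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            found.append(parse_wpa(body))
    return found


def assess(ies):
    """Summarise what the IEs offer: which protocols, and whether TKIP is on
    the table for anybody, including as the shared group (broadcast) cipher."""
    elems = parse_ies(ies)
    ciphers = set()
    for e in elems:
        ciphers.add(e["group"])
        ciphers.update(e["pairwise"])
    return {
        "protocols": [e["proto"] for e in elems],
        "tkip_offered": "TKIP" in ciphers,
        "group_is_tkip": any(e["group"] == "TKIP" for e in elems),
        "aes_only": ciphers == {"CCMP/AES"},
    }


# --- constructed sample beacons (hand-built for this example, not captured) --
def _ie(eid, body):
    return bytes([eid, len(body)]) + body


def _rsn_ie(group, pairwise, akm):
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(RSN_OUI + bytes([a]) for a in akm)
    return _ie(48, body + struct.pack("<H", 0))      # RSN capabilities = 0


def _wpa_ie(group, pairwise, akm):
    body = WPA_OUI + b"\x01" + struct.pack("<H", 1) + WPA_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(WPA_OUI + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(WPA_OUI + bytes([a]) for a in akm)
    return _ie(221, body)


# Mixed WLAN as discussed in the thread: WPA1/TKIP plus WPA2 with AES and TKIP.
# The group cipher has to drop to TKIP so the oldest client can still decrypt
# broadcast/multicast traffic.
MIXED_IES = _ie(0, b"corp") + _wpa_ie(2, [2], [2]) + _rsn_ie(2, [4, 2], [2])
# The same SSID after TKIP has been removed: WPA2/AES only.
AES_ONLY_IES = _ie(0, b"corp") + _rsn_ie(4, [4], [2])

if __name__ == "__main__":
    for name, ies in (("mixed", MIXED_IES), ("aes-only", AES_ONLY_IES)):
        print(name, assess(ies))
```

The point the decoder makes visible is that "mixed mode" is not free for the AES clients: the WLAN advertises one group cipher, and with a TKIP client allowed that group cipher is TKIP, so every station on the SSID receives broadcast and multicast traffic under TKIP. Separately, 802.11n and later rates are not permitted for an association whose pairwise cipher is TKIP, which is why a TKIP-only client is always a legacy-rate client. Feed the decoder the IE bytes from a real beacon (for example the raw element run from a capture) to verify that an SSID which is supposed to be AES-only really no longer offers TKIP anywhere.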

In fact, the environment that's giving me the worst pain is a recent migration from old 4400 WLCs to a vWLC that started with the 8.0.100 release.

But the issue is also related to AP models: as long as the whole AP pool consisted of glorious 1242s there was no issue at all; only after swapping two 1242s for two brand new 1702s did the pain start, and it only causes pain in the 1702s' coverage area.

I'm sure your trick works, but in my case it's better to get rid of the 1702s until the TKIP devices disappear completely.
