
WPA2 and WEP - can they coexist on a Cisco device?

ctisupport
Level 1

I have a series of APs at a client that have WEP 128bit for part of their production area. They have old software on wireless machines that can not handle WPA or WPA2 yet. However, we are starting to migrate equipment, and iPads have been introduced into the environment, and they are not playing well with the WEP. The APs in question are Aironet 1142, 1132, and 1242s. Can these broadcast multiple SSIDs with separate encryption? Anything connecting to these APs would all go to the same network. However, I'd want one SSID - HAPPY23 - to have 128bit WEP, and the other SSID - HEFTY76 - to have WPA2/PSK. Is this possible, and if so, how?


Stephen Rodriguez
Cisco Employee

Wayne,

You can at least do WPA/TKIP with WEP; it might work with WPA2 as well, but I've never tested.

http://www.cisco.com/en/US/partner/docs/wireless/access_point/12.4_3g_JA/configuration/guide/s43auth.html#wp1048754

This goes over how to configure what's called 'Migration Mode'.  This allows you to have dual encryptions on a single SSID.

HTH,
Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.


I am not seeing Migration Mode in the document. I see how to configure multiple SSIDs, but not how to apply different encryption (i.e. WPA/PSK vs WEP) to those SSIDs.

That link should have taken you directly to the migration mode, but here it is:

Configuring WPA Migration Mode

WPA migration mode allows these client device types to associate to the access point using the same SSID:

WPA clients capable of TKIP and authenticated key management

802.1X-2001 clients (such as legacy LEAP clients and clients using TLS) capable of authenticated key management but not TKIP

Static-WEP clients not capable of TKIP or authenticated key management

If all three client types associate using the same SSID, the multicast cipher suite for the SSID must be WEP. If only the first two types of clients use the same SSID the multicast key can be dynamic, but if the static-WEP clients use the SSID, the key must be static. The access point can switch automatically between a static and a dynamic group key to accommodate associated client devices. To support all three types of clients on the same SSID, you must configure the static key in key slots 2 or 3.

To set up an SSID for WPA migration mode, configure these settings:

WPA optional

A cipher suite containing TKIP and 40-bit or 128-bit WEP

A static WEP key in key slot 2 or 3

This example sets the SSID migrate for WPA migration mode:

ap1200# configure terminal
ap1200(config-if)# ssid migrate
ap1200(config-if)# encryption mode cipher tkip wep128
ap1200(config-if)# encryption key 3 size 128 12345678901234567890123456 transmit-key
ap1200(config-ssid)# authentication open
ap1200(config-ssid)# authentication network-eap adam
ap1200(config-ssid)# authentication key-management wpa optional
ap1200(config-ssid)# wpa-psk ascii batmobile65
ap1200(config)# interface dot11radio 0
ap1200(config-if)# ssid migrate
ap1200(config-ssid)# end

HTH,
Steve
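
The following is an added example, not part of the original posts or of Cisco's documentation: a Python check that reads AP configuration text and tests it against the three migration-mode settings quoted above (WPA optional, a cipher suite with TKIP and WEP, a static WEP key in key slot 2 or 3), which is also a quick way to find SSIDs that still have WEP in the cipher suite. It assumes plaintext hexadecimal keys as in the quoted session; the function name and result fields are hypothetical.

```python
import re

# The session quoted in the post above, prompts included (the parser strips them).
PAGE_SESSION = """\
ap1200# configure terminal
ap1200(config-if)# ssid migrate
ap1200(config-if)# encryption mode cipher tkip wep128
ap1200(config-if)# encryption key 3 size 128 12345678901234567890123456 transmit-key
ap1200(config-ssid)# authentication open
ap1200(config-ssid)# authentication key-management wpa optional
ap1200(config-ssid)# wpa-psk ascii batmobile65
"""

HEX_DIGITS = {40: 10, 128: 26}  # static WEP key length in hex digits per key size
KEY_RE = r"encryption key (\d) size (\d+)(?:bit)? ([0-9A-Fa-f]+)( transmit-key)?"


def audit_migration_mode(text):
    """Check configuration text against the three migration-mode settings."""
    ciphers, keys, wpa_optional = set(), {}, False
    for raw in text.splitlines():
        line = re.sub(r"^\S+#\s*", "", raw.strip())  # drop a CLI prompt if present
        if m := re.fullmatch(r"encryption mode ciphers? (.+)", line):
            ciphers.update(m.group(1).split())
        elif m := re.fullmatch(KEY_RE, line):
            keys[int(m.group(1))] = (int(m.group(2)), m.group(3))
        elif line == "authentication key-management wpa optional":
            wpa_optional = True

    wep = ciphers & {"wep40", "wep128"}
    # Migration mode needs WPA optional plus a suite holding both TKIP and WEP.
    migration = wpa_optional and "tkip" in ciphers and bool(wep)
    issues = []
    if migration and not any(slot in (2, 3) for slot in keys):
        issues.append("no static WEP key in key slot 2 or 3")
    for slot, (size, key) in sorted(keys.items()):
        if HEX_DIGITS.get(size) != len(key):
            issues.append(f"key slot {slot}: {len(key)} hex digits does not fit size {size}")
    return {"migration_mode": migration, "wep_in_cipher_suite": bool(wep), "issues": issues}


if __name__ == "__main__":
    print(audit_migration_mode(PAGE_SESSION))
```
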
