Reality check: WEP->WPA/PSK Migration mode

Unanswered Question
Dec 20th, 2007

I am just having a horrible time implementing Migration mode. I'm sure it's me. 8-)

I am running an autonomous 1240AG. It is currently set up as static WEP/PSK.

I would like to "add" WPA/PSK to the existing SSID.

Is this possible? Or does migration mode not work with WPA/PSK?

I have studied all the docs I can find but the best I have been able to do allowed the WPA/PSK users to connect but the WEP/PSK users were locked out.

Any advice, sample configs, prozac, is greatly appreciated.

Regards,

Mike

rob.huffman Thu, 12/20/2007 - 10:30

Hi Mike,

I have never used this but I hate to see you have to pull out the Prozac :) The example certainly seems to support WPA/PSK.

Configuring WPA Migration Mode

WPA migration mode allows these client device types to associate to the access point using the same SSID:

• WPA clients capable of TKIP and authenticated key management

• 802.1X-2001 clients (such as legacy LEAP clients and clients using TLS) capable of authenticated key management but not TKIP

• Static-WEP clients not capable of TKIP or authenticated key management

If all three client types associate using the same SSID, the multicast cipher suite for the SSID must be WEP. If only the first two types of clients use the same SSID the multicast key can be dynamic, but if the static-WEP clients use the SSID, the key must be static. The access point can switch automatically between a static and a dynamic group key to accommodate associated client devices. To support all three types of clients on the same SSID, you must configure the static key in key slots 2 or 3.

To set up an SSID for WPA migration mode, configure these settings:

• WPA optional

• A cipher suite containing TKIP and 40-bit or 128-bit WEP

• A static WEP key in key slot 2 or 3

This example sets the SSID migrate for WPA migration mode:

    ap1200# configure terminal
    ap1200(config)# interface dot11radio 0
    ap1200(config-if)# encryption mode cipher tkip wep128
    ap1200(config-if)# encryption key 3 size 128 12345678901234567890123456 transmit-key
    ap1200(config-if)# ssid migrate
    ap1200(config-ssid)# authentication open
    ap1200(config-ssid)# authentication network-eap adam
    ap1200(config-ssid)# authentication key-management wpa optional
    ap1200(config-ssid)# wpa-psk ascii batmobile65
    ap1200(config-ssid)# exit

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/configuration/guide/s32auth.html#wp1048754

From Darren @ Cisco Systems;

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Expert%20Archive&topic=Wireless%20-%20Mobility&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddaee27/23#selected_message

From Ben @ Cisco Systems;

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Getting%20Started%20with%20Wireless&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddd0dfd/2#selected_message

Hope this helps!

Rob

mikestaines Fri, 12/21/2007 - 12:59

Rob:

Thanks for the reply.

I am at a disadvantage as I am not all that familiar with IOS. I usually use the web server for configuration. 8-(

Some questions:

In your example, is Key 3 my static WEP key? (currently Key #1)

Does the "authentication open" line affect my WEP/PSK users? Currently, the config file has "shared" and the users are all wep/psk.

Can you explain the "authentication network-eap adam" line? We are not using EAP, just "personal" mode.

If it helps, attached is my current wep/psk working config file with the keys/passwords altered.

Thanks,

Mike

rob.huffman Sun, 12/23/2007 - 07:51

Hi Mike,

As I said, I have never tried this before and sadly can't test this for you as we run Lightweight now. It seems from your first post that you were very close to having this working :) It would be most helpful to see what the "migration mode" config looked like. To me, it seems like this line may have been missing;

AP SSID is also set for "Authenticated key management- WPA- Optional". As noted by Darren from Cisco.

Let us know,

Rob
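
An added example, not part of the original thread or of Cisco's documentation: a small Python check for the three migration-mode settings quoted from the configuration guide above (WPA optional, a cipher suite with TKIP plus WEP, a static WEP key in slot 2 or 3). The function name, the handling of only the non-VLAN command forms, and the second sample config are assumptions constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\S*#\s*")  # strips a CLI prompt such as "ap1200(config-if)# "

def check_migration_mode(config_text):
    """Hypothetical helper: list which quoted migration-mode settings are missing."""
    ciphers, key_slots, key_mgmt = set(), set(), None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip()).lower()
        if m := re.match(r"encryption mode ciphers? (.+)", line):
            ciphers = set(m.group(1).split())
        elif m := re.match(r"encryption key (\d) size", line):
            key_slots.add(int(m.group(1)))
        elif m := re.match(r"authentication key-management wpa\b(.*)", line):
            key_mgmt = "optional" if "optional" in m.group(1).split() else "mandatory"
    findings = []
    if "tkip" not in ciphers or not ciphers & {"wep40", "wep128"}:
        findings.append("cipher suite must contain TKIP and 40-bit or 128-bit WEP")
    if not key_slots & {2, 3}:
        findings.append(f"static WEP key must be in slot 2 or 3 (found: {sorted(key_slots)})")
    if key_mgmt != "optional":
        findings.append(f"key management must be 'wpa optional' (found: {key_mgmt})")
    return findings

# The example commands quoted in the thread, prompts included.
PAGE_EXAMPLE = """\
ap1200(config)# interface dot11radio 0
ap1200(config-if)# encryption mode cipher tkip wep128
ap1200(config-if)# encryption key 3 size 128 12345678901234567890123456 transmit-key
ap1200(config-if)# ssid migrate
ap1200(config-ssid)# authentication open
ap1200(config-ssid)# authentication key-management wpa optional
ap1200(config-ssid)# wpa-psk ascii batmobile65
"""

# Constructed sample (not from the thread): key in slot 1, no WEP cipher, WPA not optional.
CONSTRUCTED_SAMPLE = """\
interface Dot11Radio0
 encryption mode ciphers tkip
 encryption key 1 size 128 00000000000000000000000000 transmit-key
 ssid example
  authentication open
  authentication key-management wpa
  wpa-psk ascii example-passphrase
"""

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(name, "->", check_migration_mode(cfg) or "all three settings present")
```

The check accepts either pasted CLI lines with prompts or an indented saved config, and it only tests the three settings listed in the quoted guide.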
