WPA with AES, is it vulnerable?

Unanswered Question
Jan 14th, 2009
On the 4402 model wireless LAN controller, under WLANs -> Security -> Layer2, it is possible to select WPA Policy and WPA Encryption "AES".

Does anyone know if this combination is vulnerable to the recent TKIP exploit?

I have WPA Encryption "TKIP" explicitly unchecked, but I thought I read somewhere that TKIP might still be used for backward compatibility, or that WPA1 with AES might not have been implemented according to the final WPA2 definition.

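One way to check what the controller actually advertises, rather than relying on the checkbox, is to decode the WPA (vendor-specific) or RSN information element from a captured beacon and list the cipher suites it offers. The following Python is an added example, not from this thread or from Cisco; the two sample elements are constructed by hand for illustration, not captured from a 4402.

```python
# Added example: decode the WPA (version 1) and RSN (WPA2) information elements
# an access point puts in its beacons, to see which ciphers it really offers.
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-AES", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WPA_OUI = b"\x00\x50\xf2"   # Wi-Fi Alliance OUI used by the WPA vendor IE (0xDD)
RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 OUI used by the RSN IE (0x30)

def _suite_list(body, off, oui, table):
    """Read a little-endian 2-byte count, then that many 4-byte OUI+type selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    names = []
    for _ in range(count):
        sel = body[off:off + 4]
        off += 4
        if sel[:3] != oui:
            names.append("vendor:" + sel.hex())
        else:
            names.append(table.get(sel[3], f"unknown({sel[3]})"))
    return names, off

def parse_security_ie(ie: bytes) -> dict:
    """Decode one raw information element (ID, length, body) into its cipher/AKM lists."""
    eid, length = ie[0], ie[1]
    body = ie[2:2 + length]
    if eid == 0xDD and body[:4] == WPA_OUI + b"\x01":
        kind, oui, off = "WPA", WPA_OUI, 4        # skip OUI + type byte
    elif eid == 0x30:
        kind, oui, off = "WPA2", RSN_OUI, 0
    else:
        raise ValueError("not a WPA or RSN information element")
    off += 2                                       # 2-byte version field
    group = body[off:off + 4]
    off += 4
    pairwise, off = _suite_list(body, off, oui, CIPHERS)
    akm, off = _suite_list(body, off, oui, AKMS)   # RSN capabilities, if any, follow
    return {"type": kind, "group": CIPHERS.get(group[3], "?"),
            "pairwise": pairwise, "akm": akm}

def offers_tkip(ie: bytes) -> bool:
    """True if TKIP is negotiable as either the group or a pairwise cipher."""
    info = parse_security_ie(ie)
    return info["group"] == "TKIP" or "TKIP" in info["pairwise"]

# Constructed sample elements (hypothetical, not captured from a real controller).
# WPA v1 IE offering CCMP only with PSK, as the poster's WLAN is configured:
WPA_AES_ONLY = bytes.fromhex("dd16" "0050f201" "0100" "0050f204" "0100" "0050f204" "0100" "0050f202")
# RSN IE offering both TKIP and CCMP pairwise ciphers, as a mixed-mode WLAN would:
RSN_MIXED = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac02" "000fac04" "0100" "000fac02" "0000")
```

If the WPA element from a live beacon lists only CCMP-AES, the WLAN is not negotiating TKIP regardless of what clients support.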
scottmac Thu, 01/15/2009 - 18:34

WPA with AES is still very strong, and not subject to the vulnerabilities of TKIP.

Good Luck


c-pollock Fri, 01/16/2009 - 04:00
Hi Scott,

Thanks for your reply.

I just re-read this from the original Cisco Security Response where it says:

"TKIP is the mandatory cipher suite for the first version of the Wi-Fi Protected Access (WPA) specification and it is an option for the Wi-Fi Protected Access version 2 (WPA2) standard."

Even though we are using WPA(1) where the specification says it is mandatory to include TKIP in the "cipher suite", we are implementing AES and have explicitly disabled TKIP.

I interpret this to mean that we are not vulnerable.



Scott Fella Fri, 01/16/2009 - 18:36
WPA/TKIP PSK has been compromised as you know, but setting WPA/AES PSK has not been CRACKED....

The only thing is that some devices do not let you set up WPA/AES. I have seen devices that only allow you to set either WPA or AES. When WPA is the only option, then TKIP is automatically set. When TKIP/AES is the only option and you choose AES, then WPA2 is the default.

generaljoe Sun, 01/18/2009 - 02:34
Even though TKIP is vulnerable, the attacks are dictionary-based. If you use a 63-character random string it is still highly unlikely that your TKIP network will be cracked. It's more likely that someone will steal the key via physical means...
