WPA2\AES and PSK

stheriault99
Level 1

We have a situation that we need to implement WPA2, AES with PSK on our WLC. If I put a complex passphrase of 63 ASCII characters, how safe is my wireless network? After reading multiple forums, it seems that it is quite safe, even if this setup is designed for a home or medium office.

Your feedback is very much appreciated.

Thank you.

Scott Fella
Hall of Fame

Well, the maximum length is 63, but of course the more characters the more secure. WPA2/AES is very difficult to crack anyway... With WPA/TKIP, using more characters helps since that has already been compromised.

Make sure that your devices support 63 characters.

Here is a link that talks about WPA-PSK:

http://blogs.zdnet.com/Ou/?p=127

If your choice is only to use PSK, then WPA2/AES. If you have a RADIUS server, then it would be better to use 802.1X or WPA2-Enterprise as it is called in some software.

-Scott
*** Please rate helpful posts ***

gamccall
Level 4

As far as the security algorithm itself is concerned, a very long, random PSK is extremely secure.

However, there are human factor issues that come into play: that long PSK has to be written down somewhere and that location must be kept secure; the number of people who have access to the key must be limited and all of them must carefully maintain the security of the key; if the key is compromised you must manually change the keys on all clients; etc.

Another issue is that with a PSK you have no way to map a given wireless connection to any individual user, as you would with 802.1X. So if an EAP account is compromised you at least know who to yell at, whereas if your key is compromised you have no clue.

Nobody's going to crack a 63-character passphrase using over-the-air tools. But they won't bother. They'll just find a way to get into your helpdesk office and take a picture of the whiteboard where it's written down.

Hi,

If this system will work with MS WZC supplicants, an easy way to get the PSK is to extract it from the Windows registry.

Cheers
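
As an added example (not posted by anyone in this thread), the sketch below generates a random passphrase inside the 8 to 63 printable-ASCII limits discussed above, estimates its entropy, and derives the 256-bit pairwise master key the way WPA2-PSK does, with PBKDF2-HMAC-SHA1 salted by the SSID. The function names and the SSID `ExampleCorpWLAN` are assumptions made for the illustration.

```python
import hashlib
import math
import secrets

# Printable ASCII 0x20-0x7e, the character range allowed in a WPA2 passphrase.
ALPHABET = "".join(chr(c) for c in range(0x20, 0x7F))
BITS_PER_CHAR = math.log2(len(ALPHABET))  # about 6.57 bits, only if chosen uniformly


def validate_passphrase(passphrase: str) -> None:
    """Enforce the WPA2-PSK passphrase rules: 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(ch not in ALPHABET for ch in passphrase):
        raise ValueError("passphrase must contain printable ASCII only")


def generate_passphrase(length: int = 63) -> str:
    """Pick every character independently from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("length must be between 8 and 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random passphrase (not valid for human-chosen ones)."""
    return length * BITS_PER_CHAR


def min_length_for_bits(bits: int) -> int:
    """Shortest random passphrase whose entropy reaches `bits`."""
    return math.ceil(bits / BITS_PER_CHAR)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


if __name__ == "__main__":
    psk = generate_passphrase()
    print(f"{len(psk)} chars, about {entropy_bits(len(psk)):.0f} bits of entropy")
    print("length needed to match the 256-bit PMK:", min_length_for_bits(256))
    # "ExampleCorpWLAN" is a constructed SSID used only for this demonstration.
    print("PMK:", derive_pmk(psk, "ExampleCorpWLAN").hex())
```

Past 39 random characters the passphrase carries more entropy than the 256-bit key it is hashed into, so the remaining length adds margin rather than key strength. Because the SSID is the salt, the same passphrase yields a different PMK on every network name.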
