TKIP cipher suite + 128WEP question

Unanswered Question
Oct 27th, 2005
User Badges:


Can someone clarify for me how this works in a WPA-PSK scenario:

If I configure WPA key management/authentication with TKIP cipher suite I dont explicitly need to enter a WEP key for encryption. Are the WEP encryption keys derived from the shared PMK?

Interestingly, in the cisco documentation for configuring cipher suites, it mentions config commands for TKIP alone (like I state above) or TKIP with WEP40 or WEP128, for example:

'encryption vlanX mode ciphers tkip wep128 '

how does the addition of the explicit WEP 128 or WEP40 change the setup?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
a-vazquez Thu, 11/03/2005 - 07:10
User Badges:
  • Silver, 250 points or more

configure Wi-Fi Protected Access (WPA) on a Cisco Access Point (AP) without an authentication server, configure the AP with a pre-share key (WPA-PSK).

To configure the WPA-PSK, perform these steps using the GUI interface:

In the Encryption Manager window, select cipher TKIP and click Apply.

In the Service Set Identifier (SSID) Manager window, perform these steps:

Create an SSID.

Select Open Authentication.

Set the Key Management to Mandatory.

Check the WPA box.

Enter a WPA-PSK and click Apply.

spyoung Thu, 11/03/2005 - 09:35
User Badges:


Thanks but you missed my point. Maybe I didnt make myself clear. First of all I need to make config changes using CLI only. Second, I didnt ask how to configure WPA-PSK. Instead I want to understand the resulting AP configuration differences and behaviour between these commands:

'encryption vlanX mode ciphers tkip wep128'

'encryption vlanX mode ciphers tkip'

Specifically about WEP encryption - are the WEP keys dynamically generated if either command is issued, or only the first?

If using the second command, does the TKIP cipher suite derive WEP encryption keys form the PMK?

hope thats clearer.


jolmo Fri, 11/04/2005 - 03:52
User Badges:
  • Silver, 250 points or more

Hi Simon

I think 'encryption vlanX mode ciphers tkip wep128' is intended to use in 'WPA Migration Mode'.

WPA Migration Mode is an access point setting defined by Cisco that enables both WPA and non-WPA clients to associate to an access point using the same SSID.

In this scenario the Cisco Aironet access point is configured with WPA optional, TKIP+WEP128 or TKIP+WEP40 cipher, and a static WEP key in key slot 2 or 3

Regarding 2nd question, I don't think so.

Hope this helps


This Discussion



Trending Topics - Security & Network