
TKIP cipher suite + 128WEP question

spyoung
Level 1

Hi,

Can someone clarify for me how this works in a WPA-PSK scenario:

If I configure WPA key management/authentication with TKIP cipher suite I don't explicitly need to enter a WEP key for encryption. Are the WEP encryption keys derived from the shared PMK?

Interestingly, in the Cisco documentation for configuring cipher suites, it mentions config commands for TKIP alone (like I state above) or TKIP with WEP40 or WEP128, for example:

'encryption vlanX mode ciphers tkip wep128 '

How does the addition of the explicit WEP 128 or WEP40 change the setup?

Thanks,

3 Replies

a-vazquez
Level 6

To configure Wi-Fi Protected Access (WPA) on a Cisco Access Point (AP) without an authentication server, configure the AP with a pre-shared key (WPA-PSK).

To configure the WPA-PSK, perform these steps using the GUI interface:

1. In the Encryption Manager window, select cipher TKIP and click Apply.

2. In the Service Set Identifier (SSID) Manager window, perform these steps:

   a. Create an SSID.

   b. Select Open Authentication.

   c. Set the Key Management to Mandatory.

   d. Check the WPA box.

   e. Enter a WPA-PSK and click Apply.

Hi,

Thanks, but you missed my point. Maybe I didn't make myself clear. First of all, I need to make config changes using CLI only. Second, I didn't ask how to configure WPA-PSK. Instead I want to understand the resulting AP configuration differences and behaviour between these commands:

'encryption vlanX mode ciphers tkip wep128'

'encryption vlanX mode ciphers tkip'

Specifically about WEP encryption - are the WEP keys dynamically generated if either command is issued, or only the first?

If using the second command, does the TKIP cipher suite derive WEP encryption keys from the PMK?

Hope that's clearer.

Thanks,

Hi Simon

I think 'encryption vlanX mode ciphers tkip wep128' is intended for use in 'WPA Migration Mode'.

WPA Migration Mode is an access point setting defined by Cisco that enables both WPA and non-WPA clients to associate to an access point using the same SSID.

In this scenario the Cisco Aironet access point is configured with WPA optional, TKIP+WEP128 or TKIP+WEP40 cipher, and a static WEP key in key slot 2 or 3.

Regarding the 2nd question, I don't think so.

Hope this helps
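
The three migration-mode conditions listed in the last reply (WPA optional, a TKIP+WEP128 or TKIP+WEP40 cipher, and a static WEP key in slot 2 or 3) can be checked per VLAN when auditing an AP configuration. The script below is an added example, not part of any post in this thread and not Cisco code; the sample configuration, its VLAN ids, SSID names and key value are constructed, the line syntax is assumed to follow the IOS commands quoted above, and the `audit` function and its finding labels are hypothetical.

```python
import re

# Constructed sample configuration: VLAN ids, SSID names and the WEP key
# value are placeholders, not taken from the thread.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip wep128
 encryption vlan 10 key 2 size 128bit 0123456789ABCDEF0123456789 transmit-key
 encryption vlan 20 mode ciphers tkip
dot11 ssid legacy-and-wpa
 vlan 10
 authentication open
 authentication key-management wpa optional
dot11 ssid wpa-only
 vlan 20
 authentication open
 authentication key-management wpa
"""

CIPHER_RE = re.compile(r"^\s*encryption vlan (\d+) mode ciphers (.+)$")
KEY_RE = re.compile(r"^\s*encryption vlan (\d+) key ([1-4]) size (40bit|128bit)\b")

def audit(config):
    """Classify each VLAN that has a cipher line (hypothetical labels)."""
    ciphers, wep_slots, wpa_optional = {}, {}, {}
    vlan = None  # VLAN of the SSID block currently being parsed
    for line in config.splitlines():
        if m := CIPHER_RE.match(line):
            ciphers[m.group(1)] = m.group(2).split()
        elif m := KEY_RE.match(line):
            wep_slots.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif line.startswith("dot11 ssid "):
            vlan = None  # new SSID block; its VLAN is not known yet
        elif m := re.match(r"^\s+vlan (\d+)$", line):
            vlan = m.group(1)
        elif "authentication key-management" in line and vlan:
            wpa_optional[vlan] = line.split()[-1] == "optional"
    findings = {}
    for v, suite in ciphers.items():
        mixed = "tkip" in suite and any(c in ("wep40", "wep128") for c in suite)
        if not mixed:
            findings[v] = "tkip-only" if suite == ["tkip"] else "other"
        elif wpa_optional.get(v) and wep_slots.get(v, set()) & {2, 3}:
            findings[v] = "migration-mode"  # all three conditions from the reply
        else:
            findings[v] = "mixed-cipher-incomplete"  # WEP cipher, other parts absent
    return findings
```

A VLAN reported as `migration-mode` accepts non-WPA clients on the same SSID as WPA clients, so it is the one to review before assuming the SSID is WPA-only.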
