What is WPA mixed mode operation, and how do I configure it in my AP?
WPA stands for Wi-Fi Protected Access. There are two versions of WPA: WPA and WPA2.
WPA is a standards-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs and provides enhanced protection from targeted attacks. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLANs in both enterprise and Small Office/Home Office (SOHO) environments. WPA uses Temporal Key Integrity Protocol (TKIP) for encryption. WPA is fully supported by the Cisco Wireless Security Suite and the Cisco Structured Wireless-Aware Network (SWAN).
WPA2 is the next generation of Wi-Fi security. It is the Wi-Fi Alliance's interoperable implementation of the ratified IEEE 802.11i standard. It implements the National Institute of Standards and Technology (NIST) recommended Advanced Encryption Standard (AES) encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 facilitates government FIPS 140-2 compliance, and it is fully supported by the Cisco Wireless Security Suite and by Cisco SWAN.
WPA and WPA2 mixed mode operation permits the coexistence of WPA and WPA2 clients on a common SSID. WPA and WPA2 mixed mode is a Wi-Fi certified feature. In WPA and WPA2 mixed mode, the Access Point (AP) advertises the encryption ciphers (TKIP, CCMP, other) that are available for use. Each client selects the cipher it wants to use, and that cipher is then used for encryption between that client and the AP.
The AP must support WPA2 to use this option, which means it needs an 802.11g radio. These Cisco Aironet products support WPA2:
- 1130AG series and 1230AG series APs support WPA2
- Cisco Aironet 1100 series, 1200 series and 1300 series 802.11g radios support WPA2 with a Cisco IOS Software upgrade through Cisco IOS Software Release 12.3(2)JA or later
To configure WPA or WPA2 mixed mode, perform these steps:
- Go to Security > Encryption Manager, and select AES CCMP+TKIP from the Ciphers drop-down menu.
- Make sure that your SSID is configured for WPA mandatory (not optional). Go to Security > SSID Manager, and select the SSID that should be used.
- Scroll down to the Authenticated Key Management section and select Mandatory in the Key Management pull down menu. Also make sure to check the WPA box.
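Once mixed mode is enabled, the AP advertises both a WPA information element and an RSN (WPA2) information element in its beacons. The following added example, which is not part of the Cisco document, decodes those two IEs so an administrator can verify from a beacon capture that the SSID really offers AES-CCMP alongside TKIP and which key management (802.1X or PSK) is in use; the beacon bytes are constructed, and the helper names are the example's own.

```python
# Added example, not from the Cisco document: decode the RSN (WPA2) and WPA IEs
# an AP advertises, to confirm what a mixed-mode SSID offers. Sample bytes are constructed.
import struct
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _suites(body, off, oui, names):
    """Read a 2-byte little-endian count followed by 4-byte suites (OUI + type)."""
    (count,) = struct.unpack_from("<H", body, off)
    off, out = off + 2, []
    for _ in range(count):
        out.append(names.get(body[off + 3], "unknown") if body[off:off + 3] == oui else "vendor")
        off += 4
    return out, off

def _decode(body, oui):
    """Shared RSN/WPA layout: version(2), group cipher(4), pairwise list, AKM list."""
    group = CIPHERS.get(body[5], "unknown") if body[2:5] == oui else "vendor"
    pairwise, off = _suites(body, 6, oui, CIPHERS)
    akm, _ = _suites(body, off, oui, AKMS)
    return {"group": group, "pairwise": pairwise, "akm": akm}

def parse_security_ies(ies):
    """Walk a beacon's tagged IEs and return the decoded WPA and WPA2 entries."""
    found, off = {}, 0
    while off + 2 <= len(ies):
        eid, ln = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + ln]
        if eid == 48:                                        # RSN IE = WPA2
            found["WPA2"] = _decode(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":   # vendor IE, WPA type 1
            found["WPA"] = _decode(body[4:], WPA_OUI)
        off += 2 + ln
    return found

def mixed_mode_report(ies):
    """Mixed mode means both IEs are present; TKIP anywhere is the weaker cipher."""
    found = parse_security_ies(ies)
    ciphers = {c for e in found.values() for c in e["pairwise"]}
    return {"mixed": {"WPA", "WPA2"} <= set(found), "tkip_offered": "TKIP" in ciphers}

# Constructed beacon IEs: SSID "mixed", then the RSN and WPA IEs an AP configured
# for AES CCMP+TKIP with WPA-PSK would advertise (group TKIP, pairwise CCMP and TKIP).
SAMPLE_IES = (
    bytes([0, 5]) + b"mixed"
    + bytes([48, 24]) + b"\x01\x00" + RSN_OUI + b"\x02"
    + b"\x02\x00" + RSN_OUI + b"\x04" + RSN_OUI + b"\x02"
    + b"\x01\x00" + RSN_OUI + b"\x02" + b"\x00\x00"
    + bytes([221, 26]) + WPA_OUI + b"\x01" + b"\x01\x00" + WPA_OUI + b"\x02"
    + b"\x02\x00" + WPA_OUI + b"\x04" + WPA_OUI + b"\x02"
    + b"\x01\x00" + WPA_OUI + b"\x02"
)
```

Running `mixed_mode_report` over IEs taken from a real beacon capture shows whether the Encryption Manager change took effect and whether TKIP is still being offered to clients.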
Comparison of WPA and WPA2 Mode Types
| Mode | WPA | WPA2 |
|---|---|---|
| Enterprise Mode (Business, Government, Education) | Authentication: IEEE 802.1X/EAP; Encryption: TKIP | Authentication: IEEE 802.1X/EAP; Encryption: AES-CCMP |
| Personal Mode (SOHO, Home/Personal) | Authentication: pre-shared key (PSK); Encryption: TKIP | Authentication: pre-shared key (PSK); Encryption: AES-CCMP |
In Enterprise mode of operation, both WPA and WPA2 use 802.1X/EAP for authentication. 802.1X provides WLANs with strong, mutual authentication between a client and an authentication server. In addition, 802.1X provides dynamic per-user, per-session encryption keys, removing the administrative burden and security issues surrounding static encryption keys.
With 802.1X, the credentials used for authentication, such as logon passwords, are never transmitted in the clear, or without encryption, over the wireless medium. While 802.1X authentication types provide strong authentication for wireless LANs, TKIP or AES is needed for encryption in addition to 802.1X, since standard 802.11 WEP encryption is vulnerable to network attacks.
Several 802.1X authentication types exist, each providing a different approach to authentication while relying on the same framework and EAP for communication between a client and an access point. Cisco Aironet products support more 802.1X EAP authentication types than any other WLAN products.
Supported types include
Another benefit of 802.1X authentication is centralized management for WLAN user groups, including policy-based key rotation, dynamic key assignment, dynamic VLAN assignment, and SSID restriction. These features rotate the encryption keys automatically rather than relying on static keys.
In the Personal mode of operation, a pre-shared key (password) is used for authentication. Personal mode requires only an access point and client device, while Enterprise mode typically requires a RADIUS or other authentication server on the network.
This document provides examples for configuring WPA2 (Enterprise mode) and WPA2-PSK (Personal mode) in a Cisco Unified Wireless network.