AES-CCMP Cipher is not supported with WPA Version 1

Hi,

I have a Cisco AP1142N autonomous AP that is already working with this configuration:

dot11 ssid ExampleSSID
   vlan 998
   authentication open
   authentication key-management wpa version 1
   mbssid guest-mode
   wpa-psk ascii 7 045802150C2E1D1C5A4D
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm tkip
 encryption vlan 998 mode ciphers tkip
 ssid ExampleSSID
 !
 antenna gain 0
 mbssid
 station-role root
!

When I try to change the vlan 998 encryption to AES with input "encryption vlan 998 mode ciphers aes-ccm" in interface Dot11Radio0, I keep getting this error message:

"AES-CCMP Cipher is not supported with WPA Version 1"

My Linksys AP and even my Chinese AP can manage WPA version 1 with AES. I really don't understand why the Cisco 1142 cannot. Is there any way that I can configure this Cisco AP1142N autonomous with WPA1-AES?

Thank You.


Re: AES-CCMP Cipher is not supported with WPA Version 1

Hi ,

Remember that any brand of access point will have its own encryption combinations to use and to which method to link them, but this may or may not work if the wireless clients support it or not and also since the wireless client cannot do 2 encryption methods at the same time.

The thing is that to guarantee compatibility between different brands of access points and wireless clients the IEEE stated that if you work with WPA version 1 we will use the cipher of TKIP and if you want to work with WPA version 2 we will use the cipher of AES-CCM.

Since our access points are compliant with the IEEE, this is why you are getting an error message that does not allow you to configure WPA version 1 with AES-CCMP.

Also, as a side note, for N data rates to work on the 1140 N access point you will need to have no encryption configured or only WPA version 2 with AES-CCM, since as per the N standard only WPA version 2 with AES-CCM supports N data rates.

If you would like to use different encryption methods, then the correct configuration would be to configure VLANs on the AP and link each SSID to the corresponding subnet or VLAN and on each SSID or VLAN linked to the required encryption method.

Re: AES-CCMP Cipher is not supported with WPA Version 1

Fbarboza:

We had a discussion before somewhere in this forum about the difference between wpa-tkip/wpa-aes and wpa2-tkip/wpa2-aes in wireless controller config. The conclusion was that with wpa2 the RSN IE exists while this IE does not exist with wpa regardless of what encryption (tkip or aes) is used.

The question here would be: why is this not applicable here with the autonomous APs? I expected wpa-aes to work fine with the 1140 AP although 802.11n is not supported?

Also, do you mean that with mbssid/vlans the wpa-aes will be configured without a problem on the AP?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Re: AES-CCMP Cipher is not supported with WPA Version 1

Hi,

WPA version 1 uses the encryption cipher of TKIP and WPA version 2 uses the cipher of AES as per compliance with the IEEE.

To use AES-CCM on the unit just change the encryption method of WPA version 1 to version 2 and then change the cipher to AES-CCM.

What the option of using multiple SSIDs does is allow you to use an encryption method on one SSID and a different encryption method on a different SSID.

In either case, working with one SSID or working with several SSIDs, if you want to use AES-CCM as the cipher then you will need to use WPA version 2.

Now if you want to leave WPA version 1 configured and use AES-CCM then you can configure AES-CCM + TKIP and this may or may not work depending on whether the wireless clients support it.

The command you will need to use is "encryption mode ciphers aes-ccm tkip" under the radio interface globally if working with one SSID or under the specific VLAN if working with VLANs.

"encryption vlan 998 mode ciphers aes-ccm tkip"

Re: AES-CCMP Cipher is not supported with WPA Version 1

Hi.

Thank you. This was my understanding.

But the question is: with WLC you can configure wpa2-tkip only (without enabling wpa2-aes), why is this not applicable to autonomous APs?

I am aware of client issues in such a situation, but as it can be done on WLC why not on a standalone AP?

Thanks

Amjad

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Re: AES-CCMP Cipher is not supported with WPA Version 1

Hi,

The WLC is not IOS based, versus the AP in standalone mode, which is.

The WLC allows us to configure different options; this would be more of a developer question as to why the IOS software allows it and the WLC software does not.

I just ran a check and configured an 1140 access point and was able to configure the GUI to use WPA version 1 with AES-CCMP:

dot11 ssid TEST
   authentication open
   authentication key-management wpa version 1
   wpa-psk ascii 7 070C285F4D06485744465E
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled

Since you have VLANs configured on the AP, checking on the configuration of the AP, remove the command "encryption mode ciphers aes-ccm tkip" using the command "no encryption mode ciphers aes-ccm tkip" and then just try

encryption vlan 998 mode ciphers aes-ccm

Re: AES-CCMP Cipher is not supported with WPA Version 1

Hi

Thank You fbarboza for the answer.

I tried your configuration, but when I tried to turn on the SSID with this command:

..

interface dot11radio 0

ssid TEST

..

The error "AES-CCMP Cipher is not supported with WPA Version 1" showed up again.

Do I have to use a WLC and lightweight AP to get what I want? I really hope there are other possibilities that I can use with my autonomous AP.


Re: AES-CCMP Cipher is not supported with WPA Version 1

What code were you running fbarboza? Maybe you need to run the same code in order to do what you want.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

Re: AES-CCMP Cipher is not supported with WPA Version 1

The code that the test access point I used is running is 12.4(21a)JA1 and I configured it via the GUI.

I will try later to configure it over the CLI and see if I get the error message.


Re: AES-CCMP Cipher is not supported with WPA Version 1

Hi,

I just configured an access point via the CLI which has no VLANs or different SSIDs set just one SSID known as test and using the encryption command on the config t of the global interface and got no errors at all.

User Access Verification
 
Username: Cisco
Password:
AP1142AG.246>ena
Password:
AP1142AG.246#
AP1142AG.246#config t
Enter configuration commands, one per line. End with CNTL/Z.
AP1142AG.246(config)#dot11 ssid TEST
AP1142AG.246(config-ssid)#
AP1142AG.246(config-ssid)#
AP1142AG.246(config-ssid)#authentication open
AP1142AG.246(config-ssid)#authentication key-man
AP1142AG.246(config-ssid)#authentication key-management wpa version 1
AP1142AG.246(config-ssid)#wpa-psk
AP1142AG.246(config-ssid)#wpa-psk as
AP1142AG.246(config-ssid)#wpa-psk ascii 7 070C285F4D06485744465E
AP1142AG.246(config-ssid)#exit
AP1142AG.246(config)#exit
AP1142AG.246#config t
Enter configuration commands, one per line. End with CNTL/Z.
AP1142AG.246(config)#int dot11 rad
AP1142AG.246(config)#int dot11ra
AP1142AG.246(config)#int dot11radio 0
AP1142AG.246(config-if)#encryption mode ciphers aes-ccm
AP1142AG.246(config-if)#exit
AP1142AG.246(config)#exit
AP1142AG.246#
 
 

show run:

AP1142AG.246#show run
Building configuration...

Current configuration : 1522 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1142AG.246
!
enable secret 5 $1$svcK$heK3ptEJ/Aj3ISsXnpll9.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid TEST
   authentication open
   authentication key-management wpa version 1
   wpa-psk ascii 7 070C285F4D06485744465E
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

AP1142AG.246#

Are you configuring the unit via the CLI or GUI once you get the error message?

Re: AES-CCMP Cipher is not supported with WPA Version 1

Hi,

Thank you all for your responses.

fbarboza, I just saw your configuration and I wonder if the SSID TEST will show on your computer without this command:

interface dot11radio 0
 ssid TEST

I copied your configuration immediately, and the SSID didn't show up on my PC. When I type this command,

interface dot11radio 0
 ssid TEST

I immediately got the error as usual: "AES-CCMP Cipher is not supported with WPA Version 1"

In response to your earlier question: yes, I used the CLI and got that error. I also tried using the GUI, but as a result the cipher didn't change; it was still in TKIP mode.

Thank You before.
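
An added example, not part of the thread and not Cisco tooling: a Python check that resolves, for each SSID bound to a radio, the cipher set that applies to it and flags the pairings discussed above (WPA version 1 with aes-ccm only, TKIP blocking N data rates, and an SSID that is defined but never bound, as in the test configuration). Assumptions: the input keeps `show running-config` indentation, a per-VLAN `encryption vlan N mode ciphers` line is what applies to an SSID in that VLAN, and the finding names are invented for this example.

```python
import re

# Constructed sample: the poster's SSID with VLAN 998 switched to aes-ccm only,
# plus an SSID that is defined but never bound to a radio.
SAMPLE = """\
dot11 ssid ExampleSSID
   vlan 998
   authentication key-management wpa version 1
dot11 ssid TEST
   authentication key-management wpa version 1
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 encryption vlan 998 mode ciphers aes-ccm
 ssid ExampleSSID
"""

def audit(config):
    """Return (ssid, finding) pairs; assumes show-run style indentation."""
    ssids, ciphers, attached, section = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            section = None  # an unindented line opens a new section
            if m := re.match(r"dot11 ssid (\S+)$", line):
                section = ("ssid", m.group(1))
                ssids[m.group(1)] = {"vlan": None, "wpa": None}
            elif line.lower().startswith("interface dot11radio"):
                section = ("radio", line)
        elif section and section[0] == "ssid":
            if m := re.match(r"vlan (\d+)$", line):
                ssids[section[1]]["vlan"] = m.group(1)
            elif m := re.match(r"authentication key-management wpa version (\d)", line):
                ssids[section[1]]["wpa"] = m.group(1)
        elif section and section[0] == "radio":
            if m := re.match(r"encryption (?:vlan (\d+) )?mode ciphers (.+)$", line):
                ciphers[(section[1], m.group(1))] = set(m.group(2).split())
            elif m := re.match(r"ssid (\S+)$", line):
                attached.append((section[1], m.group(1)))
    findings = []
    for radio, name in attached:
        ssid = ssids.get(name, {"vlan": None, "wpa": None})
        used = ciphers.get((radio, ssid["vlan"]), set())  # assumed: VLAN entry applies
        if ssid["wpa"] == "1" and used == {"aes-ccm"}:
            findings.append((name, "wpa1-with-aes-ccm-only"))  # pairing the AP rejected
        if "tkip" in used:
            findings.append((name, "tkip-blocks-11n-rates"))  # per the reply in the thread
    bound = {name for _, name in attached}
    return findings + [(n, "not-bound-to-radio") for n in ssids if n not in bound]
```

Running `audit()` on a saved configuration before pasting it into the AP shows which SSID and VLAN pairing would hit the error, and which SSIDs would never be evaluated because no radio references them.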
