New Member

WPA and WPA2 - both using TKIP and AES??

Hi all. My understanding is the following:

TKIP + 802.1x = WPA(1)

CCMP(AES) + 802.1x = WPA2

However, I notice on the Cisco WLCs that you can configure;

WPA with TKIP and/or AES (by default TKIP is enabled)

WPA2 with TKIP and/or AES (by default AES is enabled)

My questions;

  1. Why would you use WPA2 with TKIP *AND* AES?
  2. Why would you use WPA and WPA2 with both using TKIP *AND* AES?

Thanks in advance for the clarifications

Darren

34 REPLIES

WPA and WPA2 - both using TKIP and AES??

Hi Darren,

Your understanding is partially correct for WPA and WPA2.

WPA supports TKIP (RC4). However, although not common, some later WPA-certified cards support AES. (I've never seen this in practice in my life though, but others may have faced it.)

WPA2 supports CCMP(AES). However, TKIP is still supported for backward compatibility.

If one enables WPA2 with both TKIP and AES on an access point, this means that the client can connect using either TKIP or AES.

Also, WPA1/WPA2 do not only work with 802.1x. PSK is also supported, where you configure a passphrase if you don't have a RADIUS server.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

WPA and WPA2 - both using TKIP and AES??

Hi there, thanks for the reply.

Regarding the comment below, I just checked my Windows 7 wireless supplicant and it supports TKIP or AES for all WPA types: WPA-PSK, WPA2-PSK, WPA-Enterprise and WPA2-Enterprise.

"WPA supports TKIP(RC4). However, although not common, some later WPA certified cards support AES. (I've never seen this in practice in my life though. but others may faced it)."

I understand TKIP and AES as concepts. But what makes WPA-TKIP different from WPA2-TKIP? Same with AES: what makes WPA-AES different from WPA2-AES? Does the WPA2 version introduce additional features (MIC, extended key size, etc.) that WPA doesn't?

Be keen to hear more thoughts.

Darren

Re: WPA and WPA2 - both using TKIP and AES??

Darren:


WPA2-TKIP and WPA-TKIP are the same. WPA2 maintains support for TKIP for backward compatibility.

WPA-TKIP is normal. What, I think, is strange to see is WPA-AES, because at the time of WPA there was no AES.

I am not aware of any special difference between the two. Devices that support WPA-TKIP, though, do not support AES because of hardware limitations.

I think before 802.11i was fully ratified and agreed on, there were vendors providing WPA chipsets that support AES. Those need not necessarily be fully compatible with ratified 802.11i (WPA2), but they still support AES as encryption.

I will be also happy to hear from others about what they think.

Amjad

Rating useful replies is more useful than saying "Thank you"

Re: WPA and WPA2 - both using TKIP and AES??

BTW, with your Windows supplicant you will be using a WPA2-certified client adapter.

What I have never seen is a WPA client that is AES capable, i.e. an AES-capable client that was made before the AES standard was formally agreed on.

Rating useful replies is more useful than saying "Thank you"
New Member

WPA and WPA2 - both using TKIP and AES??

OK, so there is NO difference between WPA-TKIP and WPA2-TKIP. That is what you said, so I wonder why Cisco lets you configure both independently on the wireless controllers?

I agree with WPA-AES - what is that all about?

You can also configure on Windows 7.....

Very confusing....

WPA and WPA2 - both using TKIP and AES??

Very confusing: Yes it is. I agree.

But you can consider it the normal situation, which is the default on most devices:

WPA2 - AES.

WPA - TKIP.

This is by default.

Now, WPA2-TKIP: this can be used if your client does not support AES while you want other AES-capable clients to connect to the same SSID. So you enable WPA2 with both AES and TKIP.

For WPA, if you use TKIP that is normal. If you use WPA-AES then this is for devices that supported AES before WPA2 was ratified (it may work with the ratified version though).

If a WPA vendor (AP) used AES, you can configure your client to use WPA-AES.

You know what? I think it will work if you try to connect a client configured for WPA-AES to a WLAN configured for WPA2-AES (not WPA-AES).
I can't give it a try in production. But I may try it later.

You try it if you have a test AP and let us know.

Rating useful replies is more useful than saying "Thank you"

WPA and WPA2 - both using TKIP and AES??

I had the chance to try it now on a Cisco WLC.

WPA2-AES SSID and WPA-AES client - Does not work.

WPA-AES SSID and WPA2-AES client - Does not work.

:-/

Rating useful replies is more useful than saying "Thank you"
New Member

WPA and WPA2 - both using TKIP and AES??

Thanks for testing, I guess that proves that there IS a difference between WPA-AES and WPA2-AES. There must be some fields that are different in some way... So, can you test if a client in WPA-TKIP can connect to a WPA2-TKIP SSID? This will prove the backward compatibility of TKIP that you mentioned before...

Thanks for the collaboration so far :-)

WPA and WPA2 - both using TKIP and AES??

Yes, you are correct.
I brought the correct answer to you after collecting a wireless sniffer capture.

For WPA2, there is a field in the 802.11 packet that is called the RSN information element. This is not available in WPA.

So, if your clients are old (before WPA2) but they can use AES, you need to use WPA-AES with them, because if you use WPA2-AES they will fail to connect because of the RSN information in the packet that they do not understand.

Wireless Beacon Packet that uses WPA-AES:

Wireless Beacon Packet for a WLAN that is using WPA2-AES:

To answer why Windows 7 has the ability to connect to WPA-AES: this is for the case where the vendor (the AP) supports only WPA (not WPA2) and also supports AES.

I hope this answers the question.

Amjad

Rating useful replies is more useful than saying "Thank you"
Hall of Fame Super Silver

Re: WPA and WPA2 - both using TKIP and AES??

Just to add my 2 cents, I never would set up a WLAN for both at the same time. So for basics... You have devices like Windows 7 that you can configure a profile for using various methods (WPA-AES, WPA-TKIP, etc.). Sometimes that does work, but here is the catch. Some clients give you only the option to choose WPA-PSK, which means WPA-TKIP; WPA-Enterprise, which means WPA-802.1x; WPA2-PSK, which is WPA2-AES; and WPA2-Enterprise, which is WPA2-802.1x. So you see what the default encryption method is and why it doesn't work all the time when you mix it up.

Also, many devices don't like it when you have both WPA-TKIP and WPA2-AES configured in a WLAN. This I know from being in the field.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

Re: WPA and WPA2 - both using TKIP and AES??

Scott couldn't be more right. In fact, older and some newer clients freak out when they see more than 1 RSN element. Other devices, like the Cisco Wi-Fi phones, will actually pick the more secure security setting when more than 1 RSN is offered.

I just had a situation where we upgraded a network and allowed WPA/TKIP and WPA2/AES Enterprise on an SSID. The Silex bridges refused to associate and only would when 1 RSN was offered, while all the other devices worked fine.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Re: WPA and WPA2 - both using TKIP and AES??

+5 Scott!

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Cisco Employee

WPA and WPA2 - both using TKIP and AES??

Only WPA-TKIP and WPA2-AES are tested and certified as part of Wi-Fi certification. Enabling both modes is not tested either.

Enabling both WPA-TKIP and WPA2-AES should be avoided on the infrastructure device when there are decrypt issues, because some clients can't do well in mixed mode (which is not a standard). However, it works well with specific vendor infrastructure and their own clients, e.g. Cisco phones on a Cisco WLC, or Motorola handhelds with their controllers, since this combination is tested in their respective labs.

Enabling all possible WPA and WPA2 options on a WLAN would burden the CPU of the AP, which has to encrypt and decrypt each of them specifically, and it should be avoided in high-density deployments.

New Member

WPA and WPA2 - both using TKIP and AES??

Thanks guys for the comments.

I have always left WPA-TKIP and WPA2-AES enabled as per the defaults. I asked this question more out of curiosity.

As per the excellent work by Amjad, WPA2 includes the RSN information element. Therefore the difference between WPA-AES and WPA2-AES is the content of the RSN information element. I will have to read the 802.11i standard to understand the value that this gives us...

Thanks for the comments guys.

Hall of Fame Super Gold

WPA and WPA2 - both using TKIP and AES??

Also, many devices don't like when you have both WPA-TKIP and WPA2-AES configured in a WLAN. 

Like iDevices.

WPA and WPA2 - both using TKIP and AES??

One thing that I found about the IE:

On the WLC CLI, when I want to see the WLAN configuration (show wlan), I can see the following:

   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Disabled
      WPA2 (RSN IE).............................. Disabled

Cisco writes explicitly that with WPA the SSN IE is used, while the RSN IE is used with WPA2 with either AES or TKIP.

Rating useful replies is more useful than saying "Thank you"
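To make the SSN IE / RSN IE distinction concrete (the sniffer comparison earlier in the thread and the show wlan output just above), here is an added example. It is my own code, not a capture or code from this thread or from Cisco. It builds the tagged-parameter section of three beacons, WPA-AES, WPA2-AES and mixed WPA-TKIP + WPA2-AES, and parses whichever security elements are present. The beacon bytes and the SSID "corp" are constructed; the element IDs, OUIs and suite-selector numbers are those of IEEE 802.11-2007 (RSN, element 48, OUI 00:0F:AC) and the WPA specification (vendor-specific element 221, OUI 00:50:F2 type 1). It also shows why a controller with both WPA and WPA2 enabled advertises two elements, which is what the "more than 1 RSN" remarks earlier in the thread refer to.

```python
"""Parse the WPA vendor-specific IE ("SSN IE", element 221, OUI 00:50:F2 type 1)
and the RSN IE (element 48) from the tagged parameters of an 802.11 beacon.

Added example, not code or captures from the thread. All beacon bytes
below are constructed for illustration."""
import struct

EID_RSN = 48        # IEEE 802.11-2007 Table 7-26
EID_VENDOR = 221
OUI_WPA = bytes.fromhex("0050f2")   # WPA (pre-802.11i) suite selectors
OUI_RSN = bytes.fromhex("000fac")   # 802.11i / WPA2 suite selectors

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP(AES)", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}
CIPHER_CODES = {v: k for k, v in CIPHER_NAMES.items()}
AKM_CODES = {v: k for k, v in AKM_NAMES.items()}


def _suite(selector, expected_oui, names):
    """Decode a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    oui, kind = selector[:3], selector[3]
    label = names.get(kind, "type %d" % kind)
    if oui != expected_oui:               # e.g. a WPA IE carrying 00:0F:AC suites
        label += " (OUI %s)" % oui.hex()
    return label


def _parse_suites(body, off, oui):
    """Version, group cipher, pairwise list, AKM list: the layout both IEs share."""
    version, = struct.unpack_from("<H", body, off); off += 2
    group = _suite(body[off:off + 4], oui, CIPHER_NAMES); off += 4
    n, = struct.unpack_from("<H", body, off); off += 2
    pairwise = [_suite(body[off + 4 * i:off + 4 * i + 4], oui, CIPHER_NAMES) for i in range(n)]
    off += 4 * n
    n, = struct.unpack_from("<H", body, off); off += 2
    akm = [_suite(body[off + 4 * i:off + 4 * i + 4], oui, AKM_NAMES) for i in range(n)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def parse_security_ies(tagged):
    """Walk the element TLVs; return {'WPA': ..., 'RSN': ...} for those present."""
    found, off = {}, 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        body = tagged[off + 2:off + 2 + length]
        if len(body) != length:
            raise ValueError("truncated element %d" % eid)
        off += 2 + length
        if eid == EID_RSN:
            found["RSN"] = _parse_suites(body, 0, OUI_RSN)
        elif eid == EID_VENDOR and body[:4] == OUI_WPA + b"\x01":
            found["WPA"] = _parse_suites(body, 4, OUI_WPA)
    return found


def build_security_ie(kind, group, pairwise, akm):
    """Construct a WPA ('WPA') or RSN ('RSN') element for the sample beacons."""
    oui = OUI_WPA if kind == "WPA" else OUI_RSN
    body = struct.pack("<H", 1) + oui + bytes([CIPHER_CODES[group]])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([CIPHER_CODES[c]]) for c in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(oui + bytes([AKM_CODES[a]]) for a in akm)
    if kind == "WPA":
        return bytes([EID_VENDOR, len(body) + 4]) + OUI_WPA + b"\x01" + body
    body += struct.pack("<H", 0)          # RSN Capabilities field
    return bytes([EID_RSN, len(body)]) + body


# Constructed sample beacons (tagged parameters only; SSID "corp" is made up).
SSID_IE = bytes([0, 4]) + b"corp"
BEACON_WPA_AES = SSID_IE + build_security_ie("WPA", "CCMP(AES)", ["CCMP(AES)"], ["802.1X"])
BEACON_WPA2_AES = SSID_IE + build_security_ie("RSN", "CCMP(AES)", ["CCMP(AES)"], ["802.1X"])
# Mixed WPA-TKIP + WPA2-AES on one SSID: two elements, and the group (broadcast)
# cipher must be TKIP in both so that every client can decrypt multicast.
BEACON_MIXED = (SSID_IE
                + build_security_ie("WPA", "TKIP", ["TKIP"], ["802.1X"])
                + build_security_ie("RSN", "TKIP", ["CCMP(AES)"], ["802.1X"]))

if __name__ == "__main__":
    for name, beacon in [("WPA-AES", BEACON_WPA_AES), ("WPA2-AES", BEACON_WPA2_AES), ("mixed", BEACON_MIXED)]:
        print(name, parse_security_ies(beacon))
```

The WPA-AES beacon carries CCMP only inside the vendor-specific element with 00:50:F2 selectors, while the WPA2-AES beacon carries it in the RSN element with 00:0F:AC selectors, so a client that only knows one of the two formats will not see a cipher it can use. Note the group cipher in the mixed beacon: with TKIP enabled anywhere on the SSID, broadcast and multicast traffic is TKIP-protected for every client, including the AES-capable ones.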
Hall of Fame Super Silver

Re: WPA and WPA2 - both using TKIP and AES??

Here is a good read

https://learningnetwork.cisco.com/thread/4143

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

WPA and WPA2 - both using TKIP and AES??

Hi all. I have re-read the comments in the post and looked at the links provided, all of which have been very useful. We know that the packet structure of WPA differs from WPA2 in the RSN information element.

I have also done private research on this using Cisco books and the internet. I have deduced a conclusion. I have not read anything that explicitly backs up my theory, but it makes sense to me.

I'd be very interested to hear your comments, guys. TKIP translates to WPA(1) and CCMP translates to WPA2 for the purposes of this post.

TKIP itself (putting PSK and 802.1x to one side for simplicity) is a method of creating a 'secure' WEP seed. I think most of us will agree with this. In addition, it offers more security features (a hash, etc.). So, TKIP has a mechanism to create a secure WEP seed AND has a new packet format. What do we do with this WEP seed? By default, the secure WEP seed is fed into the RC4 algorithm to generate the encryption key which is used to encrypt the user data. This encrypted data is then inserted into the TKIP packet.

BUT, if the AES algorithm was selected then I believe that the secure WEP seed would be fed into the AES algorithm to generate the key which is used to encrypt the user data. In other words, with TKIP the actual encryption can be either RC4 (the default) or AES - hence the options available on the controller......

Similarly, CCMP is the overall framework with its own frame format. The encryption algorithm that you decide to use is up to you - either AES or RC4. Obviously, the way the encryption key is generated follows the CCMP protocol, but once you have this key I believe you can then use AES or RC4 to actually create the cipher text (encrypted data) and insert this into the CCMP packet.

If my theory above is correct, I believe the WLAN controller GUI is not accurate. It should be as per the attached screenshot;

I'm tempted to open a TAC case on this for the official low-down.....

Hall of Fame Super Silver

Re: WPA and WPA2 - both using TKIP and AES??

dazza,

Try to look at it also from other vendors. Most, if not all, specify WPA-TKIP or WPA2-AES. I don't think personally there is anything wrong, it's just the way it has been for a long time :) Here is a thread with Eric N from TAC, explaining the difference between WPA and WPA2.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***
New Member

WPA and WPA2 - both using TKIP and AES??

Hi Scott. When the other vendors specify WPA/TKIP and WPA2/AES, is that simply because they only support the defaults (WPA with RC4 and WPA2 with AES)? Maybe they don't support WPA with AES, for example, or WPA2 with RC4 like Cisco does?

Hall of Fame Super Silver

Re: WPA and WPA2 - both using TKIP and AES??

Well the thing is, there are vendors like Microsoft and some handheld devices that give you all the options. Now most of the time it's the OS that allows you to specify it, but who knows what the actual wireless card can do. I understand what you are saying, but just imagine if they were to change that... Soooo many people would get confused :). At least you have an understanding of both.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

WPA and WPA2 - both using TKIP and AES??

Little confused by the term "WEP seed". But it's funny you mention this because I would tend to agree with you on a few items.

Lets get back to basics.

WPA and WPA2 as far as the process goes are identical. The 802.11-2007 standard tells us that WPA2 should use AES or TKIP. Both are considered RSN. Although, most sniffers will not show the RSN element when TKIP is used.

The Wi-Fi Alliance implemented WPA TKIP because WEP was broken, hence why you see WPA in devices today. At that time devices (chips) couldn't handle AES.

TKIP and CCMP are both protocols that encrypt data. The algorithms they use are TKIP (RC4) and CCMP (AES). RC4 is a stream cipher and AES is a block cipher.

Folks normally don't get this deep. Are you studying for something?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

WPA and WPA2 - both using TKIP and AES??

Hi George. The 'WEP seed' is the term used in the Cisco book I'm using that talks about TKIP. In WEP, the WEP seed was created using the IV (24-bit) + WEP key (40-bit or 104-bit), which was then fed into RC4 to generate the encryption key. In TKIP, a much more convoluted process is used to generate the resultant 128-bit WEP seed, which is then fed into the RC4 process...

I agree with the back-to-basics sentences you write. I'm just trying to get a handle on how AES fits in with WPA and TKIP with WPA2... If using WPA with AES and WPA2 with AES, what is the difference? Packet structure? Generation of the encryption key?

I'm really interested in Cisco wireless security, hence why I am being so anal about this query. I have opened a TAC case because a customer enquired about this recently. I will let you know the result!

Re: WPA and WPA2 - both using TKIP and AES??

What book are you reading, the 802.11 Wireless Security book from 2004?

"I agree with the back-to-basics sentences you write. I'm just trying to get a handle on how AES fits in with WPA and TKIP with WPA2... If using WPA with AES and WPA2 with AES, what is the difference? Packet structure? Generation of the encryption key?"


WPA and WPA2 are identical for all intents and purposes. No one has or could point out to me the difference.

The standard (which means what vendors should follow, but sometimes don't) states WPA2 AES, but TKIP (optional). Both are RSN.

Let me further add, why are AES and TKIP RSN? It's because they share mutual authentication (the 4-way handshake).

You ever read the CWSP?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
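On the "generation of the encryption key" question raised a few posts up: in 802.11i the PSK-to-PMK step and the four-way-handshake PTK derivation are the same whether the beacon carried a WPA element or an RSN element; what changes with the pairwise cipher is how much key material the PRF is asked for, 512 bits for TKIP (to include the two Michael MIC keys) versus 384 bits for CCMP. The added example below is my own code, not from this thread or from Cisco. It implements PBKDF2 to obtain the PMK and the 802.11i PRF to expand it into the PTK, then splits the result for each cipher. The MAC addresses and nonces are constructed; the passphrase "password" with SSID "IEEE" is the PBKDF2 test vector published in IEEE 802.11i Annex H.4. The temporal key (TK) then goes to whichever cipher the pairwise suite selected, RC4 with per-packet key mixing for TKIP or AES-CCM for CCMP; the two are not interchangeable.

```python
"""PSK -> PMK -> PTK derivation of the 802.11i four-way handshake.

Added example, not code from the thread. Addresses and nonces are
constructed; "password"/"IEEE" is the PBKDF2 test vector in IEEE
802.11i Annex H.4."""
import hashlib
import hmac

# PTK length depends on the pairwise cipher, not on WPA vs WPA2:
# TKIP needs two extra 64-bit Michael MIC keys on top of KCK/KEK/TK.
PTK_BITS = {"TKIP": 512, "CCMP": 384}


def pmk_from_psk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbits):
    """PRF-n (802.11i 8.5.1.1): concatenate HMAC-SHA1(K, A || 0x00 || B || i)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher):
    """PTK = PRF-X(PMK, "Pairwise key expansion",
                   min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    The min/max ordering lets both sides derive the same key regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, PTK_BITS[cipher])


def split_ptk(ptk, cipher):
    """KCK (EAPOL MIC), KEK (key wrap), TK (data), plus Michael keys for TKIP."""
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":
        keys["MIC_AP_TX"] = ptk[48:56]    # authenticator -> supplicant frames
        keys["MIC_STA_TX"] = ptk[56:64]   # supplicant -> authenticator frames
    return keys


def demo():
    """Derive keys for one constructed handshake under both ciphers."""
    pmk = pmk_from_psk("password", "IEEE")
    aa = bytes.fromhex("001122334455")         # constructed AP address
    spa = bytes.fromhex("66778899aabb")        # constructed station address
    anonce = bytes(range(32))                  # constructed nonces
    snonce = bytes(range(32, 64))
    return {c: split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce, c), c)
            for c in PTK_BITS}


if __name__ == "__main__":
    for cipher, keys in demo().items():
        print(cipher, {k: v.hex() for k, v in keys.items()})
```

Because the PRF output is a prefix-consistent stream, the KCK, KEK and TK come out identical for TKIP and CCMP given the same PMK, addresses and nonces; TKIP simply asks for 16 more bytes. This is also why a PSK network's security rests entirely on the passphrase: anyone who captures the four-way handshake has AA, SPA, ANonce and SNonce and can run exactly this derivation offline for each candidate passphrase, checking the KCK against the EAPOL MIC.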

Re: WPA and WPA2 - both using TKIP and AES??

BTW ---

I do the same. If I read something and it doesn't make sense and we have SmartNet - TAC case.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

WPA and WPA2 - both using TKIP and AES??

George Stefanick wrote:

WPA and WPA2 as far as the process goes are identical. The 802.11-2007 standard tells us that WPA2 should use AES or TKIP. Both are considered RSN. Although, most sniffers will not show the RSN element when TKIP is used.

George:

When using WPA2-TKIP, the RSN element is there:

When using WPA with either AES or TKIP, no RSN IE appears.

Rating useful replies is more useful than saying "Thank you"

Re: WPA and WPA2 - both using TKIP and AES??

Amjad

How are ya buddy? My point is that not all sniffers will state that. It looks like the one you are using does.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Re: WPA and WPA2 - both using TKIP and AES??

Hey George, I am doing great. What about you?

I got your idea. Thanks for the explanation.

BTW, I sent you a private message two days ago, have you seen it?

Rating useful replies is more useful than saying "Thank you"

WPA and WPA2 - both using TKIP and AES??

Amjad - Sorry I didn't see your post till now. I responded...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin