WPA and WPA2 mixed environment

john.wright
Level 3

I have about 30 or so autonomous APs installed on our campus. Half are 1141n and half are 1231 with radios that cannot do wpa2. Right now we are running ciphers tkip and authentication wpa on all units.

I would like to change ciphers to aes-ccm on all units and change to wpa2 on the 1141n units but retain wpa on the older 1131's because they are not capable of wpa2.

Will clients be able to roam seamlessly around the campus without having to manually re-associate whenever they move from a 1141n unit to a 1231 unit, given the proposed change listed above?


tfraij
Cisco Employee

Hello John,

For clients to be able to roam seamlessly, it is a must to have the same settings on the SSID and the same encryption under the radio.

If these settings differ according to AP model, then roaming will break and the client will re-associate.

Kind regards

Talal


Thanks for the answer.

I used the wording "roam seamlessly" but what I am really concerned about is the ability to re-associate without the user having to manually select something on the device/laptop. Our users are used to just walking around the campus with their laptops to another building and re-associating without any intervention on their laptops.

Would they re-associate without having to select something?

Hello John,

I would say this will differ based on the client software itself.

However, I see you are concerned, as some old APs will not have WPA version 2 commands under the SSID.

Can you please check on one of these old APs, under the radio:

conf t
interface dot11radio X
encryption mode ciphers aes-ccm (is this command available?)

If yes, I believe it should be fine if you do WPAv2-AES on the 1140, and the 1230 with AES encryption.

Kind regards

Talal

Here is the config from the older 1231 unit.

interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 103 mode ciphers aes-ccm

Hello John,

As you have AES encryption on the 1230, it would work fine.

Because with old APs we were doing WPA1 or 2 based on encryption:

if TKIP selected ->> WPA1

if AES ->> WPA2

while the WPA version 2 command was not available at the SSID level.

In summary, it would work fine ;o)

Kind regards

Talal

Talal,

+5 you are right on target with your responses.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

thanks George :-)
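
The following is an added example, not part of the thread or of Cisco's tooling: a small audit that parses the `encryption [vlan N] mode ciphers ...` lines shown in the 1231 config above and reports any radio/VLAN where APs disagree, since the replies state that differing encryption settings between AP models break roaming. The AP names and sample configs are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample configs (not the thread's devices), in the
# "encryption [vlan N] mode ciphers ..." syntax shown in the 1231 config.
SAMPLE_CONFIGS = {
    "ap-1141-a": "interface Dot11Radio0\n"
                 " encryption mode ciphers aes-ccm\n"
                 " encryption vlan 103 mode ciphers aes-ccm\n",
    "ap-1231-b": "interface Dot11Radio0\n"
                 " encryption mode ciphers aes-ccm\n"
                 " encryption vlan 103 mode ciphers tkip\n",
}

IFACE_RE = re.compile(r"^\s*interface\s+(\S+)", re.I)
CIPHER_RE = re.compile(
    r"^\s*encryption(?:\s+vlan\s+(\d+))?\s+mode\s+ciphers\s+(\S.*?)\s*$", re.I)

def radio_ciphers(config):
    """Map (radio, vlan or None) -> frozenset of ciphers for one AP config."""
    found, iface = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)  # track which interface block we are in
            continue
        m = CIPHER_RE.match(line)
        if m and iface and iface.lower().startswith("dot11radio"):
            vlan = int(m.group(1)) if m.group(1) else None
            found[(iface, vlan)] = frozenset(m.group(2).lower().split())
    return found

def cipher_mismatches(configs):
    """Return {(radio, vlan): {ap: ciphers}} for every key where APs differ.
    An AP with no matching line is reported with an empty set."""
    per_key = defaultdict(dict)
    for ap, text in configs.items():
        for key, ciphers in radio_ciphers(text).items():
            per_key[key][ap] = ciphers
    mismatches = {}
    for key, by_ap in per_key.items():
        full = {ap: by_ap.get(ap, frozenset()) for ap in configs}
        if len(set(full.values())) > 1:
            mismatches[key] = full
    return mismatches

if __name__ == "__main__":
    for (radio, vlan), by_ap in sorted(cipher_mismatches(SAMPLE_CONFIGS).items(), key=str):
        print(radio, "vlan", vlan, {ap: sorted(c) for ap, c in by_ap.items()})
```

Feed it the saved running-config of each AP keyed by hostname; an empty result means every radio/VLAN cipher line matches across the fleet.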
