Cisco Support Community

New Member

TKIP cipher suite + 128WEP question


Can someone clarify for me how this works in a WPA-PSK scenario:

If I configure WPA key management/authentication with TKIP cipher suite I don't explicitly need to enter a WEP key for encryption. Are the WEP encryption keys derived from the shared PMK?

Interestingly, in the Cisco documentation for configuring cipher suites, it mentions config commands for TKIP alone (like I state above) or TKIP with WEP40 or WEP128, for example:

'encryption vlanX mode ciphers tkip wep128'

How does the addition of the explicit WEP 128 or WEP40 change the setup?



Re: TKIP cipher suite + 128WEP question

To configure Wi-Fi Protected Access (WPA) on a Cisco Access Point (AP) without an authentication server, configure the AP with a pre-shared key (WPA-PSK).

To configure the WPA-PSK, perform these steps using the GUI interface:

In the Encryption Manager window, select cipher TKIP and click Apply.

In the Service Set Identifier (SSID) Manager window, perform these steps:

Create an SSID.

Select Open Authentication.

Set the Key Management to Mandatory.

Check the WPA box.

Enter a WPA-PSK and click Apply.

New Member

Re: TKIP cipher suite + 128WEP question


Thanks, but you missed my point. Maybe I didn't make myself clear. First of all, I need to make config changes using CLI only. Second, I didn't ask how to configure WPA-PSK. Instead I want to understand the resulting AP configuration differences and behaviour between these commands:

'encryption vlanX mode ciphers tkip wep128'

'encryption vlanX mode ciphers tkip'

Specifically about WEP encryption - are the WEP keys dynamically generated if either command is issued, or only the first?

If using the second command, does the TKIP cipher suite derive WEP encryption keys from the PMK?

Hope that's clearer.



Re: TKIP cipher suite + 128WEP question

Hi Simon

I think 'encryption vlanX mode ciphers tkip wep128' is intended for use in 'WPA Migration Mode'.

WPA Migration Mode is an access point setting defined by Cisco that enables both WPA and non-WPA clients to associate to an access point using the same SSID.

In this scenario the Cisco Aironet access point is configured with WPA optional, TKIP+WEP128 or TKIP+WEP40 cipher, and a static WEP key in key slot 2 or 3.

Regarding the 2nd question, I don't think so.

Hope this helps
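
For reference on the key-derivation question in this thread, an added example (not posted by any participant and not Cisco code) of how IEEE 802.11i WPA-PSK produces TKIP key material: the passphrase and SSID give the PMK, and the 4-way handshake expands the PMK into a PTK whose temporal key TKIP mixes into each packet's RC4 key. The function names, MAC addresses and nonces are constructed for illustration; a static WEP key entered in a key slot is separate, configured material and is not produced by this derivation.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_tkip_ptk(pmk: bytes, aa: bytes, spa: bytes,
                    anonce: bytes, snonce: bytes) -> dict:
    """PRF-512 over the sorted MAC addresses and nonces, split into TKIP fields."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "kck": ptk[0:16],        # protects the handshake messages (EAPOL-Key MIC)
        "kek": ptk[16:32],       # encrypts the group key delivered to the client
        "tk": ptk[32:48],        # 128-bit temporal key; TKIP mixes it with the
                                 # transmitter address and sequence counter to
                                 # build a fresh RC4 key for every packet
        "mic_keys": ptk[48:64],  # two 64-bit Michael MIC keys, one per direction
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    pmk = derive_pmk("password", "IEEE")
    ptk = derive_tkip_ptk(pmk,
                          aa=bytes.fromhex("001122334455"),
                          spa=bytes.fromhex("66778899aabb"),
                          anonce=bytes(range(32)),
                          snonce=bytes(range(32, 64)))
    print("PMK:", pmk.hex())
    print("TK :", ptk["tk"].hex())
```

The PMK is the same for every client that knows the passphrase, while the temporal key changes with each association because the nonces are fresh.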