
New Member

WPA with AES, is it vulnerable?

On the 4402 model wireless LAN controller, under the WLANs -> Security -> Layer2, it is possible to select WPA Policy and WPA Encryption "AES".

Does anyone know if this combination is vulnerable to the recent TKIP exploit?

I have WPA Encryption "TKIP" explicitly unchecked, but I thought I read somewhere that TKIP might still be used for backward compatibility. Or that WPA1 with AES might not have been implemented according to the final WPA2 definition.
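The question of whether TKIP is still advertised for backward compatibility can be settled by decoding the WPA and RSN information elements the controller actually sends in its beacons. The following is an added example written for this thread, not code from Cisco or from any poster; the IE byte strings are constructed samples, not a capture from a 4402.

```python
import struct

# Suite selector types for the two security IEs: OUI 00:50:F2 is the WPA (WPA1)
# vendor-specific IE, OUI 00:0F:AC is the IEEE 802.11i RSN (WPA2) IE.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WPA_OUI = b"\x00\x50\xf2"
RSN_OUI = b"\x00\x0f\xac"

def _suite_name(sel, oui, table):
    """Decode a 4-byte suite selector; unknown selectors are reported in hex."""
    if sel[:3] != oui:
        return "vendor:" + sel.hex()
    return table.get(sel[3], "type-%d" % sel[3])

def _parse_suites(body, oui):
    """Parse <group suite><count><pairwise list><count><AKM list> (after the version field)."""
    group = _suite_name(body[0:4], oui, CIPHERS)
    n, = struct.unpack_from("<H", body, 4)
    off = 6
    pairwise = [_suite_name(body[off + 4 * i:off + 4 * i + 4], oui, CIPHERS) for i in range(n)]
    off += 4 * n
    m, = struct.unpack_from("<H", body, off)
    off += 2
    akms = [_suite_name(body[off + 4 * i:off + 4 * i + 4], oui, AKMS) for i in range(m)]
    return {"group": group, "pairwise": pairwise, "akm": akms}

def parse_security_ies(ies):
    """Walk a run of 802.11 IEs (id, len, body) and return the WPA and/or RSN suites found."""
    result, i = {}, 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + length]
        if eid == 0x30:                                    # RSN IE: version(2) then suites
            result["RSN"] = _parse_suites(body[2:], RSN_OUI)
        elif eid == 0xDD and body[:4] == WPA_OUI + b"\x01":  # WPA IE: OUI, type 1, version(2)
            result["WPA"] = _parse_suites(body[6:], WPA_OUI)
        i += 2 + length
    return result

def tkip_advertised(ies):
    """True if TKIP is offered as the group or any pairwise cipher in either IE."""
    return any(s["group"] == "TKIP" or "TKIP" in s["pairwise"] for s in parse_security_ies(ies).values())

# Constructed sample IEs (not captured from a real controller).
# WPA IE, group CCMP, pairwise CCMP, AKM PSK: the "WPA + AES, TKIP unchecked" case.
WPA_AES_ONLY = bytes.fromhex("dd16" "0050f201" "0100" "0050f204" "0100" "0050f204" "0100" "0050f202")
# WPA IE in mixed mode: group TKIP, pairwise CCMP and TKIP, so TKIP-only clients can still join.
WPA_MIXED = bytes.fromhex("dd1a" "0050f201" "0100" "0050f202" "0200" "0050f204" "0050f202" "0100" "0050f202")
# RSN (WPA2) IE, CCMP only, AKM PSK, RSN capabilities 0.
RSN_CCMP = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
```

Feed it the IE bytes from a beacon or probe response of the WLAN in question; if `tkip_advertised` returns True, a TKIP-capable client can still negotiate TKIP regardless of what the checkbox suggests.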


Re: WPA with AES, is it vulnerable?

WPA with AES is still very strong, and not subject to the vulnerabilities of TKIP.

Good Luck


New Member

Re: WPA with AES, is it vulnerable?

Hi Scott,

Thanks for your reply.

I just re-read this from the original Cisco Security Response where it says:

"TKIP is the mandatory cipher suite for the first version of the Wi-Fi Protected Access (WPA) specification and it is an option for the Wi-Fi Protected Access version 2 (WPA2) standard."

Even though we are using WPA(1) where the specification says it is mandatory to include TKIP in the "cipher suite", we are implementing AES and have explicitly disabled TKIP.

I interpret this to mean that we are not vulnerable.



Hall of Fame Super Silver

Re: WPA with AES, is it vulnerable?

WPA/TKIP PSK has been compromised as you know, but setting WPA/AES PSK has not been CRACKED....

The only thing is that some devices do not let you setup wpa/aes. I have seen devices that allow you to only either set wpa or the aes. When wpa is the only option, then tkip is automatically set. When TKIP/AES is the only option and you choose AES, then WPA2 is default.

*** Please rate helpful posts ***
New Member

Re: WPA with AES, is it vulnerable?

Even though TKIP is vulnerable, the attacks are dictionary-based. If you use a 63-character random string it is still highly unlikely that your TKIP network will be cracked. It's more likely that someone will steal the key via physical means...
