Actually, in order to be WPA compliant, a client needs to support TKIP. Although it may support AES as well, that is not part of the certification process. And, since AES can be used in different modes of operation, there is no guarantee of interoperability between WPA/AES access points and clients. In practice, almost all clients would use CCMP/AES, so they may work.

For WPA2, it must support CCMP/AES, though it can also support TKIP. Otherwise, they cannot be certified, as they do not conform to the 802.11i specification. Remember that WPA and WPA2 are not standards. They are interoperability certifications by the WiFi Alliance based on either the 802.11i working group pre-standard information (in the case of WPA) or based on the 802.11i standard (for WPA2). For WPA2, the interoperability is tested for the mandatory elements of the standard.

Related to this, WMM (Wi-Fi Multimedia) is the Wi-Fi Alliance certification for interoperability of a subset of the 802.11e specification (related to QoS). The WMM Power Save certification is based on other parts of the 802.11e specification (for, obviously, power saving mechanisms).

I hope that clarifies some things.

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert
[email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
Sent: Monday, January 24, 2011 5:38 AM
To: [email protected]
Subject: Re: [CCIE Wireless] authentication key-management wpa verses wpa version 2

Hi Kara,

The thing about WPA and WPA2 is usually simple. WPA is TKIP and WPA2 is AES. However, some supplicants have funny ways of supporting WPA. For example, some may support WPA2 but only with TKIP, and some WPA with AES! So the options we have to configure are partly to support those scenarios.

But bear this in mind. The LAB blueprint states 12.3.8ja for the autonomous, and you can't configure version 2 under the dot11 ssid in that code. So when you are asked for either WPA or WPA2, under the dot11 SSID config, always* use authentication key-management wpa. But under the dot11radio X interface you should differ with encryption mode ciphers aes-ccm for AES (WPA2) or encryption mode cipher tkip for TKIP (WPA).

* authentication key-management cckm (Cisco Centralized Key Management) could also be used under the SSID. This is when you want to support fast-secure roaming for clients enabled for it, such as IP phones. Usually this would have WDS set up as well if you were in Autonomous mode.

In WLC the options of WPA and WPA2 look a lot clearer, and you have the option there to enable WPA with AES encryption just like above. In cases of CCKM the WLC handles the fast-secure roaming caching, so no need for extra configuration like WDS in Autonomous.

regards,
Kristjan

------------------------------

Message: 2
Date: Sun, 23 Jan 2011 18:06:21 -0800
From: "Kara Muessig (kmuessig)" <[email protected]>
To: <[email protected]>
Subject: [CCIE Wireless] authentication key-management wpa verses wpa version 2
Message-ID: <26b4af8f83778445bc4309d72860457a0d7ca...@xmb-sjc-21d.amer.cisco.com>
Content-Type: text/plain; charset="us-ascii"

Hi all,

When a question states that you should use WPA2 for authentication, is there any reason why you wouldn't configure WPA version 2 versus just WPA on the authentication key-management underneath the SSID? I realize that the encryption aes assumes that you are using wpa2...

Thanks,
Kara Muessig
CONSULTING SYSTEMS ENGINEER.SALES
Wireless South Team
[email protected] <mailto:[email protected]>
Phone: 512-791-2870
Cisco.com <http://www.cisco.com>

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
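As an added illustration of the autonomous-AP approach Kristján describes above (this is not configuration from the thread itself), a minimal IOS fragment for the two cases: both SSIDs keep authentication key-management wpa, and the cipher suite set on the radio interface is what decides WPA/TKIP versus WPA2/AES-CCM. The SSID names, the use of a pre-shared key, the radio-to-SSID assignment and the placeholder passphrase are assumptions; the two SSIDs sit on separate radios because the cipher setting applies to the radio (or to a VLAN on it), not to the SSID.

```cisco
! WPA (TKIP) SSID - assumed name and PSK; replace the placeholder passphrase
dot11 ssid LAB-WPA-TKIP
   authentication open
   authentication key-management wpa
   wpa-psk ascii <PLACEHOLDER-PASSPHRASE>
!
! WPA2 (AES-CCMP) SSID - same key-management line, since this code
! cannot take "wpa version 2" under dot11 ssid; the cipher decides
dot11 ssid LAB-WPA2-AES
   authentication open
   authentication key-management wpa
   wpa-psk ascii <PLACEHOLDER-PASSPHRASE>
!
! The cipher suite is bound to the radio, so each SSID gets its own radio here
interface Dot11Radio0
   encryption mode ciphers tkip
   ssid LAB-WPA-TKIP
!
interface Dot11Radio1
   encryption mode ciphers aes-ccm
   ssid LAB-WPA2-AES
```

To check which suite a radio actually advertises, compare the encryption line of show running-config interface Dot11Radio0 against Dot11Radio1; the SSID blocks alone will look identical.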
