In my opinion, these sorts of questions that ask you to use 'Best Practices' are what really get us all when we're working in our day jobs on current code and then trying to certify ourselves on code that is several revisions back. Personally, I'm waiting until the lab upgrades the code train before I give it a go.

Scott Pickles, CCNP/CCDA
Systems Engineer
Vantage Point Network Systems

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Monday, January 24, 2011 11:43 PM
To: [email protected]
Subject: CCIE_Wireless Digest, Vol 22, Issue 33

Date: Mon, 24 Jan 2011 23:42:38 -0500
From: "Jason Boyers" <[email protected]>
To: "'Brendon Hwang'" <[email protected]>, "'Chris Jolliffe'" <[email protected]>, <[email protected]>
Subject: Re: [CCIE Wireless] authentication key-management wpa verses wpa version 2

That is a wise answer :)

Related to that, if something isn't working, though you know it should (particularly connectivity between pieces of equipment,) talk with the proctor as soon as possible. Do a bit of troubleshooting first (verify that you didn't miss something,) and then go and explain the situation and the troubleshooting. They'll either say, "Go back and look again," or "Let me take a look." Either way, you have moved along -
either knowing you missed something or there may in fact be something wrong (which there was on one of my lab attempts.)

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert
[email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Brendon Hwang
Sent: Monday, January 24, 2011 8:24 PM
To: Chris Jolliffe; [email protected]
Subject: Re: [CCIE Wireless] authentication key-management wpa verses wpa version 2

I agree. Definitely ask the proctor without assuming anything.

Just my experience. Not technical, but I think important for anyone who sits their lab. Anyone who already knows this can ignore it. ;) I am sure someone already covered this a while ago, if I remember correctly. Please ask me to shut up if this is not a good topic to be added in this thread.

I was so scared to ask any question on the first attempt, I didn't really ask any question. Obviously failed badly. They look so scared to me for some reason. On my second attempt I tried as many as I could. The proctor never gives you direct help, but if you provide some intelligent information regarding the questions you ask, they will provide good comments back as well. The proctor will be frustrated if you ask the same question over and over without asking properly, but it's their job to help you out in some way.

One time I wanted to ask something and I said, "Can I ask a dumb question?" and he replied, "I will give a dumb answer."

What I am trying to say is that you ask him in an intelligent way and he will reply back properly.

For example, a question asks you to configure a strong auth method with the highest standard of encryption. It's very vague. Obviously if you assume it's wpa2 + aes (maybe cckm if it's voice) then you are OK in our world. However, the lab may already have provided you some other info that you possibly missed. Here you ask the proctor. You never ask "what do I do here?" He will laugh. But what if you ask him in a way that lets him know that you know things here? I would ask in this way:

"I have a question here. The question stated to configure blah blah."
"I know wpa2 + cckm with aes is the strongest combination, however this WLAN is for voice and the cisco 7921 does not support this, and this ends up a non-working solution when you mark after the lab session is finished."
"In the best practice, we configure wpa + cckm with TKIP."
"What is the question really asking?"

If you list all the options, the proctor knows that you are on top of this and will give you some good ideas (not answers).

Just a little tip from me.

Regards,
Brendon

From: Chris Jolliffe <[email protected]>
Date: Mon, 24 Jan 2011 17:52:01 +0000
To: <[email protected]>
Subject: Re: [CCIE Wireless] authentication key-management wpa verses wpa version 2

I would ask the proctor :)

_____

Subject: RE: [CCIE Wireless] authentication key-management wpa verses wpa version 2
Date: Mon, 24 Jan 2011 09:43:52 -0800
From: [email protected]
To: [email protected]; [email protected]

Good to know, so if they ask for wpa2 for the phones, do we assume that they don't want roaming - or is that an ask your proctor kind of question?

Thanks,

-Kara

From: [email protected] [mailto:[email protected]] On Behalf Of Chris Jolliffe
Sent: Monday, January 24, 2011 9:17 AM
To: [email protected]
Subject: Re: [CCIE Wireless] authentication key-management wpa verses wpa version 2

Another thing to keep in mind is that if they ask for WPA2 on a Voice ssid be careful because the 7921 doesn't support WPA2 & CCKM (for fast roaming) on the firmware load that they use in the lab.

> Date: Mon, 24 Jan 2011 05:38:14 -0800
> From: [email protected]
> To: [email protected]; [email protected]
> Subject: Re: [CCIE Wireless] authentication key-management wpa verses wpa version 2
>
> Thanks Kristjan,
>
> Looks like being on a slightly different version of code has bit me twice now. Time to downgrade!
>
> Thanks,
>
> -Kara
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
> Sent: Monday, January 24, 2011 4:38 AM
> To: [email protected]
> Subject: Re: [CCIE Wireless] authentication key-management wpa verses wpa version 2
>
> Hi Kara,
>
> The thing about WPA and WPA2 is usually simple. WPA is TKIP and WPA2 is AES.
> However some supplicants have funny ways of supporting WPA. For example some
> may support WPA2 but only with TKIP and some WPA with AES! So the options
> we have to configure are partly to support those scenarios.
>
> But bear this in mind. The LAB blueprint states 12.3.8ja for the autonomous
> and you can't configure version 2 under the dot11 ssid in that code.
> So when you are asked for either WPA or WPA2, under the dot11 SSID config, always* use authentication key-management wpa
> But under the Dot11RadioX interface you should differ with encryption mode ciphers aes-ccm for AES (WPA2) or encryption mode ciphers tkip for TKIP (WPA)
>
> * authentication key-management cckm (Cisco centralized key management) could also be used under the SSID. This is when
> you want to support fast-secure roaming for clients enabled for it, such as IP phones. Usually this would have WDS set up as well
> if you were in Autonomous mode.
>
> In WLC the options of WPA and WPA2 look a lot clearer. And you have the option there
> to enable WPA with AES encryption just like above. In cases of CCKM the WLC handles
> the fast-secure roaming caching, so no need for extra configuration like WDS in Autonomous.
>
> regards.
> Kristjan
>
> ------------------------------
>
> Date: Sun, 23 Jan 2011 18:06:21 -0800
> From: "Kara Muessig (kmuessig)" <[email protected]>
> To: <[email protected]>
> Subject: [CCIE Wireless] authentication key-management wpa verses wpa version 2
>
> Hi all,
>
> When a question states that you should use WPA2 for authentication is
> there any reason why you wouldn't configure WPA version 2 versus just
> WPA on the authentication key-management underneath the SSID? I realize
> that the encryption aes assumes that you are using wpa2...
>
> Thanks,
>
> Kara Muessig
> CONSULTING SYSTEMS ENGINEER.SALES
> Wireless South Team
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
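
Added example, not part of the original thread: a short Python check that reads an autonomous AP configuration of the kind Kristjan describes and reports, per SSID, the key-management setting together with the WPA mode implied by the cipher on the radio it is bound to, using the thread's rule of thumb (aes-ccm for WPA2, tkip for WPA). The sample configuration, the SSID names and the EAP list name are constructed for illustration.

```python
import re
# Constructed sample config (SSID names and the EAP list name are made up).
SAMPLE = """\
dot11 ssid DATA
   authentication open eap eap_methods
   authentication key-management wpa
dot11 ssid VOICE
   authentication network-eap eap_methods
   authentication key-management cckm
dot11 ssid GUEST
   authentication open
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid DATA
interface Dot11Radio1
 encryption mode ciphers tkip
 ssid VOICE
 ssid GUEST
"""

def parse(config):  # -> ({ssid: key_mgmt or None}, {radio: {"ciphers", "ssids"}})
    ssids, radios, kind, name = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # unindented line opens a new section
            m = re.match(r"(dot11|interface) (?:ssid |Dot11Radio)(\S+)$", line)
            kind, name = m.groups() if m else (None, None)
            if kind == "dot11":
                ssids[name] = None  # no key management seen yet
            elif kind:
                radios[name] = {"ciphers": [], "ssids": []}
        elif kind == "dot11" and line.startswith("authentication key-management "):
            ssids[name] = line.split()[2]  # "wpa" or "cckm"
        elif kind == "interface" and line.startswith("encryption mode ciphers "):
            radios[name]["ciphers"] = line.split()[3:]
        elif kind == "interface" and line.startswith("ssid "):
            radios[name]["ssids"].append(line.split()[1])
    return ssids, radios

def audit(config):
    """Per SSID: (key management, mode implied by the radio cipher)."""
    ssids, radios = parse(config)
    modes = {("aes-ccm",): "WPA2/AES", ("tkip",): "WPA/TKIP"}
    out = {}
    for radio in radios.values():
        mode = modes.get(tuple(radio["ciphers"]), "other")
        for ssid in radio["ssids"]:
            km = ssids.get(ssid)  # None means the SSID has no key management
            out[ssid] = (km, mode if km else "none")
    return out
```

Calling `audit(SAMPLE)` reports DATA as WPA2/AES, VOICE as CCKM over WPA/TKIP, and GUEST as having no key management even though its radio has a cipher configured.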
