Hey Alvin, let me try to answer some of this. You can also see this discussion in older posts on this list. But it is good practice to refresh of course, so I don't mind :D
I understand that things can be confusing. Older Cisco documentation says that for Cisco wireless cards, network-eap must be set. This is LEAP and EAP-FAST. Nowadays everybody supports LEAP and EAP-FAST, and EAP-FAST is an open standard, so open auth with EAP is used (open eap). In my mind, speaking of the LAB because it has some old software versions etc. according to the blueprint, for clients everything except LEAP should work on open EAP. And you see, when you configure only network-eap the IOS gives you a warning: if you want to use EAP-FAST you should use open eap.

For the phones there is a firmware question. Probably in the LAB there is an older version of the firmware. At some stage the phone worked with network-eap, and in some versions, probably more recent, they require open eap. I can look that up for you if you like.

For the bridges, you are right. I know that the "caveat" for EAP-FAST to work is that the root and bridge need to enable both network-eap and open eap. Why? Because there is some conversation and it starts with "do you support LEAP?" and it has to be supported before they negotiate EAP-FAST. So look: if the bridge or client should only support LEAP, I would only enable network-eap for the autonomous. Also I would secure the bridge with a dot1x profile where only EAP-FAST is available. (Checking the log on the bridge, which tells you what method was used when successfully authenticating, is very important because it does not show it on the root AP!)

CCKM or WPA is a question of whether you are asked to support fast secure roaming. Phones need that of course. And then there has to be WDS running to make it work. I would take care to use the software versions that they mention in the blueprint, because they mention 12.3.x, and 12.4 for example has many more options.
My strategy is: when they ask for WPA2 or WPA you should always have the key-management as WPA (unless fast secure roaming is required, then you need CCKM). But under the dot11radio encryption you use TKIP for WPA and aes-ccm for WPA2. WPA always means TKIP and WPA2 always means AES in my mind. In 12.4 you can specify if you want WPA2 only, so using this software could be confusing, because those options are not available in 12.3.x code. Older phone software (and I wouldn't be surprised if it was older in the lab): fast secure roaming only works with TKIP. It might work to associate to a single AP and make a call with WPA2/AES, but roaming will fail. I can look up the exact versions of 7921 firmware where this changes. So still key-management CCKM for phones and TKIP for encryption under the dot11radio interface for the phone SSID/VLAN.

In WLC it is more simple, except for the fact that you can mix WPA and TKIP in various ways. For example, use WPA with AES and WPA2 with TKIP. I would follow the same rule there: when asked for WPA use TKIP always and WPA2 use AES always, unless specifically told otherwise.

Hope this answers something. Ping if you need me to dig up the software versions mentioned in older posts.

regards,
Kristjan

Today's Topics:

1. LAB: Network, Open EAP, WPA CCKM ([email protected])

----------------------------------------------------------------------

Message: 1
Date: Fri, 18 Mar 2011 17:46:34 +0800
From: [email protected]
To: "[email protected]" <[email protected]>
Subject: [CCIE Wireless] LAB: Network, Open EAP, WPA CCKM
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"

Hi All,

I understand from readings that there are conditions when both network and open eap are to be offered. When there are legacy Cisco clients and 3rd party clients, usually both EAPs need to be enabled to support various EAP authentication methods.
Also, when a wireless link needs to be established with a secure setup between 2 autonomous APs, you need to enable network and open to allow the APs to be offered LEAP before they choose the more secure configured option (e.g. EAP-FAST). However, since having both EAPs works for every scenario, will I be penalised in the lab if I enable both? Or are there EAP methods that can only work with open eap only? This is sparked from question 3.2 for SSID Test6, which from the DSG, I noticed both EAPs are offered for EAP-FAST while the others only offer open EAP for PEAP. I do notice the CCKM requirement, which may infer that Cisco phones/devices are used by the SSID, hence the need for network LEAP?

Another question regarding the same lab: when AES is offered, a key management must be configured. This can be wpa or cckm. What does the WPA mean? Does it mean mixed WPAv1 and v2, or only v1? In the new IOS for 1252, there is the choice for wpa, wpav1 and wpav2. For the 7921 (1.3.3 for mine), if AES is configured only WPA2 will be used regardless of whether wpa is set as the key management or not. With only CCKM (with or without wpa again), it still uses WPA2 AES without CCKM (since my phone with 1.3.3 doesn't support WPA2 AES + CCKM). However, if TKIP is set, with only cckm setup (with or without wpa actually), the 7921 will work in WPA TKIP + CCKM. This is confusing to me as to whether wpa should be set with cckm into the key management when AES is required in the question.

Alvin B

------------------------------

_______________________________________________
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless

End of CCIE_Wireless Digest, Vol 24, Issue 16
*********************************************
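The following autonomous IOS configuration is an added illustration of the rules Kristjan describes in his reply; it is not from either message in this thread. It puts the three cases side by side on one AP: a phone SSID that offers both network-eap (LEAP) and open eap, with key-management wpa cckm and TKIP under the radio for fast secure roaming; a data SSID that offers open eap only, with key-management wpa and aes-ccm for WPA2; and the supplicant side of a non-root bridge whose dot1x EAP profile permits only EAP-FAST, so that the bridge log, not the root AP, shows the method actually negotiated. The SSID name Test6 is taken from Alvin's question; the VLAN numbers, AAA list and group names, RADIUS address, credentials names and the CHANGEME secrets are constructed placeholders. The key-management syntax shown is the 12.3.x form; on 12.4 code `authentication key-management wpa version 2` additionally exists to force WPA2-only, which Kristjan notes is not available in 12.3.x.

```cisco
! ---- Root AP (autonomous IOS 12.3.x style). Constructed example, not the thread's config. ----
! One RADIUS login list serves both open eap and network-eap; the AP only
! advertises the AKM/auth combinations configured under each SSID.
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key 0 CHANGEME
!
! Phone SSID: LEAP via network-eap plus EAP-FAST/PEAP via open eap.
! CCKM requires WDS to be running; TKIP is used because fast secure
! roaming on the old 7921 firmware only works with TKIP.
dot11 ssid Test6
 vlan 6
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa cckm
!
! Data SSID: WPA2 = AES, so open eap only and key-management wpa.
dot11 ssid Data
 vlan 7
 authentication open eap eap_methods
 authentication key-management wpa
!
! Cipher is chosen per VLAN under the radio, not under the SSID.
interface Dot11Radio0
 encryption vlan 6 mode ciphers tkip
 encryption vlan 7 mode ciphers aes-ccm
 ssid Test6
 ssid Data
!
! Infrastructure authentication so this AP can register with the WDS device
! (the WDS AP itself additionally carries "wlccp wds priority ... interface BVI1"
! and "wlccp authentication-server infrastructure <list>").
wlccp ap username wds-ap password 0 CHANGEME
!
! ---- Non-root bridge supplicant (constructed). Only EAP-FAST is permitted,
! so if the link comes up, "show dot1x" / the bridge log will show fast, never leap. ----
eap profile FAST_ONLY
 method fast
!
dot1x credentials BRIDGE
 username nonroot-bridge
 password 0 CHANGEME
!
dot11 ssid Bridge
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 dot1x credentials BRIDGE
 dot1x eap profile FAST_ONLY
```

The point of keeping both auth types on the bridge SSID while restricting the bridge's own eap profile is exactly Kristjan's caveat: the root still has to answer the initial "do you support LEAP?" exchange, but the bridge will only complete authentication with EAP-FAST, and the method it used is visible on the bridge, not on the root AP.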
