Hi Kirs,

Thanks for the detailed and extended explanation. As the lab questions were somewhat vague and it doesn't necessarily link up in the various sections to explicitly mention that the SSIDs were for use in phone or bridge linking, it doesn't clearly ask for network EAP and/or open EAP. So I take it that if there is any mention of legacy Cisco clients or autonomous bridges in the lab, I will include network EAP. Depending on the final EAP method required, I will also include open EAP (FAST, PEAP or TLS).

Now for the WPA portion. I'm clear about CCKM and its function for roaming, as well as the need for WDS or you'll get error logs. For WPA or WPA2, what you meant is: as long as AES or TKIP is used for the cipher, you would use "wpa" as key management? But in the lab 3.2 DSG, for SSID "Test6" only CCKM is used when the cipher used is AES? I'm getting nit-picking because in my own answer I put in wpa and cckm and it worked.

Alvin B.
Quoting Kristján Ólafur Eðvarðsson <[email protected]>:
Hey Alvin, let me try to answer some of this. You can also see this discussion in older posts on this list. But it is a good practice to refresh of course, so I don't mind :D

I understand that things can be confusing. Older Cisco documentation says that for Cisco wireless cards, network-eap must be set. This is LEAP and EAP-FAST. Nowadays everybody supports LEAP and EAP-FAST, and EAP-FAST is an open standard. So open auth with EAP is used (open eap). In my mind, speaking of the LAB, cause it has some old software versions etc. according to the blueprint.

For clients everything except LEAP should work on open EAP. And you see when you configure only network-eap the IOS gives you a warning: if you want to use EAP-FAST you should use open eap.

For the phones there is a firmware question. Probably in the LAB there is an older version of the firmware. At some stage the phone worked with network-eap, and in some versions, probably more recent, they require open eap. I can look that up for you if you like.

For the bridges, you are right. I know that the "caveat" for EAP-FAST to work is that the root and bridge need to enable both network-eap and open-eap. Why? Cause there is some conversation and it starts with "do you support leap?" and it has to be supported before they negotiate EAP-FAST. So look at whether the bridge or client should only support LEAP; in that case I would only enable network-eap for the autonomous. Also I would secure the Bridge with a dot1x profile where only EAP-FAST is available. (Checking the log on the Bridge tells you what method was used when successfully authenticating; this is very important cause it does not show it on the Root AP!)

CCKM or WPA is a question of whether you are asked to support fast-secure-roaming. Phones need that of course. And then there has to be WDS running to make it work.

I would take care on using the software versions that they mention in the blueprint, cause they mention 12.3.x, and 12.4 for example has many more options. My strategy is when they ask for WPA2 or WPA you should always have the key-management as WPA (unless fast-secure-roaming is required, then you need CCKM). But under dotradio encryption you use TKIP for WPA and aes-ccm for WPA2. WPA always means TKIP and WPA2 always means AES in my mind. In 12.4 you can specify if you want wpa2 only, so using this software could be confusing, cause those options are not available in 12.3.x code.

older phone software. (And I wouldn't be surprised if it was older in the lab.) Fast-secure-roaming only works with TKIP. It might work to associate to a single AP and make a call with WPA2/AES, but roaming will fail. I can look up the exact versions of 7921 firmware where this changes. So still key-management CCKM for phones and TKIP for encryption under the dotradio interface for the phone SSID/VLAN.

In WLC it is more simple, except for the fact that you can mix WPA and TKIP various ways. For example use WPA with AES and WPA2 with TKIP. I would follow the same rule there: when asked for WPA use TKIP always and WPA2 use AES always, unless specifically told otherwise.

Hope this answers something. Ping if you need me to dig up the software versions mentioned in older posts.

regards, Kristjan
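A configuration sketch of the pairing Kristján describes on an autonomous IOS AP, added here as an illustration and not taken from any post in the thread: the phone SSID "Test6" with both network-eap and open eap, CCKM key management over TKIP (which needs WDS), and a second SSID for generic clients with key-management wpa over aes-ccm. The AAA list name `eap_methods`, RADIUS group `rad_eap`, the second SSID name, the VLAN numbers, the server address and the WDS credentials are all assumed placeholders.

```cisco
! Added illustration, not from the thread. List names, VLANs, addresses and
! credentials below are assumed placeholders; replace them with the lab values.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
! Phone SSID: network-eap so a LEAP-only/legacy Cisco client can start, open eap
! for EAP-FAST/PEAP, and CCKM for fast secure roaming. CCKM -> TKIP cipher and a
! WDS registration, otherwise the AP logs the errors mentioned in the thread.
dot11 ssid Test6
 vlan 6
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa cckm
!
! Generic client SSID: WPA2 -> aes-ccm, key-management wpa only, no WDS dependency.
! On 12.4 code "authentication key-management wpa version 2" would restrict this
! to WPA2 only; that keyword does not exist on 12.3.x, so it is left out here.
dot11 ssid Corp
 vlan 20
 authentication open eap eap_methods
 authentication key-management wpa
!
! Cipher per VLAN on the radio: TKIP goes with WPA/CCKM, AES-CCM goes with WPA2.
interface Dot11Radio0
 encryption vlan 6 mode ciphers tkip
 encryption vlan 20 mode ciphers aes-ccm
 ssid Test6
 ssid Corp
!
! Register this AP with the WDS AP so CCKM key caching actually works.
wlccp ap username wds-user password 0 WDS-SECRET-PLACEHOLDER
```

On the phone SSID, "show dot11 associations" shows which key-management and cipher a 7921 actually negotiated, which is how the WPA-vs-CCKM behaviour Alvin observed can be confirmed per firmware version.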
Date: Fri, 18 Mar 2011 17:46:34 +0800
From: [email protected]
To: "[email protected]"
<[email protected]>
Subject: [CCIE Wireless] LAB: Network, Open EAP, WPA CCKM
Hi All,

I understand from readings that there are conditions when both network and open EAP are to be offered. When there are legacy Cisco clients and 3rd party clients, usually both EAPs need to be enabled to support various EAP authentication methods. Also, when a wireless link needs to be established with a secure setup between 2 autonomous APs, you need to enable network and open to allow the APs to be offered LEAP before they choose the more secure configured option (eg EAP-FAST). However, since having both EAPs works for every scenario, will I be penalised in the lab if I enable both? Or are there EAP methods that can only work with open EAP only? This is sparked from question 3.2 for SSID Test6 where, from the DSG, I noticed both EAPs are offered for EAP-FAST while the others only offer open EAP for PEAP. I do notice the CCKM requirement which may infer that Cisco phones/devices are used by the SSID, hence the need for network LEAP?

Another question regarding the same lab: when AES is offered, a key management must be configured. This can be wpa or cckm. What does the WPA mean? Does it mean mixed WPAv1 and v2 or only v1? In the new IOS for 1252, there is the choice for wpa, wpav1 and wpav2. For the 7921 (1.3.3 for mine), if AES is configured only WPA2 will be used regardless of whether wpa is set as the key management or not. With only CCKM (with or without wpa again), it still uses WPA2 AES without CCKM (since my phone with 1.3.3 doesn't support WPA2 AES + CCKM). However, if TKIP is set, with only CCKM set up (with or without wpa actually), the 7921 will work in WPA TKIP + CCKM. This is confusing to me as to whether wpa should be set with cckm in the key management when AES is required in the question.

Alvin B
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless
End of CCIE_Wireless Digest, Vol 24, Issue 16