Well, I don't have the IPX workbook mentioned :D Yeah, it is very common to have to spot what is asked for from the wording of the question. And they will probably try to confuse things if possible. So I would be prepared for that.
Yes, that's what I mean. As long as there is encryption without fast-secure-roaming, of course. You should always use key-management wpa (under the SSID in CLI) and then choose the cipher (under the dot11radio interface in CLI), tkip or aes, depending on WPA or WPA2. For CCKM you use that as key-management, of course, under the SSID CLI config. And for the dot11radio cipher you choose aes or tkip depending on the requirements. In most cases for a 7921 it would be TKIP (depending on firmware on the 7921).

regards,
Kristjan

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: 19 March 2011 04:15
To: Kristján Ólafur Eðvarðsson
Cc: [email protected]
Subject: Re: 1. LAB: Network, Open EAP, WPA CCKM

Hi Kris,

Thanks for the detailed and extended explanation. As the lab questions were in some way vague, and it doesn't necessarily link up in the various sections to explicitly mention that the SSIDs were for use in phone or bridge linking, it doesn't clearly ask for network EAP and/or open EAP. So I take it that if there is any mention of legacy Cisco clients or autonomous bridges in the lab, I will include network EAP. Depending on the final EAP method required, I will also include open EAP (FAST or PEAP or TLS).

Now for the WPA portion. I'm clear about CCKM and its function for roaming, as well as the need for WDS or you'll get error logs. For WPA or WPA2, what you meant is: as long as AES or TKIP is used for the cipher, you would use "wpa" as key management? But in the lab 3.2 DSG, for SSID "Test6" only CCKM is used when the cipher used is AES? I'm getting nit-picking because in my own answer I put in wpa and cckm and it worked.

Alvin B.

Quoting Kristján Ólafur Eðvarðsson <[email protected]>:

> Hey Alvin,
>
> Let me try to answer some of this. You can also see this discussion in older posts on this list. But it is good practice to refresh, of course, so I don't mind :D
>
> I understand that things can be confusing. Older Cisco documentation says that for Cisco wireless cards, network-eap must be set. This is LEAP and EAP-FAST. Nowadays everybody supports LEAP and EAP-FAST, and EAP-FAST is an open standard. So open auth with EAP is used (open eap).
>
> In my mind, speaking of the LAB, cause it has some old software versions etc. according to the blueprint:
>
> For clients, everything except LEAP should work on open EAP. And you see, when you configure only network-eap, the IOS gives you a warning: if you want to use EAP-FAST you should use open eap.
>
> For the phones there is a firmware question. Probably in the LAB there is an older version of the firmware. At some stage the phone worked with network-eap, and in some versions, probably more recent, they require open eap. I can look that up for you if you like.
>
> For the bridges, you are right. I know that the "caveat" is that for EAP-FAST to work, the root and bridge need to enable both network-eap and open-eap. Why? Cause there is some conversation, and it starts with "do you support LEAP?", and it has to be supported before they negotiate EAP-FAST. So look for whether the bridge or client should only support LEAP; then I would only enable network-eap for the autonomous. Also I would secure the bridge with a dot1x profile where only EAP-FAST is available. (Checking the log on the bridge tells you what method was used when successfully authenticating; this is very important cause it does not show it on the root AP!)
>
> CCKM or WPA is a question of whether you are asked to support fast-secure-roaming. Phones need that of course. And then there has to be WDS running to make it work.
>
> I would take care in using the software versions that they mention in the blueprint. Cause they mention 12.3.x, and 12.4 for example has many more options.
>
> My strategy is, when they ask for WPA2 or WPA, you should always have the key-management as WPA (unless fast-secure-roaming is required; then you need CCKM). But under dot11radio encryption you use TKIP for WPA and aes-ccm for WPA2. WPA always means TKIP and WPA2 always means AES in my mind. In 12.4 you can specify if you want wpa2 only, so using this software could be confusing, cause those options are not available in 12.3.x code.
>
> Older phone software (and I wouldn't be surprised if it was older in the lab): fast-secure-roaming only works with TKIP. It might work to associate to a single AP and make a call with WPA2/AES, but roaming will fail. I can look up the exact versions of 7921 firmware where this changes. So still key-management CCKM for phones and TKIP for encryption under the dot11radio interface for the phone SSID/VLAN.
>
> In WLC it is more simple, except for the fact that you can mix WPA and TKIP various ways. For example, use WPA with AES and WPA2 with TKIP. I would follow the same rule there: when asked for WPA use TKIP always, and WPA2 use AES always, unless specifically told otherwise.
>
> Hope this answers something. Ping if you need me to dig up the software versions mentioned in older posts.
>
> regards,
> Kristjan
>
> Today's Topics:
>
>    1. LAB: Network, Open EAP, WPA CCKM ([email protected])
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 18 Mar 2011 17:46:34 +0800
> From: [email protected]
> To: "[email protected]" <[email protected]>
> Subject: [CCIE Wireless] LAB: Network, Open EAP, WPA CCKM
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
>
> Hi All,
>
> I understand from readings that there are conditions when both network and open EAP are to be offered. When there are legacy Cisco clients and 3rd-party clients, usually both EAPs need to be enabled to support various EAP authentication methods. Also, when a wireless link needs to be established with a secure setup between 2 autonomous APs, you need to enable network and open to allow the APs to be offered LEAP before they choose the more secure configured option (e.g. EAP-FAST). However, since having both EAPs works for every scenario, will I be penalised in the lab if I enable both? Or are there EAP methods that can only work with open EAP only? This is sparked from question 3.2 for SSID Test6, which, from the DSG, I noticed offers both EAPs for EAP-FAST while the others only offer open EAP for PEAP. I do notice the CCKM requirement, which may infer that Cisco phones/devices are used by the SSID, hence the need for network LEAP?
>
> Another question regarding the same lab: when AES is offered, a key management must be configured. This can be wpa or cckm. What does the WPA mean? Does it mean mixed WPAv1 and v2 or only v1? In the new IOS for 1252, there is the choice for wpa, wpav1 and wpav2. For the 7921 (1.3.3 for mine), if AES is configured only WPA2 will be used regardless of whether wpa is set as the key management or not. With only CCKM (with or without wpa again), it still uses WPA2 AES without CCKM (since my phone with 1.3.3 doesn't support WPA2 AES + CCKM). However, if TKIP is set, with only CCKM set up (with or without wpa actually), the 7921 will work in WPA TKIP + CCKM. This is confusing to me as to whether wpa should be set with cckm into the key management when AES is required in the question.
>
> Alvin B
>
> ------------------------------
>
> _______________________________________________
> CCIE_Wireless mailing list
> [email protected]
> http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless
>
> End of CCIE_Wireless Digest, Vol 24, Issue 16
> *********************************************

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
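Putting the thread's rule of thumb into an autonomous IOS AP configuration (an added example written for this page; it is not a configuration from the list posts, the IPexpert workbook or the lab): one phone SSID with key-management CCKM plus TKIP under the radio (so fast-secure-roaming works with the 7921 firmware discussed) and the AP registered to a WDS, one data SSID with key-management WPA plus aes-ccm for "WPA2", and both open eap and network-eap enabled only where something may need LEAP offered first. All SSID names, VLAN numbers, the RADIUS address and key, the method-list name and the WDS and bridge credentials are constructed placeholders. The bridge-side `eap profile` / `dot1x eap profile` lines are 12.4 syntax and are not available in 12.3.x code.

```cisco
! ===== Root AP (autonomous IOS) =====
! Constructed values: 10.0.0.5 is a hypothetical RADIUS server, EAP_METHODS a hypothetical method list.
aaa new-model
aaa authentication login EAP_METHODS group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key 0 RADIUSKEY
!
! Register this AP with the WDS. Without a WDS, CCKM key-management only produces errors in the log.
wlccp ap username wdsuser password 0 WDSPASS
!
! Phone SSID: key-management CCKM, cipher TKIP (older 7921 firmware only roams with TKIP).
! Both open eap and network-eap: older phone firmware may still use network-eap (LEAP),
! newer firmware needs open eap for EAP-FAST.
dot11 ssid PHONES
 vlan 10
 authentication open eap EAP_METHODS
 authentication network-eap EAP_METHODS
 authentication key-management wpa cckm
!
! Data SSID: "WPA2" here means key-management wpa with cipher aes-ccm under the radio.
! Only open eap: nothing on this SSID needs LEAP, so network-eap is left off.
dot11 ssid DATA
 vlan 20
 authentication open eap EAP_METHODS
 authentication key-management wpa
!
interface Dot11Radio0
 no ip address
 ! Cipher per VLAN: TKIP for the WPA/CCKM phone VLAN, AES-CCM for the WPA2 data VLAN
 encryption vlan 10 mode ciphers tkip
 encryption vlan 20 mode ciphers aes-ccm
 ssid PHONES
 ssid DATA
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! ===== WDS AP (the same box or another AP; it also needs the wlccp ap username line above) =====
! Constructed: priority 255 makes this AP the preferred WDS.
wlccp wds priority 255 interface BVI1
wlccp authentication-server infrastructure EAP_METHODS
wlccp authentication-server client any EAP_METHODS
!
! ===== Non-root bridge side (12.4 syntax) =====
! Restrict the bridge's own supplicant to EAP-FAST only, so a LEAP-only fallback cannot succeed;
! the bridge log (not the root AP) shows which method actually authenticated.
eap profile FAST_ONLY
 method fast
!
dot1x credentials BRIDGE_CREDS
 username bridge1
 password 0 BRIDGEPASS
!
dot11 ssid BRIDGELINK
 authentication open eap EAP_METHODS
 authentication network-eap EAP_METHODS
 authentication key-management wpa
 dot1x credentials BRIDGE_CREDS
 dot1x eap profile FAST_ONLY
!
! Under the bridge's Dot11Radio0 it still needs station-role non-root, ssid BRIDGELINK and an
! encryption mode ciphers line (tkip or aes-ccm) matching what the root bridge offers.
```

The point to check after applying something like this is the one the thread stresses: on the root AP, `show dot11 associations` confirms the key-management and cipher each client negotiated, while on a bridge link the EAP method that actually succeeded is visible only in the non-root bridge's own log.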
