Victor,

You are correct that, in this case, either "encryption mode ciphers wep40"
or "encryption mode wep mandatory" could be used.  There was no statement
about legacy clients that don't support key management or supporting any wep
client.  If that was the case, then it would have to be the "encryption mode
wep mandatory."

And, yes, for WEP Shared mode, the configuration for Shared is
"authentication shared" under the SSID itself.


Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]


On Tue, Mar 29, 2011 at 5:41 AM, Victor Platov (viplatov) <
[email protected]> wrote:

>  Hi Guys,
>
>
>
> Can you clarify the answer #1?
>
>
>
> Cause I’ve just tested the scenario and found out the following:
>
> WEP works with “encryption vlan 12 mode ciphers wep40” command. Output of
> the “show dot11 ass all” actually shows that WEP is currently used. As per
> Cisco command reference guide, “encryption mode wep” is a kind of old or
> legacy command which can be used for clients which are not supporting key
> management and Cisco recommends to use “encryption mode ciphers” instead.
> Hence we should not use these two commands together and as per my
> understanding we can use both in that case. Am I right?
>
> P.S. shared authentication depends on the ssid’s configuration
> (authentication shared) and not on the radio interface configuration I
> think.
>
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Jason Boyers
> *Sent:* Tuesday, March 29, 2011 1:30 AM
> *To:* Raul Manzano
> *Cc:* [email protected]
> *Subject:* Re: [CCIE Wireless] Questions about the lab 3 for DSG Workbook
> 1.
>
>
>
> Raul
>
>
>
> My responses are inline below.  Very good observations.  With the updates
> made, the latest version number for the CCIEW Workbook Vol 1 DSG will be
> v2947 (as seen in the footer of the doc.)  Give it a bit of time for that to
> be posted, as the doc needs to be properly reformatted, converted to PDF,
> etc by the support team.
>
>
>
>
> Jason Boyers - CCIE #26024 (Wireless)
>
> Technical Instructor - IPexpert, Inc.
> Mailto: *[email protected]*
>
>
>
> On Mon, Mar 28, 2011 at 8:37 AM, Raul Manzano <[email protected]> wrote:
>
> Hi guys.
>
> Making the tasks about the lab 3 I have some doubts about the solution
> done.
>
> Point 3.2: For the configuration of SSID Test2 on AAP2: "The least version
> of WEP encryption, using a key of...."; if you are talking about the "wep
> encryption", why not also use the command "encryption vlan Test2 mode wep
> mandatory"? Because if not, you only pass a passphrase to "authenticate"
> but your traffic without this command is not ciphered with WEP.
>
>
>
> ***  Yes, it does require "mode wep mandatory" command.  I have updated the
> DSG to reflect that.
>
> *** Also, in looking at that, I noticed that SSID Test3 was also partially
> incorrect in the DSG.  It should have the "optional" keyword after
> "authentication open" and before "eap eap_methods."  Without that keyword,
> the AP will attempt to use AAA instead of simply using the WEP key.
>
>
>
> Point 3.2: For the configuration of SSID Test6 on AAP1: "Use the highest
> encryption level allowed for CCKM for the version of software on the AP". In
> the SSID configuration, why not "authentication key-management wpa cckm"?
> If you are using the "highest" (aes in this case) and CCKM I think this is
> correct, unless the meaning of this command is to allow both WPA and CCKM
> key-management, allowing non-CCKM clients to connect. Is this OK?
>
>  *** There is no requirement for WPA listed.  WPA and CCKM are different
> key-management methods, with CCKM adding the creation of a Base Transient
> Key (BTK) to WPA (simplified version.)  For the encryption piece, CCKM on
> 12.3(8)JE(X) as listed in the equipment list does support AES as a cipher.
> Normally, CCKM is listed with TKIP, because older versions of the 7921G
> required CCKM with TKIP for fast, secure roaming.
>
>
>
> Point 3.6: "On AAP2, only permit the laptop to connect". If you use in int
> d0 "l2-filter bridge-group-acl" and apply in all the sub-interfaces the
> command "bridge-group xx input-address-list 700" you should apply the same
> commands to the 5GHz radio, because it is only applied to the sub-interfaces but
> not in the "d1" interface (I assume this is a mistake).
>
>
>
> *** Yes, that was previously corrected.  Please check with our support team
> if the latest version available under your account does not have that
> correction.
>
>
>
>
> Thanks.
>
> Best Regards.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
>