Did some more testing, and it appears that a machine that had an AES
connection on it in the past is where you end up with the problem.

A laptop with built-in wireless or an older card that only supported TKIP
will connect fine, even with the Windows patch.

However, a machine that has had an AES connection in it does keep
converting the standard back to AES, even when using a TKIP-only card.
The laptop does keep TKIP if you disable the connection, but if you select
disconnect or move to another wireless connection like an unsecure one,
once you move back to the WPA/TKIP connection the default has changed back
to AES.

Did not test further on a Mac, but the built-in on the older Mac does
connect fine with TKIP. I have not tried to get an external AES card and
move back to internal yet.

Anyone found out anything more?

On Wed, 2 Aug 2006, Walter Reynolds wrote:

We are using the Cisco 1240 with IOS 12.3(8)JA2.

I have no problem running both AES-CCMP and TKIP on the older Mac. Have not
tried Windows with the patch and an older card recently, but am pretty sure
it worked OK there as well.

We do not have this deployed but in the lab.

On Thu, 27 Jul 2006, David Spindler wrote:

Hi Everyone,

We're in the process of deploying 802.1x across our campus. We
primarily use Cisco's Aironet 1200 series access points. We initially were
going to use mixed mode (support of WPA+WPA2 on the same SSID) in order to
provide the best support, but seem to have run into problems.

When using a Windows XP computer with the WPA2 patch installed (KB893357)
and only WPA hardware support (no WPA2), Windows Zero Config (WZC) will
always attempt to connect using WPA and AES (an invalid combination). You
can manually force it to use WPA and TKIP, but if you disconnect and
reconnect it will default back to WPA/AES and fail.

On a Macintosh running 10.3 (or 10.4), if the hardware supports WPA2 it will
work fine, but on older hardware that only does WPA1, it won't connect no
matter how you configure it. I'm wondering if this is related to the AP
advertising both TKIP and AES and all the OSes wanting to use the best one
(AES) even if the hardware doesn't support it. Has anyone had similar
problems and found a solution?

<Code snippet for mixed mode>
dot11 ssid restricted.utexas.edu
   vlan 312
   authentication open eap uteap
   authentication key-management wpa
   mobility network-id 312
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 312 mode ciphers aes-ccm tkip
 !
 ssid restricted.utexas.edu
</Code>
**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
-- Walter Reynolds
University of Michigan
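
One way to check what a mixed-mode AP actually advertises, and which pairwise ciphers a TKIP-only client can use from it. This is an added example, not code from anyone in the thread. It assumes the standard WPA (vendor-specific, OUI 00:50:F2 type 1) and RSN (element ID 48) information-element layouts; the element bytes in SAMPLE are constructed for illustration and were not captured from a Cisco AP, and the SSID "lab-ssid" and the function names are hypothetical.

```python
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
WPA_OUI, RSN_OUI = bytes.fromhex("0050f2"), bytes.fromhex("000fac")

def parse_suites(body, oui):
    """Decode version, group cipher and pairwise list (same layout in both IEs)."""
    if len(body) < 8:
        raise ValueError("truncated WPA/RSN element")
    version = struct.unpack_from("<H", body, 0)[0]
    count = struct.unpack_from("<H", body, 6)[0]
    if len(body) < 8 + 4 * count:
        raise ValueError("pairwise suite list truncated")
    def name(suite):
        known = CIPHERS.get(suite[3], "type-%d" % suite[3])
        return known if suite[:3] == oui else suite.hex()
    pairwise = [name(body[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"version": version, "group": name(body[2:6]), "pairwise": pairwise}

def advertised(ies):
    """Walk the tagged elements of a beacon body; return WPA/WPA2 cipher info."""
    out, i = {}, 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + length]
        if len(body) < length:
            raise ValueError("element runs past end of frame")
        if eid == 0x30:                                  # RSN IE (WPA2)
            out["WPA2"] = parse_suites(body, RSN_OUI)
        elif eid == 0xDD and body[:4] == WPA_OUI + b"\x01":  # WPA IE
            out["WPA"] = parse_suites(body[4:], WPA_OUI)
        i += 2 + length
    return out

def usable(adv, client):
    """client maps protocol -> ciphers the NIC supports; returns the overlap."""
    return {proto: [c for c in info["pairwise"] if c in client.get(proto, ())]
            for proto, info in adv.items()}

# Constructed sample: SSID "lab-ssid", then a WPA IE and an RSN IE that each
# list CCMP and TKIP as pairwise ciphers with TKIP as the group cipher.
SAMPLE = bytes.fromhex(
    "00 08 6c61622d73736964 "
    "dd 1a 0050f201 0100 0050f202 0200 0050f204 0050f202 0100 0050f201 "
    "30 18 0100 000fac02 0200 000fac04 000fac02 0100 000fac01 0000")

if __name__ == "__main__":
    adv = advertised(SAMPLE)
    print(adv)
    print(usable(adv, {"WPA": {"TKIP"}}))   # WPA-only, TKIP-only hardware
```
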