Keith, I would opt for the option number 3.
Older equipment or drivers that have not been updated can have problems with WPA2 or WPA. It has a lot to do with the interpretation of the standard as implemented by Intel and Atheros. With the latest drivers and Windows XP Service Pack 2, most issues are resolved. Typically users need time for that migration.

TKIP is not always working nicely either; there are still some small issues. We find that WEP is working very well. When you deploy 802.1x WEP, it is very secure as well.

We implemented two SSIDs for a large enterprise in the Netherlands.
One with 802.1x + WPA2 with a key rotation time of 12 hours for laptops with critical applications. No roaming problems.
One with 802.1x and WEP for PDAs and older laptops.

We implemented it in combination with SecureW2 for older wireless cards and the updated Intel drivers. That setup basically solved most of the (migration) problems.

Wim Bos

-----Original Message-----
From: Keith Moores [mailto:[EMAIL PROTECTED]
Sent: Friday 27 October 2006 18:31
To: wim
Subject: [WIRELESS-LAN] Dynamic WEP transition to WPA

All,

I'm interested to hear any experiences/thoughts on transitioning from Dynamic WEP to WPA encryption, especially from those of you with "Fat" Cisco AP deployments. I see a few options, none of which I'm convinced is the way to go.

1) Announce a cutover date, after which Dynamic WEP will cease to work and everyone must use WPA.
   Pros: relatively easy config change, clean compatibility cut off
   Cons: potential for a LOT of help desk work that day/week...

2) Announce a cutover period, where both operate for a time (using Cisco's WEP 128 + TKIP migration mode), after which only using WPA.
   Pros: Gives people a chance to reconfigure on their own schedule
   Cons: Mac 10.3 seems unable to connect to APs in this migration mode, but IS fine with just WPA, other clients may also have this problem, not sure what to do with them during the migration period.

3) Deploy a new SSID/VLAN, announce a cutover period, after which shutdown the old one.
   Pros: Gives people a chance to reconfigure on their own schedule
   Cons: A LOT more back-end work, I'll miss our current ssid, go (cavalier)s!

Has anyone gone down one of these paths? Come up with others? Any WPA compatibility horror stories?

-Keith

p.s. Switching to a different wireless platform is not an option at this point, I realize this could be easier with <insert vendor here>'s amazing product.

------------------------------------------------------------------------
Keith Moores <mailto:[EMAIL PROTECTED]>
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd
Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324
Fax (434) 982-4715

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
