Solved

Migrate Cisco Aironet 1231 from WEP 128-bit to Cipher

Posted on 2014-07-12
Last Modified: 2014-07-15
I need to migrate multiple SSIDs on 3 Aironet 1231s on a single site to use AES CCMP + TKIP Cipher rather than the current WEP 128 bit.

I noticed there is an option in Cipher for AES CCMP + TKIP + WEP 128 bit.

Would this (as a temporary measure) allow me to have clients using a mix of encryption standards? I'm looking to make the migration as seamless as possible rather than immediately disabling WEP and cutting off clients until they update security settings.

It's in an environment where the weaknesses of WEP aren't a significant concern due to limited range of the radio signal from the APs, but still want to get migrated away from WEP!

Edit: Update: I tested with a little-used SSID, changing the encryption settings to just AES CCMP + TKIP, and it is still reporting as WEP only. I have checked with one of the SSIDs already using WPA2-Personal and it seems to be set up via SSID Manager rather than Encryption Manager and therefore only allows one method of encryption.
Question by:Stuart Oram
15 Comments
 
LVL 57

Expert Comment

by:McKnife
ID: 40191949
Using WEP, WPA and WPA2 together is not a good idea, as an attacker would then still only have to defeat WEP. But, yes, that would allow your clients to use whatever encryption suits them best.
LVL 1

Author Comment

by:Stuart Oram
ID: 40192014
This is only intended as an interim measure until all client devices migrate away from WEP, when I will remove support for WEP.
LVL 47

Expert Comment

by:Craig Beck
ID: 40192155
This is the one thing I'd say never do.  You 'can' do it but only if certain criteria are met and it largely depends on the clients.

The fact that your SSID is still reporting WEP even though you've set it to WPA means you've probably done it wrong.  You have to change the config in the SSID Manager and the Encryption Manager to get it to work.

Can you post the configuration file from one of the APs please?
LVL 1

Author Comment

by:Stuart Oram
ID: 40192186
I have been using the HTTP interface to make these changes rather than the CLI, as my CLI experience is mainly with HP switches; I don't know Cisco that well, particularly APs.

Tried grabbing a screenshot of the HTTP page but it won't grab all in one shot.

I've posted the relevant bits from the output of the startup config file export.

N.B. VLAN 80 (SSID ORAM-GUEST) is successfully running, reporting as WPA2. VLAN 110 is one of the ones I'm trying to convert to allow both WEP and WPA2.

I appreciate it's not the best way to do it, but it's a home (not business) environment and I'm trying to manage some of my 'users' that will make a lot of noise if I just make the change over and cut off access via WEP before they have reconfigured devices!! :-)
If I had my work hat on, I'd just change the config as required and tell them to change the client device config (tough!).....
LVL 1

Author Comment

by:Stuart Oram
ID: 40192193
Not sure if the attachment made it on to the last comment, so trying again.
1231-wepconfig.txt
LVL 47

Expert Comment

by:Craig Beck
ID: 40192237
You can copy/paste from the HTTP config page - that will let you grab all of it.

So that config shows that you have successfully configured the ORAM-GUEST SSID for WPA.  The config is a bit skewed though.

If the client still thinks the SSID is configured for WEP you need to remove its WLAN config for that SSID and let the client detect the correct settings.
LVL 1

Author Comment

by:Stuart Oram
ID: 40192256
The one already WPA has always been so. It's the other one that's the problem.
What's skewed about the config?
LVL 47

Expert Comment

by:Craig Beck
ID: 40192261
Ok.

This is skewed...
dot11 ssid TEST-VLAN110
   vlan 110
   authentication open

 encryption vlan 80 mode ciphers aes-ccm tkip

encryption vlan 110 mode ciphers aes-ccm tkip

 ssid TEST-VLAN110

That's showing half of the dot11 ssid TEST-VLAN110 config and then it jumps right into a dot11radio0 interface config.  There's some missing.
LVL 1

Author Comment

by:Stuart Oram
ID: 40192265
This isn't the full config, I just pulled out the bits I thought were relevant.
What were you expecting to see? I'll check & see if it's there....
LVL 16

Expert Comment

by:joinaunion
ID: 40192417
Have you read this Cisco doc?
http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-2_13_JA/configuration/guide/i12213sc/s13wep.html?referring_site=bodynav

Note When you configure the cipher TKIP (not TKIP + WEP 128 or TKIP + WEP 40) for an SSID, the SSID must use WPA or CCKM key management. Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key management.
LVL 1

Author Comment

by:Stuart Oram
ID: 40192433
Thanks - I know what you are saying & how to correct. I will check the doc you linked. Is it still possible to allow clients to use WEP OR WPA (for a short time)?
LVL 16

Expert Comment

by:joinaunion
ID: 40192454
If I'm reading the document correctly it appears you will have to use WPA in conjunction with the cipher level TKIP you set.

The note in my last comment clearly states they must be used together in order for end users to be able to log onto the SSID.

I haven't read any docs pertaining to the cckm management but it appears to be another option.

When I have some time I will read up on it.

I don't see an issue with the end users being on WEP or WPA until you get things figured out.
LVL 1

Author Comment

by:Stuart Oram
ID: 40192464
I'll give it a try as soon as able and will report back. Thanks all.
LVL 47

Accepted Solution

by:Craig Beck (earned 2000 total points)
ID: 40192868
I've just labbed it... with static keys you can't mix WPA and WEP.  Mandatory key-management means WEP can't function.

So, you can't mix WEP and WPA in your scenario.
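An added check, not code from the thread or from Cisco, that scans a pasted Aironet IOS running-config excerpt for the two states the thread converges on: an SSID whose VLAN has a cipher (AES-CCM/TKIP) set on the radio interface but no WPA/CCKM key management under its `dot11 ssid` block (the failure mode in the Cisco doc note quoted above, and the likely cause of the SSID still advertising WEP), and any VLAN still running WEP. The sample config is constructed, modelled on the excerpt posted earlier; the `authentication key-management wpa` and `wpa-psk ascii` lines are standard Aironet IOS syntax, but their exact form varies between releases, so treat them as assumed rather than copied from the poster's APs.

```python
"""Lint an Aironet IOS config excerpt for the cipher/key-management mismatch
discussed in this thread. Added example; not from the thread or from Cisco."""
import re

# Constructed sample, modelled on the excerpt posted in the thread.
# ORAM-GUEST is complete (cipher on the radio + WPA key management).
# TEST-VLAN110 has the cipher on the radio but no key management, which is
# the broken state the Cisco doc note describes.
# OLD-WEP is a VLAN that has not been migrated yet.
SAMPLE_CONFIG = """\
dot11 ssid ORAM-GUEST
   vlan 80
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 PLACEHOLDER-ENCRYPTED-PSK
!
dot11 ssid TEST-VLAN110
   vlan 110
   authentication open
!
dot11 ssid OLD-WEP
   vlan 120
   authentication open
!
interface Dot11Radio0
 encryption vlan 80 mode ciphers aes-ccm tkip
 encryption vlan 110 mode ciphers aes-ccm tkip
 encryption vlan 120 key 1 size 128bit 7 PLACEHOLDER-WEP-KEY transmit-key
 encryption vlan 120 mode wep mandatory
 ssid ORAM-GUEST
 ssid TEST-VLAN110
 ssid OLD-WEP
!
"""


def parse_config(text):
    """Return (ssids, encryption).

    ssids: name -> {"vlan": str or None, "key_mgmt": bool}
    encryption: vlan -> "ciphers" or "wep", taken from the radio interface.
    """
    ssids = {}
    encryption = {}
    block = None  # ("ssid", name) or ("radio", None) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None  # "!" ends a config block in IOS output
            continue
        m = re.match(r"dot11 ssid (\S+)$", line)
        if m:
            block = ("ssid", m.group(1))
            ssids[m.group(1)] = {"vlan": None, "key_mgmt": False}
            continue
        if re.match(r"interface Dot11Radio\d+$", line):
            block = ("radio", None)
            continue
        if block and block[0] == "ssid":
            cur = ssids[block[1]]
            m = re.match(r"vlan (\d+)$", line)
            if m:
                cur["vlan"] = m.group(1)
            elif re.match(r"authentication key-management (wpa|cckm)\b", line):
                cur["key_mgmt"] = True
        elif block and block[0] == "radio":
            # Only the "mode" line tells us the cipher suite; key lines are ignored.
            m = re.match(r"encryption vlan (\d+) mode (ciphers|wep)\b", line)
            if m:
                encryption[m.group(1)] = m.group(2)
    return ssids, encryption


def find_problems(text):
    """List (ssid, reason) pairs a migration away from WEP should fix."""
    ssids, encryption = parse_config(text)
    problems = []
    for name, info in ssids.items():
        mode = encryption.get(info["vlan"])
        if mode == "ciphers" and not info["key_mgmt"]:
            problems.append((name, "cipher set on VLAN but no WPA/CCKM key management"))
        elif mode == "wep":
            problems.append((name, "still using WEP"))
        elif mode is None:
            problems.append((name, "no encryption configured for its VLAN"))
    return problems


if __name__ == "__main__":
    for ssid, reason in find_problems(SAMPLE_CONFIG):
        print(f"{ssid}: {reason}")
```

Paste the full `show running-config` output (as Craig suggested, copied from the HTTP config page) in place of the constructed sample; an SSID reported with the first reason is the one that will keep advertising WEP until `authentication key-management wpa` is added under its `dot11 ssid` block.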
LVL 1

Author Comment

by:Stuart Oram
ID: 40192880
Thanks for all the comments on this.
Will go over responses and assign points in due course.