Stuart Oram (United Kingdom) asked:

Migrate Cisco Aironet 1231 from WEP 128-bit to Cipher

I need to migrate multiple SSIDs on 3 Aironet 1231s on a single site to use AES CCMP + TKIP cipher rather than the current WEP 128-bit.

I noticed there is an option in Cipher for AES CCMP + TKIP + WEP 128 bit.

Would this (as a temporary measure) allow me to have clients using a mix of encryption standards? I'm looking to make the migration as seamless as possible rather than immediately disabling WEP and cutting off clients until they update security settings.

It's in an environment where the weaknesses of WEP aren't a significant concern due to limited range of the radio signal from the APs, but still want to get migrated away from WEP!

Edit: Update: I tested with a little used SSID changing the encryption settings to just AES CCMP + TKIP and it is still reporting as WEP only. I have checked with one of the SSIDs already using WPA2-Personal and it seems to be set up via SSID Manager rather than Encryption Manager and therefore only allows one method of encryption.
McKnife (Germany):

Using WEP and WPA and WPA2 together is not a good idea, as an attacker would then still only have to defeat WEP. But yes, that would allow your clients to use whatever encryption suits them best.
Stuart Oram (asker):

This is only intended as an interim measure until all client devices migrate away from WEP, when I will remove support for WEP.
This is the one thing I'd say never do.  You 'can' do it but only if certain criteria are met and it largely depends on the clients.

The fact that your SSID is still reporting WEP even though you've set it to WPA means you've probably done it wrong.  You have to change the config in the SSID Manager and the Encryption Manager to get it to work.

Can you post the configuration file from one of the APs please?
I have been using the HTTP interface to make these changes rather than the CLI, as my CLI experience is mainly with HP switches; I don't know Cisco that well, particularly APs.

Tried grabbing a screenshot of the HTTP page but it won't grab all in one shot.

I've posted the relevant bits from the output of the startup config file export.

N.B. VLAN 80 (SSID ORAM-GUEST) is successfully running, reporting as WPA2. VLAN 110 is one of the ones I'm trying to convert to allow both WEP and WPA2.

I appreciate it's not the best way to do it, but it's a home (not business) environment and I'm trying to manage some of my 'users' that will make a lot of noise if I just make the change over and cut off access via WEP before they have reconfigured devices!! :-)
If I had my work hat on, I'd just change the config as required and tell them to change the client device config (tough!).....
Not sure if the attachment made it on to the last comment, so trying again.
1231-wepconfig.txt
You can copy/paste from the HTTP config page - that will let you grab all of it.

So that config shows that you have successfully configured the ORAM-GUEST SSID for WPA.  The config is a bit skewed though.

If the client still thinks the SSID is configured for WEP you need to remove its WLAN config for that SSID and let the client detect the correct settings.
The one already WPA has always been so. It's the other one that's the problem.
What's skewed about the config?
Ok.

This is skewed...
dot11 ssid TEST-VLAN110
   vlan 110
   authentication open

 encryption vlan 80 mode ciphers aes-ccm tkip

encryption vlan 110 mode ciphers aes-ccm tkip

 ssid TEST-VLAN110

That's showing half of the dot11 ssid TEST-VLAN110 config and then it jumps right into a dot11radio0 interface config.  There's some missing.
This isn't the full config, I just pulled out the bits I thought were relevant.
What were you expecting to see? I'll check and see if it's there....
Have you read this Cisco doc?
http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-2_13_JA/configuration/guide/i12213sc/s13wep.html?referring_site=bodynav

Note When you configure the cipher TKIP (not TKIP + WEP 128 or TKIP + WEP 40) for an SSID, the SSID must use WPA or CCKM key management. Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key management.
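As an added example that is not from this thread or from Cisco, the Python script below reads an Aironet IOS-style config and flags the mismatch described in the note above: an SSID whose VLAN has a TKIP or AES-CCM cipher set in the radio interface (Encryption Manager) but no 'authentication key-management wpa' (or cckm) line in its dot11 ssid block (SSID Manager). It also warns on any SSID that still lists a WEP cipher, which is McKnife's point. The sample config inside it is constructed, not the poster's attachment; the MIXED-VLAN120 SSID assumes that an IOS AP accepts 'authentication key-management wpa optional' together with a 'tkip wep128' cipher list for running WEP and WPA clients side by side, which the thread itself does not confirm.

```python
"""Lint an Aironet (IOS) AP config for SSID cipher / key-management mismatches.
Added example, not the poster's file and not a Cisco tool; SAMPLE_CONFIG is constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "ssid level message")

WPA_CIPHERS = {"tkip", "aes-ccm"}          # these need WPA or CCKM key management
WEP_CIPHERS = {"wep40", "wep128", "wep"}   # "wep" stands for 'encryption mode wep ...'

# Constructed sample: ORAM-GUEST as a working WPA-PSK SSID, TEST-VLAN110 as posted
# (cipher set on the radio, no key management on the SSID), and MIXED-VLAN120 as an
# assumed transitional setup ('wpa optional' plus a wep128 cipher) for WEP+WPA clients.
SAMPLE_CONFIG = """\
dot11 ssid ORAM-GUEST
   vlan 80
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 example-passphrase
!
dot11 ssid TEST-VLAN110
   vlan 110
   authentication open
!
dot11 ssid MIXED-VLAN120
   vlan 120
   authentication open
   authentication key-management wpa optional
   wpa-psk ascii 0 example-passphrase
!
interface Dot11Radio0
 encryption vlan 80 mode ciphers aes-ccm tkip
 encryption vlan 110 mode ciphers aes-ccm tkip
 encryption vlan 120 mode ciphers tkip wep128
 ssid ORAM-GUEST
 ssid TEST-VLAN110
 ssid MIXED-VLAN120
"""


def parse_config(text):
    """Return (ssids, vlan_ciphers): ssid -> {vlan, key_mgmt}, vlan -> set of ciphers."""
    ssids, vlan_ciphers, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"dot11 ssid (\S+)$", line)
        if m:
            current = ssids.setdefault(m.group(1), {"vlan": None, "key_mgmt": set()})
            continue
        if line == "!" or line.startswith("interface "):
            current = None                      # left the dot11 ssid block
        if current is not None:
            m = re.match(r"vlan (\d+)$", line)
            if m:
                current["vlan"] = int(m.group(1))
            m = re.match(r"authentication key-management (.+)$", line)
            if m:
                current["key_mgmt"].update(m.group(1).split())
            continue
        # Radio-interface encryption lines (what the web UI calls Encryption Manager).
        m = re.match(r"encryption(?: vlan (\d+))? mode ciphers (.+)$", line)
        if m:
            vlan_ciphers[int(m.group(1)) if m.group(1) else None] = set(m.group(2).split())
        m = re.match(r"encryption(?: vlan (\d+))? mode wep (?:mandatory|optional)$", line)
        if m:
            vlan_ciphers[int(m.group(1)) if m.group(1) else None] = {"wep"}
    return ssids, vlan_ciphers


def lint(text):
    """Apply the Cisco note (cipher TKIP/AES needs WPA or CCKM) plus two sanity checks."""
    ssids, vlan_ciphers = parse_config(text)
    findings = []
    for name, s in sorted(ssids.items()):
        ciphers = vlan_ciphers.get(s["vlan"], set())
        km = s["key_mgmt"]
        has_wpa = bool(km & {"wpa", "cckm"})
        if not ciphers:
            findings.append(Finding(name, "ERROR", "no encryption entry for vlan %s" % s["vlan"]))
            continue
        if ciphers & WPA_CIPHERS and not has_wpa:
            # The failure in the thread: cipher chosen, SSID still has no key management.
            findings.append(Finding(name, "ERROR",
                "ciphers %s require 'authentication key-management wpa' (or cckm); "
                "clients cannot authenticate" % " ".join(sorted(ciphers))))
        if "optional" in km and not ciphers & WEP_CIPHERS:
            findings.append(Finding(name, "WARN",
                "key management is optional but no WEP cipher is listed, so non-WPA "
                "clients have nothing to use (assumed IOS behaviour)"))
        if ciphers & WEP_CIPHERS:
            findings.append(Finding(name, "WARN",
                "WEP still accepted; an attacker only needs to defeat WEP on this SSID"))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("%-5s %-14s %s" % (f.level, f.ssid, f.message))
```

Run it against the startup-config export rather than the web pages: in the sample, TEST-VLAN110 is reported as the ERROR (the same state as the posted excerpt), ORAM-GUEST is clean, and MIXED-VLAN120 gets only the "WEP still accepted" warning, which is exactly the risk McKnife raised for the transitional period.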
Thanks - I know what you are saying & how to correct. I will check the doc you linked. Is it still possible to allow clients to use WEP OR WPA (for a short time)?
If I'm reading the document correctly, it appears you will have to use WPA in conjunction with the cipher level TKIP you set.

The note in my last comment clearly states they must be used together in order for end users to be able to log onto the SSID.

I haven't read any docs pertaining to CCKM management, but it appears to be another option.

When I have some time I will read up on it.

I don't see an issue with the end users being on WEP or WPA until you get things figured out.
I'll give it a try as soon as able and will report back. Thanks all.
ASKER CERTIFIED SOLUTION
Craig Beck (United Kingdom)
This solution is only available to members.
Thanks for all the comments on this.
Will go over responses and assign points in due course.