Migrate Cisco Aironet 1231 from WEP 128-bit to Cipher

I need to migrate multiple SSIDs on 3 Aironet 1231s on a single site to use AES CCMP + TKIP Cipher rather than the current WEP 128 bit.

I noticed there is an option in Cipher for AES CCMP + TKIP + WEP 128 bit.

Would this (as a temporary measure) allow me to have clients using a mix of encryption standards? I'm looking to make the migration as seamless as possible rather than immediately disabling WEP and cutting off clients until they update security settings.

It's in an environment where the weaknesses of WEP aren't a significant concern due to limited range of the radio signal from the APs, but still want to get migrated away from WEP!

Edit: Update: I tested with a little used SSID changing the encryption settings to just AES CCMP + TKIP and it is still reporting as WEP only. I have checked with one of the SSIDs already using WPA2-Personal and it seems to be set up via SSID Manager rather than Encryption Manager and therefore only allows one method of encryption.
Stuart Oram, IT Technical Lead (Project Sites), Asked:

McKnife Commented:
Using WEP and WPA and WPA2 is not a good idea, as an attacker would still only have to defeat WEP, then. But, yes, that would allow your clients to use whatever encryption suits them best.
0
Stuart Oram, IT Technical Lead (Project Sites), Author Commented:
This is only intended as an interim measure until all client devices migrate away from WEP, when I will remove support for WEP.
0
Craig Beck Commented:
This is the one thing I'd say never do.  You 'can' do it but only if certain criteria are met and it largely depends on the clients.

The fact that your SSID is still reporting WEP even though you've set it to WPA means you've probably done it wrong.  You have to change the config in the SSID Manager and the Encryption Manager to get it to work.

Can you post the configuration file from one of the APs please?
0
Stuart Oram, IT Technical Lead (Project Sites), Author Commented:
I have been using the HTTP interface to make these changes rather than the CLI, as my CLI experience is mainly with HP switches; I don't know Cisco that well, particularly APs.

Tried grabbing a screenshot of the HTTP page but it won't grab all in one shot.

I've posted the relevant bits from the output of the startup config file export.

N.B. VLAN 80 (SSID ORAM-GUEST) is successfully running, reporting as WPA2. VLAN 110 one of the ones I'm trying to convert to allow both WEP and WPA2.

I appreciate it's not the best way to do it, but it's a home (not business) environment and I'm trying to manage some of my 'users' that will make a lot of noise if I just make the change over and cut off access via WEP before they have reconfigured devices!! :-)
If I had my work hat on, I'd just change the config as required and tell them to change the client device config (tough!).....
0
Stuart Oram, IT Technical Lead (Project Sites), Author Commented:
Not sure if the attachment made it on to the last comment, so trying again.
1231-wepconfig.txt
0
Craig Beck Commented:
You can copy/paste from the HTTP config page - that will let you grab all of it.

So that config shows that you have successfully configured the ORAM-GUEST SSID for WPA.  The config is a bit skewed though.

If the client still thinks the SSID is configured for WEP you need to remove its WLAN config for that SSID and let the client detect the correct settings.
0
Stuart Oram, IT Technical Lead (Project Sites), Author Commented:
The one already WPA has always been so. It's the other one that's the problem.
What's skewed about the config?
0
Craig Beck Commented:
Ok.

This is skewed...
dot11 ssid TEST-VLAN110
   vlan 110
   authentication open

 encryption vlan 80 mode ciphers aes-ccm tkip

encryption vlan 110 mode ciphers aes-ccm tkip

 ssid TEST-VLAN110

That's showing half of the dot11 ssid TEST-VLAN110 config and then it jumps right into a dot11radio0 interface config.  There's some missing.
0
Stuart Oram, IT Technical Lead (Project Sites), Author Commented:
This isn't the full config, I just pulled out the bits I thought were relevant.
What were you expecting to see? I'll check & see if it's there....
0
joinaunion Commented:
Have you read this Cisco doc?
http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-2_13_JA/configuration/guide/i12213sc/s13wep.html?referring_site=bodynav

Note: When you configure the cipher TKIP (not TKIP + WEP 128 or TKIP + WEP 40) for an SSID, the SSID must use WPA or CCKM key management. Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key management.
0
Stuart Oram, IT Technical Lead (Project Sites), Author Commented:
Thanks - I know what you are saying & how to correct. I will check the doc you linked. Is it still possible to allow clients to use WEP OR WPA (for a short time)?
0
joinaunion Commented:
If I'm reading the document correctly it appears you will have to use WPA in conjunction with the cipher level TKIP you set.

The note in my last comment clearly states they must be used together in order for end users to be able to log onto the SSID.

I haven't read any docs pertaining to the cckm management but it appears to be another option.

When I have some time I will read up on it.

I don't see an issue with the end users being on WEP or WPA until you get things figured out.
0
Stuart Oram, IT Technical Lead (Project Sites), Author Commented:
I'll give it a try as soon as able and will report back. Thanks all.
0
Craig Beck Commented:
I've just labbed it... with static keys you can't mix WPA and WEP.  Mandatory key-management means WEP can't function.

So, you can't mix WEP and WPA in your scenario.
0
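
A small audit of the rule in the Cisco note quoted above, as an added example that is not part of the original thread or of Cisco's documentation: it pairs each dot11 ssid block with the cipher line for its VLAN and flags the cipher TKIP without WPA or CCKM key management, which is the state of the TEST-VLAN110 excerpt. The sample config is constructed from the lines quoted in the thread; the key-management line under ORAM-GUEST is an assumption.

```python
import re
# Constructed sample modelled on the thread's excerpts; ORAM-GUEST's key-management line is assumed.
SAMPLE_CONFIG = """\
dot11 ssid ORAM-GUEST
   vlan 80
   authentication open
   authentication key-management wpa
!
dot11 ssid TEST-VLAN110
   vlan 110
   authentication open
!
interface Dot11Radio0
 encryption vlan 80 mode ciphers aes-ccm tkip
 encryption vlan 110 mode ciphers aes-ccm tkip
 ssid ORAM-GUEST
 ssid TEST-VLAN110
"""

def parse(config):
    """Return ({ssid: {"vlan", "key_mgmt"}}, {vlan: set of cipher tokens})."""
    ssids, ciphers, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"dot11 ssid (\S+)$", line):
            cur = ssids.setdefault(m.group(1), {"vlan": None, "key_mgmt": set()})
        elif not raw.startswith(" "):
            cur = None  # any other unindented line ends the SSID block
        elif cur is not None and (m := re.match(r"vlan (\d+)$", line)):
            cur["vlan"] = m.group(1)
        elif cur is not None and (m := re.match(r"authentication key-management (.+)$", line)):
            cur["key_mgmt"] |= {t for t in m.group(1).split() if t in ("wpa", "cckm")}
        if m := re.match(r"encryption vlan (\d+) mode (ciphers|wep)\b(.*)$", line):
            ciphers[m.group(1)] = {"wep"} if m.group(2) == "wep" else set(m.group(3).split())
    return ssids, ciphers

def audit(config):
    """Apply the rule from the Cisco note quoted in the thread to each SSID."""
    ssids, ciphers = parse(config)
    findings = []
    for name, ssid in sorted(ssids.items()):
        suite = ciphers.get(ssid["vlan"], set())
        has_wep = any(tok.startswith("wep") for tok in suite)
        if "tkip" in suite and not has_wep and not ssid["key_mgmt"]:
            findings.append((name, "cipher TKIP without WPA or CCKM key management"))
        if has_wep:
            findings.append((name, "WEP still accepted on this VLAN"))
    return findings

print(audit(SAMPLE_CONFIG))
```

Run against an exported startup config, the second finding also gives a quick list of VLANs that still accept WEP once the migration is under way.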

Stuart Oram, IT Technical Lead (Project Sites), Author Commented:
Thanks for all the comments on this.
Will go over responses and assign points in due course.
0
Question has a verified solution.