LEAP (or WPA-Ent) and WPA-PSK to work on a single 1200AP???

Discussion in 'Cisco' started by hax3, Sep 26, 2005.

  1. hax3

    hax3 Guest

    Hello.. first and foremost - I'd like to thank everyone in advance for
    taking the time to read and help with my issue below..

    To make the long story short.. I need to get a new Palm LifeDrive PDA
    type device to connect to our Cisco Wireless network for Internet
    access.

    Palm LifeDrive only supports WEP or WPA-PSK. Our Cisco WLAN uses Cisco
    LEAP but we are considering going to WPA-Enterprise.

    Is there any way that I can configure the same 1200AP so that it can
    authenticate both our existing LEAP clients and the new WPA-PSK
    lifedrive devices?? Would this be possible and or make it easier if we
    upgrade our LEAP to WPA-Enterprise first??


    Thanks again...
    hax3, Sep 26, 2005
    #1

  2. Uli Link

    Uli Link Guest

    hax3 schrieb:
    > Hello.. first and foremost - I'd like to thank everyone in advance for
    > taking the time to read and help with my issue below..
    >
    > To make the long story short.. I need to get a new Palm LifeDrive PDA
    > type device to connect to our Cisco Wireless network for Internet
    > access.
    >
    > Palm LifeDrive only supports WEP or WPA-PSK. Our Cisco WLAN uses Cisco
    > LEAP but we are considering going to WPA-Enterprise.


    Distinguish between the authentication and the encryption cipher.

    > Is there any way that I can configure the same 1200AP so that it can
    > authenticate both our existing LEAP clients and the new WPA-PSK
    > lifedrive devices??


    You can use different authentication schemes on separate SSIDs.

    > Would this be possible and or make it easier if we
    > upgrade our LEAP to WPA-Enterprise first??


    Depends on the LEAP clients,
    you can use LEAP as EAP authentication with as you call it WPA Enterprise.
    For WPA the encryption cipher must be TKIP/Michael (or AES-CCMP).
    So all your LEAP clients must support TKIP.

    TKIP does *not* work with Linux, MacOS and MS-DOS drivers for the 350
    series PCMCIA or MiniPCI cards.

    TKIP is supported and works with Windows 2000 and XP with 350 cards with
    fw 5.30.17 or newer
    TKIP is *not* supported (but works...) on legacy 340 cards with fw
    5.30.17 (or unsupported newer)

    --
    Uli
    Uli Link, Sep 26, 2005
    #2

  3. hax3

    hax3 Guest

    Uli Link wrote:
    > hax3 schrieb:
    > > Hello.. first and foremost - I'd like to thank everyone in advance for
    > > taking the time to read and help with my issue below..
    > >
    > > To make the long story short.. I need to get a new Palm LifeDrive PDA
    > > type device to connect to our Cisco Wireless network for Internet
    > > access.
    > >
    > > Palm LifeDrive only supports WEP or WPA-PSK. Our Cisco WLAN uses Cisco
    > > LEAP but we are considering going to WPA-Enterprise.

    >
    > Distinguish between the authentication and the encryption cipher.


    Currently our APs are set to MANDATORY WEP ENCRYPTION and NETWORK EAP
    Authentication.

    Configuring our AP to support WPA-PSK, I believe I will need to set it
    to CIPHER TKIP with OPEN Authentication and set a WPA PRE-SHARED KEY
    (is this correct?).

    >
    > > Is there any way that I can configure the same 1200AP so that it can
    > > authenticate both our existing LEAP clients and the new WPA-PSK
    > > lifedrive devices??

    >
    > You can use different authentication schemes on separate SSIDs.


    Do I need to set up VLANs? Or can I set up different authentication and
    encryption schemes on different SSIDs without setting up VLANs?

    >
    > > Would this be possible and or make it easier if we
    > > upgrade our LEAP to WPA-Enterprise first??

    >
    > Depends on the LEAP clients,
    > you can use LEAP as EAP authentication with as you call it WPA Enterprise.
    > For WPA the encryption cipher must be TKIP/Michael (or AES-CCMP).
    > So all your LEAP clients must support TKIP.
    >
    > TKIP does *not* work with Linux, MacOS and MS-DOS drivers for the 350
    > series PCMCIA or MiniPCI cards.
    >
    > TKIP is supported and works with Windows 2000 and XP with 350 cards with
    > fw 5.30.17 or newer
    > TKIP is *not* supported (but works...) on legacy 340 cards with fw
    > 5.30.17 (or unsupported newer)
    >


    All clients are either W2k or Palm OS (which TKIP is the only option
    for WPA-PSK).

    > --
    > Uli
    hax3, Sep 27, 2005
    #3
  4. Uli Link

    Uli Link Guest

    hax3 schrieb:


    >
    > Configuring our AP to support WPA-PSK, I believe I will need to set it
    > to CIPHER TKIP with OPEN Authentication and set a WPA PRE-SHARED KEY
    > (is this correct?).


    Yes.

    >
    > Do I need to set up VLANs? Or can I set up different authentication and
    > encryption schemes on different SSIDs without setting up VLANs?
    >


    Yes and No.
    You can set different authentication per SSID, but without VLANs the
    encryption cipher is global per radio.
    You must set the encryption cipher to the largest common denominator.

    > All clients are either W2k or Palm OS (which TKIP is the only option
    > for WPA-PSK).


    LEAP with TKIP works with recent drivers and firmware on W2k
    Don't know for PalmOS.

    You can only broadcast one SSID. Some braindead cards/fw/drivers don't
    work reliably without a broadcast SSID.
    Never found such problems with Aironet cards.


    HTH

    --
    Uli
    Uli Link, Sep 27, 2005
    #4
  5. hax3

    hax3 Guest

    Thanks Uli for all your help.. I was able to do the following to
    enable 2 groups access to the same 1200AP..

    Set global cipher encryption to TKIP (vs WEP)

    Set 2 different SSIDs:

    - one SSID set for WPA-Enterprise (ie NETWORK-EAP authentication with
    Mandatory WPA KEY MANAGEMENT).

    - one SSID set for WPA-PSK (ie OPEN Authentication with MANDATORY WPA
    KEY MANAGEMENT and WPA-PRESHARED KEY pass phrase).

    One issue I have is I can't seem to "hide" (or not broadcast) both SSIDs.
    It automatically broadcasts one - right now it's broadcasting the SSID
    for WPA-PSK. Not sure how to force hide both SSIDs..

    Another issue is if I set the WPA-PSK group for OPEN Authentication
    with MAC, it erases the WPA-PSK pass phrase - do you know if it's
    possible to do MAC address authentication AND WPA PreShared Key
    Passphrase?

    THanks


    Uli Link wrote:
    > hax3 schrieb:
    >
    >
    > >
    > > Configuring our AP to support WPA-PSK, I believe I will need to set it
    > > to CIPHER TKIP with OPEN Authentication and set a WPA PRE-SHARED KEY
    > > (is this correct?).

    >
    > Yes.
    >
    > >
    > > Do I need to set up VLANs? Or can I set up different authentication and
    > > encryption schemes on different SSIDs without setting up VLANs?
    > >

    >
    > Yes and No.
    > You can set different authentication per SSID, but without VLANs the
    > encryption cipher is global per radio.
    > You must set the encryption cipher to the largest common denominator.
    >
    > > All clients are either W2k or Palm OS (which TKIP is the only option
    > > for WPA-PSK).

    >
    > LEAP with TKIP works with recent drivers and firmware on W2k
    > Don't know for PalmOS.
    >
    > You can only broadcast one SSID. Some braindead cards/fw/drivers don't
    > work reliably without a broadcast SSID.
    > Never found such problems with Aironet cards.
    >
    >
    > HTH
    >
    > --
    > Uli
    hax3, Sep 28, 2005
    #5
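    The two-SSID setup described in this post, written out as an added
    example in IOS AP CLI syntax (this is not the poster's configuration
    and not a Cisco document; the SSID names, the RADIUS address, the
    shared secret and the passphrase are placeholders). It follows the
    thread's constraints: without VLANs the cipher is set once per radio,
    authentication is chosen per SSID, and neither SSID gets "guest-mode",
    so neither is carried in beacons.

    ```cisco
    ! Added example, not the poster's config. Placeholders: corp, pda,
    ! 192.0.2.10, <radius-secret>, <passphrase>.
    !
    ! RADIUS server that terminates LEAP / EAP for the corp SSID
    aaa new-model
    aaa group server radius rad_eap
     server 192.0.2.10 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <radius-secret>
    !
    ! SSID 1: WPA-Enterprise. network-eap is the Cisco (LEAP) flavour,
    ! open+eap covers clients doing 802.1X/EAP over open authentication.
    dot11 ssid corp
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
    !
    ! SSID 2: WPA-PSK for the Palm. Open auth + WPA key management + PSK.
    ! Do not add "authentication open mac-address ..." here: MAC auth and
    ! WPA-PSK on the same SSID is not supported (see CSCef02795 below).
    dot11 ssid pda
       authentication open
       authentication key-management wpa
       wpa-psk ascii <passphrase>
    !
    ! Cipher is per radio when no VLANs are used, so both SSIDs run TKIP
    ! (the Palm cannot do AES-CCMP). No "guest-mode" on either SSID, so
    ! the beacons carry no SSID. That only removes it from beacons; it is
    ! still sent in clear in probe and association frames.
    interface Dot11Radio0
     encryption mode ciphers tkip
     ssid corp
     ssid pda
    ```

    If you do want per-SSID ciphers later (for example AES-CCMP on corp and
    TKIP on pda), the SSIDs have to be mapped to VLANs and the cipher set
    per VLAN with "encryption vlan <id> mode ciphers ..." instead of the
    single "encryption mode ciphers" line above.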
  6. Uli Link

    Uli Link Guest

    hax3 schrieb:
    > Thanks Uli for all your help.. I was able to do the following to
    > enable 2 groups access to the same 1200AP..
    >
    > Set global cipher encryption to TKIP (vs WEP)
    >
    > Set 2 different SSIDs:
    >
    > - one SSID set for WPA-Enterprise (ie NETWORK-EAP authentication with
    > Mandatory WPA KEY MANAGEMENT).
    >
    > - one SSID set for WPA-PSK (ie OPEN Authentication with MANDATORY WPA
    > KEY MANAGEMENT and WPA-PRESHARED KEY pass phrase).
    >
    > One issue I have is I can't seem to "hide" (or not broadcast) both SSIDs.
    > It automatically broadcasts one - right now it's broadcasting the SSID
    > for WPA-PSK. Not sure how to force hide both SSIDs..


    That's easy (if you know how to):
    Security -> SSID Manager -> Global Radio/SSID Properties -> Select
    <None> as Set Guest Mode SSID.


    > Another issue is if I set the WPA-PSK group for OPEN Authentication
    > with MAC, it erases the WPA-PSK pass phrase - do you know if it's
    > possible to do MAC address authentication AND WPA PreShared Key
    > Passphrase?


    I think it is possible via CLI to add the MAC authentication method
    afterwards.
    It worked with IOS 12.2(15)XR2

    But if you have the strong authentication of WPA you do not raise your
    security level by adding the (very) weak MAC authentication.

    With WPA MAC auth doesn't really make sense anymore.

    --
    Uli
    Uli Link, Sep 28, 2005
    #6
  7. Aaron Leonard

    Aaron Leonard Guest

    FYI we do not support MAC authentication + WPA-PSK on the
    same SSID.

    Aaron

    ---

    CSCef02795 AP1200: Ignores MAc-Authentication when WPA-PSK is enabled
    Integrated in 12.3(07)JA 12.3(04)JA 12.3(02)JA


    Release-note: Modified 050215 by pnhan

    Release-Notes
    =============
    In 12.2(15)JA, configuring MAC authentication with WPA does not work.
    MAC Authentication passes everyone through.
    In older version 12.2(13)JA1 this worked.

    Workaround is to use the older IOS.

    There is no software fix to support this in 12.3(2)JA. The fix in 12.3(2)JA
    is an error message stating MAC authentication and WPA PSK is not supported:

    Router(config-if-ssid)#wpa-psk ascii cisco123
    Error: WPA-PSK not supported with MAC address authentication configured

    Router(config-if-ssid)#

    ---


    ~ > Another issue is if I set the WPA-PSK group for OPEN Authentication
    ~ > with MAC, it erases the WPA-PSK pass phrase - do you know if it's
    ~ > possible to do MAC address authentication AND WPA PreShared Key
    ~ > Passphrase?
    ~
    ~ I think it is possible via CLI to add the MAC authentication method
    ~ afterwards.
    ~ It worked with IOS 12.2(15)XR2
    ~
    ~ But if you have the strong authentication of WPA you do not raise your
    ~ security level by adding the (very) weak MAC authentication.
    ~
    ~ With WPA MAC auth doesn't really make sense anymore.
    Aaron Leonard, Sep 29, 2005
    #7
  8. hax3

    hax3 Guest

    Hi Uli,

    I double-checked the Global SSID Manager and the SET GUEST MODE SSID
    *IS* set to <NONE> but one of the SSID is still being broadcast..
    hax3, Sep 30, 2005
    #8
  9. hax3

    hax3 Guest

    Thanks for the info.. I agree with Uli - MAC authentication is weak..
    but it's still good to know this rather than waste more time trying
    to get it to work..
    hax3, Sep 30, 2005
    #9
  10. Uli Link

    Uli Link Guest

    hax3 schrieb:

    > I double-checked the Global SSID Manager and the SET GUEST MODE SSID
    > *IS* set to <NONE> but one of the SSID is still being broadcast..


    Did you downgrade from 12.3(4)JA to something earlier ?

    The location where the configuration of the SSID lives has changed.
    After a downgrade back to 12.3(2)JA5 the SSID worked, but I wasn't able
    to change anything through the Browser.
    Deleted the (global) SSID via CLI and redefined it under the "interface
    Dot11Radio 0".

    Else post your "sh run" without keys/passwords.

    Disabling the SSID broadcast always worked for me in all configurations
    with every IOS I used on my 1200s and 350s.

    Another common misunderstanding:
    Some of the better wireless sniffers show the SSID which is in clear in
    every association response to a station. So you can find out easily the
    SSID by a pure passive scan even if it is suppressed in the AP's beacons.
    It's a little bit like having it written in large red letters: "I'm
    invisible". At least for those who *want* to find a WLAN.

    --
    Uli
    Uli Link, Sep 30, 2005
    #10
  11. hax3

    hax3 Guest

    Well, looks like I wasn't thinking clearly... the SSID is showing up
    under "available networks" because I've created a profile for it in the
    client software. If I delete the profile, the SSID is removed from the
    available networks and it just shows <SSID not broadcast>.

    Thanks Uli for your time and help.. much appreciated!


    Uli Link wrote:
    > hax3 schrieb:
    >
    > > I double-checked the Global SSID Manager and the SET GUEST MODE SSID
    > > *IS* set to <NONE> but one of the SSID is still being broadcast..

    >
    > Did you downgrade from 12.3(4)JA to something earlier ?
    >
    > The location where the configuration of the SSID lives has changed.
    > After a downgrade back to 12.3(2)JA5 the SSID worked, but I wasn't able
    > to change anything through the Browser.
    > Deleted the (global) SSID via CLI and redefined it under the "interface
    > Dot11Radio 0".
    >
    > Else post your "sh run" without keys/passwords.
    >
    > Disabling the SSID broadcast always worked for me in all configurations
    > with every IOS I used on my 1200s and 350s.
    >
    > Another common misunderstanding:
    > Some of the better wireless sniffers show the SSID which is in clear in
    > every association response to a station. So you can find out easily the
    > SSID by a pure passive scan even if it is suppressed in the AP's beacons.
    > It's a little bit like having it written in large red letters: "I'm
    > invisible". At least for those who *want* to find a WLAN.
    >
    > --
    > Uli
    hax3, Oct 5, 2005
    #11