LEAP (or WPA-Ent) and WPA-PSK to work on a single 1200AP???

Hello.. first and foremost - I'd like to thank everyone in advance for taking the time to read and help with my issue below..

To make the long story short.. I need to get a new Palm LifeDrive PDA type device to connect to our Cisco Wireless network for Internet access.

Palm LifeDrive only supports WEP or WPA-PSK. Our Cisco WLAN uses Cisco LEAP but we are considering going to WPA-Enterprise.

Is there any way that I can configure the same 1200AP so that it can authenticate both our existing LEAP clients and the new WPA-PSK LifeDrive devices?? Would this be possible and/or make it easier if we upgrade our LEAP to WPA-Enterprise first??

Thanks again...

-- hax3

hax3 schrieb:

Distinguish between the authentication and the encryption cipher.

You can use different authentication schemes on separate SSIDs.

Depending on the LEAP clients, you can use LEAP as the EAP authentication with what you call WPA Enterprise. For WPA the encryption cipher must be TKIP/Michael (or AES-CCMP). So all your LEAP clients must support TKIP.

TKIP does *not* work with Linux, MacOS and MS-DOS drivers for the 350 series PCMCIA or MiniPCI cards.

TKIP is supported and works with Windows 2000 and XP on 350 cards with fw 5.30.17 or newer. TKIP is *not* supported (but works...) on legacy 340 cards with fw 5.30.17 (or unsupported newer).
-- Uli Link

Currently our APs are set to MANDATORY WEP ENCRYPTION and NETWORK EAP Authentication.

Configuring our AP to support WPA-PSK, I believe I will need to set it to CIPHER TKIP with OPEN Authentication and set a WPA PRE-SHARED KEY (is this correct?).

Do I need to set up VLANs? Or can I set up different authentication and encryption schemes on different SSIDs withOUT setting up VLANs?

All clients are either W2k or Palm OS (for which TKIP is the only option for WPA-PSK).

-- hax3

hax3 schrieb:

Yes.

Yes and No. You can set different authentication per SSID, but without VLANs the encryption cipher is global per radio. You must set the encryption cipher to the largest common denominator.

LEAP with TKIP works with recent drivers and firmware on W2k. Don't know about PalmOS.

You can only broadcast one SSID. Some braindead cards/fw/drivers don't work reliably without a broadcast SSID. Never found such problems with Aironet cards.

HTH

-- Uli Link

Thanks Uli for all your help.. I was able to do the following to enable 2 groups to access the same 1200AP..

Set global cipher encryption to TKIP (vs WEP)

Set 2 different SSIDs:

- one SSID set for WPA-Enterprise (i.e. NETWORK-EAP authentication with Mandatory WPA KEY MANAGEMENT).

- one SSID set for WPA-PSK (i.e. OPEN Authentication with MANDATORY WPA KEY MANAGEMENT and a WPA-PRESHARED KEY pass phrase).

1 issue I have is I can't seem to "hide" (or not broadcast) both SSIDs. It automatically broadcasts one - right now it's broadcasting the SSID for WPA-PSK. Not sure how to force hiding both SSIDs..

Another issue is if I set the WPA-PSK group for OPEN Authentication with MAC, it erases the WPA-PSK pass phrase - do you know if it's possible to do MAC address authentication AND WPA PreShared Key Passphrase?

Thanks


-- hax3
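The two-SSID setup hax3 describes above, written out as an Aironet IOS configuration fragment. This is an added illustration, not a configuration posted in the thread: the SSID names, the EAP method-list name eap_methods and the placeholder passphrase are assumptions, and the global "dot11 ssid" form is the 12.3 JA syntax (on 12.2 JA the ssid block sits under the radio interface instead).

```cisco
! SSID 1: the existing LEAP clients, run as WPA-Enterprise
! (Network-EAP authentication + mandatory WPA key management).
! "eap_methods" is an assumed method-list name pointing at the RADIUS server.
dot11 ssid CORP-EAP
 authentication network-eap eap_methods
 authentication key-management wpa
!
! SSID 2: the Palm LifeDrive, WPA-PSK
! (open authentication + mandatory WPA key management + pre-shared key).
! Placeholder passphrase; use a long random one on a real AP.
dot11 ssid PDA-PSK
 authentication open
 authentication key-management wpa
 wpa-psk ascii CHANGE-ME-PLACEHOLDER-PASSPHRASE
!
! The cipher suite is global per radio (no VLANs here), so TKIP is the
! common denominator both client groups must support.
! Neither SSID carries "guest-mode", so neither name is put in the beacons;
! as Uli notes further down, the SSID still travels in clear in association
! responses, so this only keeps it out of casual client scan lists.
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid CORP-EAP
 ssid PDA-PSK
```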

hax3 schrieb:

That's easy (if you know how to): Security -> SSID Manager -> Global Radio/SSID Properties -> Select as Set Guest Mode SSID.

I think it is possible via CLI to add the MAC authentication method afterwards. It worked with IOS 12.2(15)XR2

But if you have the strong authentication of WPA, you do not raise your security level by adding the (very) weak MAC authentication.

With WPA MAC auth doesn't really make sense anymore.

-- Uli Link

FYI we do not support MAC authentication + WPA-PSK on the same SSID.

Aaron

-- Aaron Leonard

Hi Uli,

I double-checked the Global SSID Manager and the SET GUEST MODE SSID *IS* set to but one of the SSIDs is still being broadcast..

-- hax3

Thanks for the info.. I agree with Uli - MAC authentication is weak.. but it's still good to know this info rather than waste more time trying to get it to work..

-- hax3

hax3 schrieb:

Did you downgrade from 12.3(4)JA to something earlier?

The location where the configuration of the SSID lives has changed. After a downgrade back to 12.3(2)JA5 the SSID worked, but I wasn't able to change anything through the Browser. Deleted the (global) SSID via CLI and redefined it under the "interface Dot11Radio 0".

Else post your "sh run" without keys/passwords.

Disabling the SSID broadcast always worked for me in all configurations with every IOS I used on my 1200s and 350s.

Another common misunderstanding: Some of the better wireless sniffers show the SSID, which is in clear in every association response to a station. So you can easily find out the SSID by a purely passive scan even if it is suppressed in the AP's beacons. It's a little bit like having it written in large red letters: "I'm invisible". At least for those who *want* to find a WLAN.

-- Uli Link

Well, looks like I wasn't thinking clearly... the SSID is showing up under "available networks" because I've created a profile for it in the client software. If I delete the profile, the SSID is removed from the available networks and it just shows .

Thanks Uli for your time and help.. much appreciated!


-- hax3
