
  • Recently just deployed a hospital network using a Cisco WLAN Ctrl Solution with Funk Odyssey supplicants with SBR. Used WPA2 (802.1x/PEAP-EAP-MS-CHAPv2) and I believe we put it in compatibility mode for the main SSID/VLAN for the mobile hospital users due to some mixture of supplicants/compatibility. (unfortunately I can't verify our settings right now) I noticed even though we had a full AES compatible WLAN NIC (Cisco CB21AG) as the *only* associated client to the BSS it was using AES as the pairwise cipher (good) and TKIP as the groupwise cipher (interesting). TKIP as the groupwise cipher has made me think a bit...

    I'm assuming we had this in compatibility mode, which is enabling the groupwise cipher as TKIP for compatibility reasons. However, the fact that the BSS had only one client associated to it and it was still at TKIP is interesting. Typically, I've found the default behavior favors the stronger method first similarly found in the VPN/IPSec world and then steps down.

    Do any of you recall in the standards (or your interpretation of them) that this is left up to the vendor?

    I could have looked this up myself, but I thought it was a great discussion item to post and get us all thinking (and learning).

    Thanks!

    Shawn
