Forum

Need some expert Wireless security advice here regarding a white paper I read which described how to configure a specific device to use "WPA AES CCMP+TKIP".

To add some context to the question, a handheld device is being assessed to meet specific security requirements for a client which requires the use of WPAv2 using AES encryption. The whitepaper shows the config of the device, a Cisco 1200 AP and Cisco ACS to get the lot working securely. Now the document claims that it describes how to set up using "WPA AES CCMP+TKIP" which I dont believe you can use from a single device as you either use TKIP or CCMP but not both from the same device right?? It seems to me that whitepaper is setting up the AP to use AES CCMP and TKIP but then device is being configured to use TKIP to connect and not AES.

Come on! Someone tell me im thinking along the right track! I have another additional question. Can AES-CCMP only be supported in hardware, ie: A hardware upgrade is ALWAYS required. Or are there some clients such as the Cisco Secure Service client: http://www.cisco.com/en/US/products/ps7034/products_qanda_item0900aecd80507fd8.shtml which can provide AES encryption using software?

Hi Sdandeker:

An IEEE 802.11 access point may be configured to support up to three unicast cipher suites and one multicast cipher suite simultaneously. WLAN vendors have novel configuration descriptions. What could go wrong?

Second question: When the IEEE 802.11 committee created the CCMP cipher suite based on the AES encryption algorithm they anticipated that existing WLAN hardware would be inadequate and not field upgradable. They expected that new hardware would be deployed that had either stronger general purpose hardware (for instance CPU and RAM) or CCMP application specific integrated circuits (ASICs) or both.

The earliest vendors of CCMP did so by first fielding stronger general purpose hardware that could be field upgraded with CCMP firmware. Later vendors have the CCMP ASIC option.

I hope this helps. Thanks. /criss

Thanks for your reply Chris, but im afraid im still not convinced. I think the best thing to do is to get hold of the device in question, configure it up as the whitepaper describes and do a packet capture to find out what is going on. I can send you the whitepaper if you want to take a look.

I hope it is OK to jump in here. I for one would appreciate the link to the paper if you do not mind. Thanks in advance.

As for your original question, you have to define device. If you are referring to the AP then as Criss mentioned they have the ability to use what Cisco calls WPA2 mixed mode. The client device does not have the ability to run more than just one protocol.

http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/netqa0900aecd801e3e59.html

As for your second question with reference to the hardware upgrade so one can use CCMP/AES, that is also a published fact from Cisco and most other vendors.

Thanks M/Q. I do not have a link to the paper as it was sent to me by email so if I can post it somehow le me know, alternatively I can email to you?

I know that with the Cisco 1200, you can support multiple security types on a single SSID and this was my point. The whitepaper show the config of the AP supporting "WPA AES CCMP+TKIP" in the Cisco 1200 config window which as you rightly say allows a client to connect either using TKIP or CCMP. The client however does not show any selection of TKIP or AES although the writer of the paper has called the profile "WPA AES+TKIP Radius" ON THE CLIENT.

Now what is being claimed is that that this configuration shows how to configure the device using the Meetinghouse AEGIS client (now owned by Cisco) to use "WPA AES CCMP+TKIP" which meets our clients security standard of WPA2 with AES...... Im not convinced though as we know a client cant do both simultaneously right!?

Hey folks,

In my opinion, you have just hit upon one of the most interesting parts of the WiFi universe, 'vendor descriptions' }:-)

I think the AP in question will negotiate either TKIP or CCMP with the client, not provide support for some crazy, multi-protocol uber-client :)

Thanks for asking the question.

I use the Cisco 1200's as you mentioned. This means the device will support either of the two. You can configure. I have ours setup with both and can use either that the device supports. I was also a little confused and it took me a while to understand. I would recommend reading up on some Cisco whitepapers and actually getting the devices and playing with them and all of the options they have if possible.

Thanks for all the input here. I think people have confirmed what I suspected..... That the vendors configuration paper is very misleading and that the only way to find out what is really being used to encrypt the data is to follow the instructions in the whitepaper and do some protocol analysis to see exactly what encryption is being used. Thanks again.