New Contributor

Migration to AES/WPA2

We're contemplating upgrading part of campus to include 802.11n, and my understanding is that that requires the use of AES. We currently have two SSIDs providing a/b/g, one which is wide open with a subset of functionality, and the other using TKIP, which offers full connectivity. I cannot eliminate the open SSID, as much as I'd like to. At present, we probably have 30-35% of our wireless users using the TKIP-based SSID. The primary reason is the variations of Windows XP machines, wireless cards and vendors that make it difficult to automate or simplify the act of migrating to a secured SSID.

We're having a debate about how to go about implementing AES. I see that there are three alternatives:

1) Use of Mixed Mode on the existing SSID, which I'm told is problematic.

2) Keep the existing SSID and create a new SSID that requires AES as its authentication piece. This will require any user who wishes to utilize AES to switch to the new SSID, but will preserve a user base on the old SSID. Retiring the old SSID might take a while, and this is the precise reason for not liking this option.

3) Modify the existing SSID to require AES. This has the potential of alienating users who cannot utilize AES. Is it a given that any 802.11g card can handle AES, possibly requiring at worst a driver upgrade? If not, this may potentially require some users to upgrade their laptops, cell phones, PDAs, etc.

I'm assuming any 802.11b user is just out of luck as far as AES goes. Am I overlooking anything?
Regular Contributor I

Re: Migration to AES/WPA2

I faced the same issue and decided that #2 would best serve my users, politically speaking. Fortunately we are in transition from older Dell laptops to new Lenovos, so I'm weeding the old scheme out pretty quickly.
Occasional Contributor II

Re: Migration to AES/WPA2

We had the same problem about 6 months ago whether or not to switch from WPA TKIP/AES to WPA2 AES only. It turns out that only about 1% of the people who were connecting to the WPA TKIP/AES SSID actually were only authenticating with TKIP.

I can't remember the command though to see what people were authenticating on. Anyway, we had no problems at all just switching over, absolutely no complaints.

Even if people have the SSID hardcoded in to use TKIP, Windows machines will automatically switch to AES if that is what the SSID requires, unless they are running XP SP2 without the WPA2 patch, which is just a simple download from Microsoft.

Bottom line is we had no problems with what you are proposing. We also have an OPEN network in addition to WPA2, which only allows port 80 traffic and students haven't complained.
Guru Elite

802.1x clients


The command to see what encryption or "cipher" your clients are using is "show dot1x supplicant-info list-all". It is detailed in the post here:

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*