6 Replies Latest reply: Apr 19, 2009 2:03 PM by Adrian Soh

    The real difference between WPA and WPA2

    Jared

      ok, so I am going through some material for the ONT and finding sections about wireless and wireless security. In general, I had the idea that the main difference between WPA & WPA2 was the encryption used. WPA2 uses AES and WPA uses TKIP. So, on a wireless controller, there are settings that state that you can activate TKIP for WPA2 and AES for WPA. So if you can use either encryption method on either WPA version, then I am thinking that the fact that AES is used is not a defining factor of the differences between WPA and WPA2.

      So, that being said, what is the real difference between the two WPA versions?

        • 1. Re: The real difference between WPA and WPA2
          Scott Morris - CCDE/4xCCIE/2xJNCIE

          The short answer... WPA was pre-standard. WPA2 is also known as 802.11i or the actual standard for wireless security.

          WPA2 uses CCMP instead of TKIP as a message authenticator. (Less likely to be hacked)

          Both allow AES (well, WPA allows it, I think WPA2 requires it) and a variety of EAP methods for exchanging credentials.

          HTH,

          Scott

          • 2. Re: The real difference between WPA and WPA2
            Jared

            I had the same understanding... but if WPA2 requires AES, then why does a Cisco WLC have controls to allow TKIP for WPA2?

            • 3. Re: The real difference between WPA and WPA2
              GSauls

              Hi Jared,

              Scott is right on the short answer.

              Let me break it down in this manner for you.

              WPA Personal - Authentication method is PSK, Encryption Method is TKIP only, Cipher method is RC4 only

              WPA Enterprise - Authentication method is 802.1X/EAP with TKIP and RC4 only.

              WPA2 Personal 802.11i is PSK with CCMP as default and TKIP as optional, while the Cipher is AES as default and RC4 as optional.

              WPA2 Enterprise is 802.1X/EAP with CCMP as default and TKIP as optional, while the Cipher is AES as default and RC4 as optional.

              I hope this helps explain why.

              Grant

              • 4. Re: The real difference between WPA and WPA2
                Jared

                Grant,

                I guess the thing that is confusing is why would Cisco allow you to use WPA2 and not use the AES cipher that the standard requires. I can understand wanting to use TKIP for older clients that may not have the driver update to support AES. But to be able to configure a WLAN with WPA2 using TKIP makes no sense because it isn't WPA2 if it is using TKIP.

                • 5. Re: The real difference between WPA and WPA2
                  GSauls

                  Hi Jared,

                  I find it stranger that you would not be allowed to configure WPA2 with AES.

                  What Cisco equipment are you using? That might give us a clue as to why.

                  Grant

                  • 6. Re: The real difference between WPA and WPA2
                    Adrian Soh

                    Hi,

                    Thanks to marketing, WPA version 1 and 2 definitions have been blurred and needless to say caused difficulty.  WPAv1 was defined (2001 I think) as an immediate and interim solution to 802.11i that "enhanced security" using TKIP.  WPAv2 aka 802.11i aka Robust Security Network (RSN) was finalised in 2004 (I think) and enhanced security again using AES with backwards compatibility with WPAv1.  You should see some Chinese translations into English, and the translations regarding 802.11 draft-N.  Boasting 300mb/s using optional 1 or 2 antenna?? come on!

                    So, technically WPAv2 doesn't understand TKIP but Cisco has allowed this configuration on those WLCs.  You'll notice when you flick WPA TKIP/AES and WPAv2 TKIP/AES on, clients cannot connect to those Virtual APs because it's confused!

                    However because of Cisco's "additional features", the integration with Windows networks running Server 2003 Standard/Enterprise as Domain Controller has been much easier!!!  You can configure WLC WPA/AES and use group policy to push the configurations to Windows wireless clients (Server 2003 doesn't understand WPAv2).

                    So in fact, THANK YOU CISCO!!

                    Thanks

                    Adrian
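The distinction Grant's table and Adrian's reply are describing is visible on the air: an AP announces WPA (v1) in a vendor-specific element (ID 221, OUI 00:50:F2, type 1) and WPA2 in the 802.11i RSN element (ID 48), and each element carries its own group cipher, pairwise cipher list and AKM (PSK or 802.1X/EAP) as 4-byte suite selectors. Because the RSN element can legitimately select TKIP (suite type 2) instead of CCMP (type 4), a "WPA2 with TKIP" WLAN is simply an RSN element with TKIP selectors, which is what a controller advertises when that option is enabled. The decoder below is an added example written for this thread; it is not code from the forum, from Cisco, or from any WLC. The element IDs, OUIs and suite-type numbers come from the WPA and 802.11i specifications; the three sample elements at the bottom are constructed by hand rather than captured from a real network.

```python
"""Decode the WPA (vendor IE 221) and RSN/WPA2 (IE 48) security elements
from the tagged parameters of an 802.11 beacon or probe response.
Added example, not code from the thread; sample IEs are constructed."""
import struct

WPA_OUI = bytes.fromhex("0050f2")   # Microsoft OUI used by pre-standard WPA suites
RSN_OUI = bytes.fromhex("000fac")   # IEEE 802.11 OUI used by RSN/WPA2 suites

# Suite-type numbers are the same under both OUIs.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X/EAP", 2: "PSK"}


def _suite(names, oui, raw):
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    if len(raw) != 4 or raw[:3] != oui:
        return "vendor-" + raw.hex()
    return names.get(raw[3], "unknown-%d" % raw[3])


def _parse_suites(body, oui, default_cipher):
    """Layout shared by the WPA IE (after its OUI/type) and the RSN IE:
    version, group cipher, pairwise suite list, AKM suite list.
    The lists are optional; absent lists fall back to the spec defaults."""
    if len(body) < 6:
        raise ValueError("truncated security IE")
    version = struct.unpack_from("<H", body, 0)[0]
    group = _suite(CIPHERS, oui, body[2:6])
    off, lists = 6, []
    for names in (CIPHERS, AKMS):
        items = []
        if len(body) >= off + 2:
            count = struct.unpack_from("<H", body, off)[0]
            off += 2
            if len(body) < off + 4 * count:
                raise ValueError("suite list overruns IE")
            for _ in range(count):
                items.append(_suite(names, oui, body[off:off + 4]))
                off += 4
        lists.append(items)
    pairwise, akm = lists
    return {"version": version, "group": group,
            "pairwise": pairwise or [default_cipher],
            "akm": akm or ["802.1X/EAP"]}


def parse_security_ies(tagged):
    """Walk the element TLVs and return one record per WPA or RSN element
    found (an AP in mixed mode advertises both)."""
    found, off = [], 0
    while off + 2 <= len(tagged):
        eid, elen = tagged[off], tagged[off + 1]
        data = tagged[off + 2:off + 2 + elen]
        if len(data) != elen:
            raise ValueError("element %d truncated" % eid)
        off += 2 + elen
        if eid == 48:
            rec = _parse_suites(data, RSN_OUI, "CCMP")
            rec["kind"] = "WPA2/RSN"
            found.append(rec)
        elif eid == 221 and data[:4] == WPA_OUI + b"\x01":
            rec = _parse_suites(data[4:], WPA_OUI, "TKIP")
            rec["kind"] = "WPA"
            found.append(rec)
    return found


def summarize(rec):
    """One line in the Personal/Enterprise vocabulary used in the thread."""
    if rec["akm"] == ["PSK"]:
        mode = "Personal"
    elif rec["akm"] == ["802.1X/EAP"]:
        mode = "Enterprise"
    else:
        mode = "/".join(rec["akm"])
    return "%s %s: pairwise=%s group=%s" % (
        rec["kind"], mode, ",".join(rec["pairwise"]), rec["group"])


def legacy_ciphers(rec):
    """Ciphers other than CCMP/AES the element still permits (TKIP = RC4, WEP).
    A non-empty result on an RSN element is exactly the 'WPA2 with TKIP' case."""
    return sorted({c for c in [rec["group"]] + rec["pairwise"] if c != "CCMP"})


# Constructed samples (not captured from any real network).
# RSN IE: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0.
SAMPLE_WPA2_PSK_CCMP = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
# RSN IE selecting TKIP throughout: what a "WPA2 + TKIP" WLAN advertises.
SAMPLE_WPA2_PSK_TKIP = bytes.fromhex(
    "3014" "0100" "000fac02" "0100" "000fac02" "0100" "000fac02" "0000")
# Pre-standard WPA vendor IE: 802.1X/EAP with TKIP (RC4) only.
SAMPLE_WPA_ENT_TKIP = bytes.fromhex(
    "dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f201")
# Mixed-mode beacon carrying both elements back to back.
SAMPLE_MIXED = SAMPLE_WPA_ENT_TKIP + SAMPLE_WPA2_PSK_CCMP

if __name__ == "__main__":
    for blob in (SAMPLE_WPA2_PSK_CCMP, SAMPLE_WPA2_PSK_TKIP, SAMPLE_MIXED):
        for rec in parse_security_ies(blob):
            print(summarize(rec), "| legacy:", legacy_ciphers(rec) or "none")
```

Running the script prints the three combinations from Grant's table as an AP would actually advertise them; `legacy_ciphers` is the check a site survey or a WLC audit script would apply to spot WLANs whose RSN element still permits TKIP, since a client that supports only the 802.11i defaults will not join such a network, which is the symptom Adrian describes.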