A blog with tips, tricks and tutorials to help you prepare your CCIE Wireless lab exam.

Wednesday, July 21, 2010

7921: can you do WPA2?

You may have read different stories about the 7921 phone and its support for "strong encryption", that is, AES-CCMP with WPA2. Here is the issue:
The 7921 phone, until firmware 1.3(4), does support CCKM, WPA and WPA2, but not in every combination of those!
- WPA (TKIP) and CCKM work fine
- WPA (AES) and CCKM work fine, but this is bad practice (so that's a no no, unless you are specifically asked for this awful combination, because after all, it's a lab, not real life)
- WPA2 (TKIP) and CCKM work fine, but this too is ugly, so another no no, unless they really insist.
- WPA2 (AES) and CCKM do NOT work together. What happens is that the phone does not handle the roaming process well for the AES-encrypted keys, and forces a full reauthentication.
In other words, you usually want to enable CCKM with voice, because CCKM caches the key and allows for faster roaming (which is good for voice). But combined with WPA2 (AES), this does not work on a 7921 with a firmware older than 1.3(4).

So what should you do? Use WPA (TKIP) and CCKM, or WPA2 (AES) without CCKM? Well, everything pushes you to use WPA (TKIP) with CCKM. The reason is that there is no reasonably usable attack against WPA/TKIP encryption (provided you use 802.1X authentication, and not PSK), so TKIP is rather secure, and CCKM is definitely a plus for voice.

But all this applies if you use a firmware older than 1.3(4). On 1.3(4) and later, you would prefer WPA2 (AES) with CCKM, which is a supported combination on 1.3(4) and later. This firmware was released in its stable form at the end of May 2010. The CCIE W lab started a year before. So unless the hardware was updated in the lab (the lab blueprint does not specify a 7921-specific firmware version), you will get firmware 1.2.1 and will have to go for the WPA/CCKM combination, if you have voice, 7921s and a requirement for strong encryption... but it may be worth checking!
On your phone, press the down arrow to access the tool box, then go to "6, status", then "4.Firmware version" to check the App Load ID, which will display the firmware with a value in the form CP7921G-1.2.1.LOADS.
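
The firmware rule above applied to a phone inventory, as an added Python example that is not part of the original post. The phone names, the sample inventory, the function names, the handling of unreadable firmware strings, and the assumption that release 1.3(4) appears on the phone as CP7921G-1.3.4.LOADS are all assumptions made for the example.

```python
import re

# From the post: WPA2 (AES) + CCKM is a supported combination on 1.3(4) and later.
CCKM_AES_MIN = (1, 3, 4)

# App Load ID as shown on the phone, e.g. CP7921G-1.2.1.LOADS.
LOAD_ID = re.compile(r"^CP7921G-(\d+)\.(\d+)\.(\d+)\.LOADS$", re.IGNORECASE)
# Release notation as used in the post, e.g. 1.3(4).
RELEASE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")


def parse_firmware(text):
    """Return (major, minor, maintenance), or None if the string is not recognised."""
    text = text.strip()
    match = LOAD_ID.match(text) or RELEASE.match(text)
    return tuple(int(part) for part in match.groups()) if match else None


def recommend(text):
    """Security combination the post recommends for one phone's firmware."""
    version = parse_firmware(text)
    if version is None:
        return "unknown"
    return "WPA2 (AES) + CCKM" if version >= CCKM_AES_MIN else "WPA (TKIP) + CCKM"


def wlan_policy(inventory):
    """Pick one combination for a voice WLAN shared by all phones.

    Assumption: phones with old or unreadable firmware hold the whole WLAN
    at WPA (TKIP) + CCKM. Returns (combination, sorted names of those phones).
    """
    blockers = sorted(name for name, fw in inventory.items()
                      if recommend(fw) != "WPA2 (AES) + CCKM")
    combo = "WPA (TKIP) + CCKM" if blockers else "WPA2 (AES) + CCKM"
    return combo, blockers


# Constructed sample inventory: phone name -> firmware string.
SAMPLE = {
    "phone-a": "CP7921G-1.2.1.LOADS",
    "phone-b": "CP7921G-1.3.4.LOADS",  # assumed load ID form of 1.3(4)
    "phone-c": "1.3(4)",
    "phone-d": "not-read-yet",
}

if __name__ == "__main__":
    for name, fw in SAMPLE.items():
        print(f"{name}: {fw} -> {recommend(fw)}")
    print(wlan_policy(SAMPLE))
```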

5 comments:

  1. Real world and lab related question: what about WPA2 + PKC? Is this supported on the 7921, and does it provide fast roaming comparable to WPA + CCKM?

  2. I think I can answer my own question. In this thread it's stated PKC isn't supported and won't be:
    https://cisco-support.hosted.jivesoftware.com/message/1313958
    Also the 7921G Deployment Guide doesn't mention PKC.
