This topic is to discuss the following lesson:
Hi Rene.
Really great lesson. Hopefully CCNA will not asks too much details of knowledge. There are so many acronyms with funny names: EAP, PEAP (sounds like a mouse…)
Just one small thing. In the conclusion there is a small typo. CGMP should be GCMP off course
Regards,
Robert
1 Like
Hello Robert
Great to hear that the lessons are being helpful for you! Also, thanks for pointing out the typo, I’ll let @ReneMolenaar know…
Laz
Hello,
I’d like to ask for clarification regarding the following question:
- The ENCOR OCG shows the following WLC page (sorry about the grainy image, it’s like that in the book):
WPA2 Policy is selected in this example. However, I see that GCMP encryption types can also be selected. What is the reason why this is offered, if only WPA3 can use GCMP, while the other WPA versions can’t?
- This table is from the CCNA OCG:
Comparing the two images, I can see why the WLC would offer a WPA+WPA2 combo (because both can use CCMP, while WPA3 can’t), but why is a WPA2+WPA3 combo offered? The CCNA OCG table shows that WPA2 and WPA3 have no common encryption and MIC algorithm. The only things they have in common is that they both support PSK and 802.1x, but by that logic, there would have to be a WPA+WPA3 combo as well, because those two also have them in common. Yet, there is no such combination. The only answer I could think of is that clients can use both, and that one is picked that the client can support.
The ENCOR OCG does say that hybrid mode is possible in case some legacy devices still use WPA, but that still doesn’t answer the question why hybrid mode is only allowed for WPA+WPA2, and not for WPA+WPA3.
Can someone please help me find the answers?
Thank you.
Happy New Year to Everyone! 
Attila
Hello Attila
Happy New Year to you too!
The GCMP encryption option is listed under WPA2 Encryption in the WLC settings because some WPA2 implementations, particularly those used in 802.11ac and 802.11ax (Wi-Fi 5 and Wi-Fi 6) can actually use GCMP. It’s not common, but it is possible, hence its inclusion in the options. However, it’s more commonly used with WPA3, as you’ve rightly pointed out.
No officially, WPA2 should not support GCMP, and according to the Wi-Fi Alliance, which has published the WPA2 and WPA3 standards, WPA2 does not support it. However, because many manufacturers use IEEE standards that do support it, they must indicate this in some way on their interfaces. I believe that this is what happened here, where the GCMP option was placed under the WPA2 encryption section.
Remember, vendors don’t always conform exactly to the standards they deliver, and I believe that this is a case where Cisco has chosen to adhere more to the 802.11ac and ax standards rather than the WPA2 standard.
The “combo” option of any type doesn’t mean that both security definitions are used simultaneously on a client. It simply means that the AP can connect to clients using either WPA2 or WPA3. It’s really providing backward compatibility with older devices that may only support WPA2, while also offering the enhanced security features of WPA3 for newer devices. You’re right, they could have also included a WPA+WPA3 combo. I believe that it is technically possible, but I can’t think of any situation in which you would want to choose such an option. So I believe that it was more of a design choice of the WLC engineers rather than a technical impossibility.
If you’re in an environment where WPA3 is available, you wouldn’t want to use WPA. In fact, it is best practice not to use it ever.
I hope this has been helpful!
Laz
1 Like
Hello, everyone.
If I understand the purpose of WPA correctly, whenever we log in to a WLC/AP or even a wireless router, we have to configure which WPA version we’re using
So when a device is manufactured, it goes through testing and based off what its capabilities are (what protocols it supports and so on), its certified as WPA/WPA2/WPA3.
The WPA versions basically define what security protocols and parameters the device supports?
Thank you.
David
Hello David
Yes you are correct. For more about WPA, take a look at this NetworkLessons note. Each WPA version supports various security parameters, however, each version has enhanced its process with improved security aspects.
I hope this has been helpful!
Laz
Hello Laz.
Thank you! I have one more question. Why is WPA called “L2 Security” while something like WebAuth is considered L3 security?
Where do these terms come from? WebAuth is done after you openly authenticate and obtain and IP address while WPA is done on layer 2 before the user even receives an IP address, is that why it’s called L2/L3 security?
David
Hello David
Yes, you are correct. The terms have to do with the OSI layer at which each mechanism operates.
WPA is termed “Layer 2 Security” because it operates at the Data Link layer (Layer 2) of the OSI model, which governs direct communication between devices on a network. It authenticates users and encrypts traffic before a device receives an IP address, as part of the foundational Wi-Fi connection process.
In contrast, WebAuth typically occurs at Layer 3 (Network Layer) or higher, as it requires IP connectivity to redirect users to a captive portal for authentication after basic network access is granted.
I hope this has been helpful!
Laz