Wi-Fi Protected Access (WPA)

This topic is to discuss the following lesson:

Hi Rene.

Really great lesson. Hopefully CCNA will not ask too much detail of knowledge. There are so many acronyms with funny names: EAP, PEAP (sounds like a mouse…)
Just one small thing. In the conclusion there is a small typo. CGMP should be GCMP, of course.

Regards,
Robert

1 Like

Hello Robert

Great to hear that the lessons are being helpful for you! Also, thanks for pointing out the typo, I’ll let @ReneMolenaar know…

Laz

Hello,

I’d like to ask for clarification regarding the following question:

  1. The ENCOR OCG shows the following WLC page (sorry about the grainy image, it’s like that in the book):

WPA2 Policy is selected in this example. However, I see that GCMP encryption types can also be selected. What is the reason why this is offered, if only WPA3 can use GCMP, while the other WPA versions can’t?

  2. This table is from the CCNA OCG:

Comparing the two images, I can see why the WLC would offer a WPA+WPA2 combo (because both can use CCMP, while WPA3 can’t), but why is a WPA2+WPA3 combo offered? The CCNA OCG table shows that WPA2 and WPA3 have no common encryption and MIC algorithm. The only things they have in common is that they both support PSK and 802.1x, but by that logic, there would have to be a WPA+WPA3 combo as well, because those two also have them in common. Yet, there is no such combination. The only answer I could think of is that clients can use both, and that one is picked that the client can support.

The ENCOR OCG does say that hybrid mode is possible in case some legacy devices still use WPA, but that still doesn’t answer the question why hybrid mode is only allowed for WPA+WPA2, and not for WPA+WPA3.

Can someone please help me find the answers?

Thank you.
Happy New Year to Everyone!
Attila

Hello Attila

Happy New Year to you too!

The GCMP encryption option is listed under WPA2 Encryption in the WLC settings because some WPA2 implementations, particularly those used in 802.11ac and 802.11ax (Wi-Fi 5 and Wi-Fi 6) can actually use GCMP. It’s not common, but it is possible, hence its inclusion in the options. However, it’s more commonly used with WPA3, as you’ve rightly pointed out.

No, officially, WPA2 should not support GCMP, and according to the Wi-Fi Alliance, which has published the WPA2 and WPA3 standards, WPA2 does not support it. However, because many manufacturers use IEEE standards that do support it, they must indicate this in some way on their interfaces. I believe that this is what happened here, where the GCMP option was placed under the WPA2 encryption section.

Remember, vendors don’t always conform exactly to the standards they deliver, and I believe that this is a case where Cisco has chosen to adhere more to the 802.11ac and ax standards rather than the WPA2 standard.

The “combo” option of any type doesn’t mean that both security definitions are used simultaneously on a client. It simply means that the AP can connect to clients using either WPA2 or WPA3. It’s really providing backward compatibility with older devices that may only support WPA2, while also offering the enhanced security features of WPA3 for newer devices. You’re right, they could have also included a WPA+WPA3 combo. I believe that it is technically possible, but I can’t think of any situation in which you would want to choose such an option. So I believe that it was more of a design choice of the WLC engineers rather than a technical impossibility.

If you’re in an environment where WPA3 is available, you wouldn’t want to use WPA. In fact, it is best practice not to use it ever.

I hope this has been helpful!

Laz

1 Like
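To show what a WPA2+WPA3 "combo" looks like on the air, here is an added example (my own code, not from the lesson, the thread or Cisco): the AP lists every permitted cipher and key-management (AKM) suite in one RSN information element, and each client picks a pair it supports. The suite-selector numbers are the IEEE 802.11 ones; the function names, the classification labels and the sample IE bytes are my own constructions, and the original WPA (TKIP via the vendor-specific WPA IE) is not parsed here.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite-selector OUI

# Cipher suite selector types (OUI 00-0F-AC)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128",
           12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
# AKM suite selector types (OUI 00-0F-AC)
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "SUITE-B-192", 18: "OWE"}


def _suite(raw, table):
    """Map a 4-byte selector (3-byte OUI + 1-byte type) to a name."""
    if raw[:3] != OUI:
        return "vendor:" + raw.hex()
    return table.get(raw[3], f"type-{raw[3]}")


def parse_rsn(body):
    """Parse an RSN IE body (bytes after element ID 48 and the length byte)."""
    pos = 0
    version = struct.unpack_from("<H", body, pos)[0]; pos += 2
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(body[pos:pos + 4], CIPHERS); pos += 4
    n = struct.unpack_from("<H", body, pos)[0]; pos += 2
    pairwise = [_suite(body[pos + 4 * i:pos + 4 * i + 4], CIPHERS) for i in range(n)]
    pos += 4 * n
    n = struct.unpack_from("<H", body, pos)[0]; pos += 2
    akm = [_suite(body[pos + 4 * i:pos + 4 * i + 4], AKMS) for i in range(n)]
    pos += 4 * n
    # RSN Capabilities: bit 6 = MFP required, bit 7 = MFP capable (optional field)
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}


def classify(rsn):
    """Name the Personal (PSK/SAE) mode the IE advertises and flag weak choices."""
    akm = set(rsn["akm"])
    has_psk = bool(akm & {"PSK", "PSK-SHA256", "FT-PSK"})  # WPA2-Personal AKMs
    has_sae = bool(akm & {"SAE", "FT-SAE"})                # WPA3-Personal AKMs
    mode = ("WPA2/WPA3-Personal transition" if has_psk and has_sae else
            "WPA3-Personal" if has_sae else
            "WPA2-Personal" if has_psk else "no Personal AKM advertised")
    notes = []
    if "TKIP" in rsn["pairwise"] or rsn["group"] == "TKIP":
        notes.append("TKIP offered (WPA-era cipher)")
    if has_sae and not rsn["mfpc"]:
        notes.append("SAE without PMF capable bit")
    return mode, notes


# Constructed sample: PSK + SAE, CCMP-128 only, PMF capable but not required.
TRANSITION_IE = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                              "0200" "000fac02" "000fac08" "8000")
```

Run `classify(parse_rsn(TRANSITION_IE))` to see the transition mode reported; a WPA3-only IE would carry just the SAE AKM and set both PMF bits.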