WPA2 EAP and TKIP

ios.png

The above example is in MikroTik.

QUESTIONS:

I need input on how to disable "WPA2 EAP" and enable TKIP in cnMaestro and E410

REASON

1. WPA2 EAP needs to be disabled in order for an old iPad to connect successfully

2. TKIP needs to be enabled so that an old Samsung Galaxy Tab can connect

tq

To enable EAP, please follow the instructions HERE.

To enable TKIP, please enable Telnet or SSH to the radio, and enter these commands via the CLI:

E400-AP(config)# wireless wlan <ID>
E400-AP(config-wlan-<ID>)# allow-tkip
E400-AP(config-wlan-<ID>)# save

1. Do you mean EAP is only enabled by choosing Enterprise Security?

In other words, it's disabled if I am not using Enterprise Security?

2. Your way uses the CLI to enable TKIP

Is it possible to enable TKIP using the AP GUI or cnMaestro?

Or maybe there is no checkbox to enable TKIP in the GUI, and that's why you use the CLI?


@nbctcp wrote:

1. Do you mean EAP is only enabled by choosing Enterprise Security?

In other words, it's disabled if I am not using Enterprise Security?

Correct.

2. Your way uses the CLI to enable TKIP

Is it possible to enable TKIP using the AP GUI or cnMaestro?

Or maybe there is no checkbox to enable TKIP in the GUI, and that's why you use the CLI?

You must use the CLI to enable TKIP... this option is not available in the GUI.




TKIP is not in the GUI, as the Wi-Fi Alliance recommends vendors not support TKIP configuration on primary device interfaces due to it being a vulnerable protocol: https://www.wi-fi.org/file/technical-note-removal-of-tkip-from-wi-fi-devices

We have support for it, and it is exposed through the CLI for backward compatibility with older clients. This still provides two configuration options:

1. if the AP is used standalone, you can ssh to the AP and make this configuration change.

2. if you are using cnMaestro to manage the AP, you can use device overrides:

wireless wlan 1

allow-tkip

I am following your steps, but "allow-tkip" didn't appear in my E410 config

What's wrong?

tq

FIXED

allow-tkip conflicts with 802.11w, so 802.11w State needs to be disabled


Thank you for noting that. We'll update the CLI help (or better, try to handle this internally within the AP so the user does not have to tweak it).
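
An added example, not part of the thread and not Cambium code: one way to confirm from the outside what a WLAN actually advertises after a change like the one above is to decode the RSN element (ID 48) from a captured beacon and check for EAP, TKIP, and the TKIP/802.11w combination the thread reports as conflicting. The sample elements are constructed, the finding names are hypothetical labels, and only the RSN element is handled (the older WPA vendor element is out of scope).

```python
import struct

RSN_OUI = b"\x00\x0f\xac"            # IEEE 802.11 suite selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP-128"}
AKMS = {1: "802.1X", 2: "PSK"}       # 802.1X is the EAP ("Enterprise") AKM

def _suite(buf, off, names):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    sel = buf[off:off + 4]
    if len(sel) != 4:
        raise ValueError("truncated RSN element")
    if sel[:3] != RSN_OUI:
        return "vendor:" + sel.hex()
    return names.get(sel[3], "type-%d" % sel[3])

def _suite_list(buf, off, names):
    """Decode a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", buf, off)
    items = [_suite(buf, off + 2 + 4 * i, names) for i in range(count)]
    return items, off + 2 + 4 * count

def parse_rsn(ie):
    """Parse an RSN element as carried in a beacon or probe response."""
    if len(ie) < 4 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]                     # body[0:2] is the version field
    group = _suite(body, 2, CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akm": akm,
            "mfp_capable": bool(caps & 0x0080), "mfp_required": bool(caps & 0x0040)}

def audit(ie):
    """Return findings relevant to the thread: EAP, TKIP, TKIP with 802.11w."""
    rsn, findings = parse_rsn(ie), []
    tkip = "TKIP" in rsn["pairwise"] or rsn["group"] == "TKIP"
    if "802.1X" in rsn["akm"]:
        findings.append("eap-advertised")
    if tkip:
        findings.append("tkip-advertised")
    if tkip and (rsn["mfp_capable"] or rsn["mfp_required"]):
        findings.append("tkip-with-802.11w")
    return findings

# Constructed sample elements (not captured from any device).
MIXED_PSK = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")
EAP_PMF = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "8000")
```

Feed `audit()` the raw bytes of the RSN tag exported from a packet capture of the WLAN's beacon; an empty list means PSK with CCMP only and no TKIP on offer.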