Security Basics mailing list archives

Re: 802.1x and PEAP


From: <balinsky () cisco com>
Date: 28 Mar 2004 15:45:32 -0000

In-Reply-To: <EF8CB44BF111D81191FF00065BFEF45C191D03@netsoldns01>

Actually, Cisco supports TKIP as well. Cisco originally came out with their own version when they needed to get a 
Fluhrer-Mantin-Shamir countermeasure into customers' hands quickly, before the standards body was ready. That is the 
Cisco algorithm we now call "CKIP." But, Cisco also supports the standard version of TKIP, and recommends it, because 
it is stronger and it is interoperable. Thus, I believe your concerns about non-compatibility are now obsolete. 

I found this documented at:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184aca.html
Table 1 of this link shows when CKIP, TKIP, and WPA were released:
http://www.cisco.com/en/US/products/hw/wireless/ps4555/prod_release_note09186a00801d7255.html#84464

There is probably a more concise link somewhere (I'm not in the wireless networking group), but I think those cover it.

Thanks,
Andy Balinsky
Network Security Engineer
Cisco Systems

Shankar wrote:


The algorithms used on the "Cisco Access Points" for TKIP & MIC are
proprietary to Cisco - pre-standard implementations 
