lcpwc
just joined
Topic Author
Posts: 9
Joined: Thu Apr 26, 2018 1:49 pm

Use AES-CCM only (unicast & group ciphers)

Tue May 08, 2018 4:49 pm

Hello,
I'd like to enforce security on my wireless network (about 130 APs) to only use WPA2 + AES.
I searched both the forum and wiki but wasn't able to find anything about forcing only AES also for GROUP CIPHERS.

Based on the standard, "modern" (after 2006...) devices must support WPA2, which REQUIRES AES.
So a "TKIP-free" wifi network should work for most devices.
Are you aware of any issues in forcing AES for group ciphers?

Thanks.
 
R1CH
Forum Veteran
Posts: 883
Joined: Sun Oct 01, 2006 11:44 pm

Re: Use AES-CCM only (unicast & group ciphers)

Tue May 08, 2018 9:48 pm

No one should be considering TKIP in 2018 for either unicast or group ciphers. It's trivially broken and AES has been part of the spec since 2004. Any device not supporting AES today belongs in the trash.
 
lcpwc
just joined
Topic Author
Posts: 9
Joined: Thu Apr 26, 2018 1:49 pm

Re: Use AES-CCM only (unicast & group ciphers)

Tue May 08, 2018 11:39 pm

Thanks for the reply, that was also my idea.
Glad to see someone else agrees.
Bye
 
scampbell
Trainer
Posts: 446
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: Use AES-CCM only (unicast & group ciphers)

Wed May 09, 2018 1:37 am

In addition to what R1CH says, TKIP and/or WPA (not WPA2) if used, will drop performance on Wireless N networks to no more than 54Mbps - if we see TKIP and/or WPA-PSK anywhere we disable it :-)

If a device requires TKIP that represents a sales opportunity to replace the device .....

Here is an interesting article: https://www.howtogeek.com/204697/wi-fi- ... p-or-both/
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
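
An added example, not posted by anyone in this thread: with about 130 APs, one way to find the profiles that still permit TKIP or WPA1 is to audit each router's exported security profiles against the policy discussed above (WPA2 only, AES-CCM for both unicast and group ciphers). It assumes RouterOS `export verbose` output so that `authentication-types`, `unicast-ciphers` and `group-ciphers` are all printed; the sample export and its profile names are constructed.

```python
import re
import shlex

# Constructed sample shaped like `/interface wireless security-profiles export verbose`
# output; profile names are made up and key material is omitted.
SAMPLE_EXPORT = r'''
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=legacy unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk group-ciphers=tkip mode=dynamic-keys name=\
    mixed-group unicast-ciphers=aes-ccm
add authentication-types=wpa2-psk group-ciphers=aes-ccm mode=dynamic-keys name=\
    strict unicast-ciphers=aes-ccm
/interface wireless
set [ find default-name=wlan1 ] security-profile=strict
'''

# Policy from the thread: WPA2 only, AES-CCM only, for unicast AND group ciphers.
ALLOWED = {
    "authentication-types": {"wpa2-psk", "wpa2-eap"},
    "unicast-ciphers": {"aes-ccm"},
    "group-ciphers": {"aes-ccm"},
}

def audit_profiles(export_text):
    """Return {profile name: [offending key=value, ...]} for non-compliant profiles."""
    # RouterOS wraps long export lines with a trailing backslash, even mid-token.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    findings, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/interface wireless security-profiles"
        elif in_section and line.startswith(("add ", "set ")):
            props = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
            bad = sorted(
                f"{key}={value}"
                for key, allowed in ALLOWED.items()
                for value in props.get(key, "").split(",")
                if value and value not in allowed
            )
            if bad:  # a `set [ find default=yes ]` line carries no name= property
                findings[props.get("name", "default")] = bad
    return findings

if __name__ == "__main__":
    for name, bad in audit_profiles(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(bad)}")
```

A property missing from a compact (non-verbose) export is not flagged here, so run it against verbose exports.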
 
lcpwc
just joined
Topic Author
Posts: 9
Joined: Thu Apr 26, 2018 1:49 pm

Re: Use AES-CCM only (unicast & group ciphers)

Wed May 09, 2018 9:44 am

Hello Scampbell,
thanks for your contribution to this topic.

I remember I had some issues years ago (perhaps around 2011) while playing with unicast/group ciphers but cannot recall the exact issue.
BTW, it was my first Mikrotik config so probably I made a mistake somewhere or I was using obsolete hardware...

OK, it's time to phase out TKIP.

Have a nice day
