Advisory: Tier 2 changes and WPA/TKIP obsolescence

September 2010

Executive Summary

With immediate effect, organisations providing a Tier 2 service need not offer WPA; however, they may continue to offer WPA if they wish. Participants should now provide support for WPA2 throughout their eduroam networks.

Important News from the Wi-Fi Alliance

The Wi-Fi Alliance has endorsed a phased plan for the removal of WEP and WPA/TKIP support from products manufactured by its members. Whilst WEP has not been permitted for use with eduroam services since May 2009, the withdrawal of support for TKIP is of current relevance to organisations participating in eduroam(UK).

The Alliance roadmap phases out TKIP in new products over three years beginning in January 2011.

WPA/TKIP is already disallowed in 802.11n. For 802.11 a/b/g products, the first significant milestone in the withdrawal of TKIP is January 2011. From this date, access points will not be permitted to utilise TKIP alone. Mixed modes, in which an access point can accept either TKIP or AES keys, will however still be allowed and this concession will continue until January 2014.

From January 2012, the TKIP-only ban will be extended to apply to all devices, i.e. Wi-Fi adapters. So, from this date, all new products must be able to support AES.

January 2013 sees the final disallowance of WEP on access points, followed in January 2014 by the removal from all other devices (Wi-Fi adapters).

From January 2014, mixed mode will be prohibited in access points, effectively banning TKIP in new access point products (and making it pointless to continue TKIP support in Wi-Fi adapters).

An important step towards improving wireless networking security and the move towards WPA2/AES has been made in allowing manufacturers to ship new products that use WPA2 out of the box. Previously the Wi-Fi certification required access points to be set by default to open and the onus was on the purchaser to configure security – WPA/TKIP, mixed mode or WPA2/AES as required.

Implications for eduroam(UK) Participants

Janet welcomes the Wi-Fi Alliance’s intention to withdraw TKIP from its products since we have long recommended the use of WPA2/AES. A useful article has been published by the Wireless Technology Advisory Service describing the problems associated with TKIP:

http://community.jisc.ac.uk/library/advisory-services/wlan-problems-arising-continued-use-wpa-tkip

The withdrawal of TKIP means that eventually users of eduroam networks will have to utilise WPA2/AES. Moreover, there is no good reason for the continuing use of TKIP wherever WPA2/AES is available.

Janet makes the following recommendations:

  1. The requirement for Wi-Fi access points to be able to support WPA2/AES has been in place for some time, so it is unlikely that your wireless LANs will contain TKIP-only equipment. However, to be certain of this, wireless networks should be audited to determine their readiness for WPA2/AES and equipment replacement programmes should be drawn up as necessary.
  2. WPA2/AES should be enabled on any Wi-Fi networks (eduroam in particular) that do not already support it.
  3. Users should receive proactive guidance to adopt the highest possible level of security. This is an important component of the transition away from WPA/TKIP. This can include help-desk technical support, documentation and web-based instructions.
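
An added example (not part of the original advisory, and not Janet tooling) of the audit in recommendation 1: it classifies each access point broadcasting eduroam as TKIP-only, mixed mode or AES-only from the cipher suites it advertises. The scan text is a constructed, abridged sample modelled on `iw dev <ifname> scan` output, and the function names are assumptions.

```python
import re

# Constructed, abridged sample modelled on `iw dev <ifname> scan` output.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    SSID: eduroam
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:02(on wlan0)
    SSID: eduroam
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
BSS 02:00:00:00:00:03(on wlan0)
    SSID: eduroam
    RSN:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:04(on wlan0)
    SSID: guest
"""

CIPHER_RE = re.compile(r"\* (?:Group cipher|Pairwise ciphers): (.+)")

def classify(ciphers):
    """Name the advisory's category for a set of advertised cipher suites."""
    if not ciphers:
        return "no WPA/RSN advertised"
    if ciphers == {"TKIP"}:
        return "TKIP-only"
    return "mixed mode" if "TKIP" in ciphers else "AES-only"

def audit_scan(text, ssid="eduroam"):
    """Map each BSSID advertising `ssid` to its WPA2/AES readiness."""
    seen, cur = {}, None  # bssid -> {"ssid": str, "ciphers": set}
    for line in text.splitlines():
        start = re.match(r"BSS ([0-9a-f:]{17})", line)
        cipher = CIPHER_RE.search(line)
        if start:  # a new BSS record begins
            cur = seen.setdefault(start.group(1), {"ssid": None, "ciphers": set()})
        elif cur is not None and line.strip().startswith("SSID:"):
            cur["ssid"] = line.split(":", 1)[1].strip()
        elif cur is not None and cipher:  # WPA and RSN elements are merged
            cur["ciphers"].update(cipher.group(1).split())
    return {b: classify(v["ciphers"]) for b, v in seen.items() if v["ssid"] == ssid}
```

Access points reported as TKIP-only are the candidates for the replacement programme; those in mixed mode can be moved to WPA2/AES once client guidance (recommendation 3) is in place.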

Whilst the current base of Wi-Fi equipment will continue to work using TKIP for a considerable period of time, the writing is clearly on the wall. WPA/TKIP has known vulnerabilities (see article above) and there is no good reason for unnecessarily prolonging its use.

Relaxation of eduroam(UK) Service Tier 2 Mandatory Requirement to Support WPA

In light of the Wi-Fi Alliance’s endorsement of its plan to remove WPA/TKIP support, and the fact that a number of organisations participating in eduroam(UK) have expressed a strong desire to turn off WPA/TKIP on their eduroam networks, Janet has relaxed the mandatory requirement that eduroam(UK) Tier 2 participants must support WPA on their eduroam networks. With immediate effect, participants need not offer WPA; they may continue to offer it if they wish, but they should provide support for WPA2 on their eduroam networks. A revision to the eduroam(UK) Technical Specification will be announced shortly.

Edward Wincott
eduroam(UK) Service Manager
Janet