Amid the alphabet soup of what is 802.11-standard security, how do you merge support for a mix of client devices that support the range of Wi-Fi security protocols?
Advertisement:

If you are building greenfield wireless LANs from scratch, you have the option to build in the strongest available security by using equipment that supports all the 802.11i-standard Wireless Protected Access-2 (WPA2) capabilities in access points (AP) and laptops. However, you may have to deploy some devices that don’t yet support WPA or WPA2 and, at best, might support dynamic Wired Equivalent Privacy (WEP). You’ll be hard-pressed to find a barcode scanner that supports 802.11i/WPA2, for example.

On the good-news front, wireless IP phones are getting more secure: SpectraLink supports all three protocols, and Cisco wireless IP phones support WPA.

So is WPA2 backward compatible?
Given this, you might wonder if WPA2 is backward-compatible with WPA, and whether WPA is backward-compatible with dynamic and static WEP so that one AP infrastructure could support the gamut of protocols. The answer is technically no, but operationally yes.

You can support all three security mechanisms on a single physical Wi-Fi network. However, client devices must find a protocol match on the APs to which they associate. In other words, WEP has to talk to WEP; it can’t talk to WPA or WPA2.

The way you accommodate this is by divvying up the physical network into separate logical “security networks.” Most of the enterprise-class access point makers support all three protocols at the high end, as well as the ability to create separate service set identifiers (SSID) associated with corresponding virtual LANs (VLANs) to accommodate each protocol. So, in other words, on one physical Wi-Fi network, you could have three logical security networks: a WEP network, a WPA network, and a WPA2 network.

You can add more logical networks for other security reasons; most enterprise-class APs support at least up to 16 SSIDs and VLANs. For example, you may wish to further segregate the network logically based on other criteria, such as putting all voice on one logical network, guest user access on another, and so forth.