Does higher WLAN security / encryption slow down that same WLAN traffic?

  • 0
  • 1
  • Question
  • Updated 1 year ago
  • Answered
We're using Extreme AP7532's with a VX9000 controller in a great big 800,000 sq ft warehouse setting. This building has various types of conveyors, racking filled with boxes & product and we're using a voice controlled pick & pack system.

The vendor of this voice system is complaining that their system is running slow and having delays receiving data from the server because we're using WPA2-Enterprise security. They've recommended that we downgrade it to WPA2-personal, saying that higher security slows down a network.

I've tried researching and google searching this, but all I find is articles relating to home wifi and which is the best wifi security to use. Nothing ever mentions anything about 'higher security slows down wifi traffic'.

Has anyone heard of such a thing?

Photo of Jacob Airov

Jacob Airov

  • 308 Points 250 badge 2x thumb

Posted 1 year ago

  • 0
  • 1
Photo of Timo


  • 3,210 Points 3k badge 2x thumb
The speed of WPA 2 PSK and 802.1x is the same.

For the encryption we need a MSK. For PSK this is the PSK converted to a 64 HEX value. For 802.11x the MSK is delivered from the AAA, also 64 HEX value.

From the encryption view, AES need more power than TKIP. But if you compare PSK and 802.11x, no different.

Only the initial connection needs more time, because you need to authenticate again the AAA. After this you have 802.11r (Fast Transition) that supports very fast roaming.

For a easy test, you can check the performance at one AP. If you don't roam and it won't work, it's not a problems from WPA2 802.1x.
Photo of Ondrej Lepa

Ondrej Lepa, Employee

  • 5,638 Points 5k badge 2x thumb
Hi Jacob,

As Timo already mentioned - encrypted traffic has no significant difference.

However, we are most probably talking about hand-off which might be an issue for device not supporting 802.11r. While using 802.1x / EAP you may end up with up to 700 ms and certain VoWiFi defices require less than 150 ms - case of WPA/2-PSK

Taken from CWSP-204 study book - "Roaming and Dynamic keys"

Photo of Bin

Bin, Employee

  • 5,372 Points 5k badge 2x thumb
Hi Jacob,  also agree it .
Even, there is no significant traffic between non-encrypted and encrypted traffic.
Photo of Phil storey

Phil storey

  • 1,254 Points 1k badge 2x thumb
which voice picking solution are you using ?
Photo of Jacob Airov

Jacob Airov

  • 308 Points 250 badge 2x thumb
We're using Lucas.
Photo of Aviv Kedem

Aviv Kedem

  • 1,714 Points 1k badge 2x thumb
Hi Jacob,
I advice to take a look at drops on aps, signal quality.
Ensure that has enabled on wlan profile:
wpa-wpa2 opp-pmk-caching
wpa-wpa2 pmk-caching
and you have virtual controller or controller.

And you can take a test how many time take a radius authentication procedure.

time-it service radius test secret username password

This amount of time spended only on a first connectiion.


Photo of Phil storey

Phil storey

  • 1,254 Points 1k badge 2x thumb
Hi,  what you could do as a test is create  an ACL for the VP units or one at least, then create a test wifi using wpa-tkip, map the test network to your APs then test, I know a few years ago the vocollect units did not handle wpa very well, so we had to use wep-128 and an ACL, ( at the time they used symbol wifi cards so we could enable keyguard as well. Like I say it was along time ago. Do Lucas give any recommendations for the wlan settings or even the VP units themselves i.e firmware updates etc, How is the wlan setup ? are you using smart RF ? I recall a job where we supplied the PDT / MDT units, And the performance was terrible, It was another supplier that installed the wifi kit, which was cisco wlan controller, The site was huge and the AP's were all mounted high above the racking. The site was sporting goods. the wlan controller was using the cisco smartRF , as the AP's had clear site of each other they were backing the power off, they were also over 15m in the air with standard rubber duck antenna., anyway it was suggested that the smart RF was turned off and the power adjusted manually,( site survey )  and eventually we sorted it,