WEP help

Jouni Malinen jkmaline at cc.hut.fi
Sat Dec 7 19:46:16 EST 2002


On Thu, Dec 05, 2002 at 01:11:02PM -0500, Doug Yeager wrote:

> My linksys card always wants me to put in my own pass phrase or keys.  I
> don't want it to ask.  I just want the server to assign me one and me to
> accept it like https.

Then you would need to use IEEE 802.1x..

There are some problems with running an AP that would support both WEP
or .1x and guest users without any encryption. One issue that was
already mentioned, is the Privacy bit in beacons. WinXP requires this
bit for .1x and non-WEP stations might require the bit to be off before
they even try to associate.

If .1x is not a suitable method for your environment, you might be able
to something else in a bit more adhoc style. To get rid of the beacon
Privacy bit problem, you would probably need to configure the AP and all
stations to default to some publicly known key. Stations using this key
could then get the "guest privileges" (e.g., limited Internet access or
limited QoS priority/ bandwidth, etc.). Privileged users would first use
the common WEP key to authenticate (using, e.g., .1x, nocatauth, or
whatever) and as part of this process, a dynamic key would be assigned
to them and firewall/QoS configuration would be changed.

Currently, you would need to update firewall/QoS configuration for each
station, but I have considered adding some kind of packet tagging to the
driver code for 802.1x use. This would make it easier to configure
firewall for .1x-authorized and non-authorized (i.e., guest) users.
Current version of hostapd does not allow such behavior, i.e., all
non-authorized data frames will be dropped unconditionally.

I know that this would still require some configuration changes to the
clients using guest mode (i.e., setting up that WEP key). The AP could
be configured to allow non-encrypted frames, but the beacons would still
be sent with Privacy bit. I haven't tested this, but it might be
possible to get at least some non-1x stations associating with the AP
even without changing WEP configuration of the station.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list