RSN questions

Jouni Malinen jkmaline at
Sun Nov 13 10:17:29 EST 2005

On Sat, Nov 12, 2005 at 09:30:45PM -0700, engage wrote:

> I'm trying to get wpa_supplicant-0.4.5 set up for WPA2. I don't want to use a 
> radius server for this. Anyway, I set up my Linksys WRT54G for WPA2-Personal 
> with TKIP+AES (the other option for WPA2-Personal is AES).

What wireless LAN card and driver (including version) are you using? Do
you need TKIP with some clients? If not, setting the AP to use just CCMP
(AES) would be more secure.

> network={
>         key_mgmt=WPA-PSK
>         proto=WPA2 #i tried using RSN also
>         pairwise=TKIP
>         group=TKIP

Do you have any particular reason to limit to using TKIP for pairwise
even though the AP was configured to allow CCMP?

> It doesn't work. iwconfig shows an AP association and an encryption key. I can 
> ping the router but I can't access my DNS server or web surf. I can't ping 
> anything outside my LAN. The above config file does work with proto=WPA.

Are you saying that you can ping your AP over the wireless connection?
There shouldn't really be much difference in LAN vs. internet access.
Did you look at wpa_supplicant debug log? Did it claim that the
connection was established successfully?

> I've been reading a few howto's but they have me confused and most of them are 
> directed at Enterprise setups (port authentication with a radius server). And 
> the only thing I've seen in the supplicant's README concerning AES is CCMP. 
> If I understand correctly, CCMP is an improvement over AES and is used with 
> a radius server?

CCMP is a mode for using AES. In other words, when some devices talk
about TKIP or AES, they actually mean TKIP or CCMP.

>  I don't see any other options in the README that are 
> appropriate.  Does WPA2 require something more sophisticated than TKIP or 
> AES? The sample config files that I've seen have EAP in them. Like I said, 
> I'm confused as to how to do this.

Your configuration file looked valid, though, I would have used
pairwise=CCMP in that case. If you change the AP to be CCMP (AES) only,
both pairwise and group would be CCMP in wpa_supplicant configuration.

Jouni Malinen                                            PGP id EFC895FA
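
An added example (not part of the original message and not wpa_supplicant code): a small Python check that parses `network={}` blocks and flags entries that explicitly allow TKIP or the older WPA protocol, run on a constructed copy of the configuration discussed above next to the CCMP-only variant. The ssid and psk values and the function names are assumptions made for the illustration; options left unset are not evaluated.

```python
import re

# Constructed sample (placeholder ssid/psk): the post's block, then CCMP-only.
SAMPLE_CONF = '''
network={
        ssid="example-tkip"
        psk="placeholder passphrase #1"
        key_mgmt=WPA-PSK
        proto=WPA2 #i tried using RSN also
        pairwise=TKIP
        group=TKIP
}
network={
        ssid="example-ccmp"
        psk="placeholder passphrase #1"
        key_mgmt=WPA-PSK
        proto=RSN
        pairwise=CCMP
        group=CCMP
}
'''

def strip_comment(line):
    """Drop a '#' comment, but keep any '#' inside a double-quoted value."""
    return re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or '', line)

def parse_networks(text):
    """Return one {key: value} dict per network={ ... } block."""
    networks = []
    for body in re.findall(r'network=\{(.*?)\n\}', text, re.S):
        fields = {}
        for line in body.splitlines():
            key, sep, value = strip_comment(line).strip().partition('=')
            if sep:
                fields[key.strip()] = value.strip()
        networks.append(fields)
    return networks

def audit(fields):
    """Findings for explicitly set proto/pairwise/group values only."""
    findings = []
    for key in ('pairwise', 'group'):
        if 'TKIP' in fields.get(key, '').split():
            findings.append(key + ' allows TKIP')
    if 'WPA' in fields.get('proto', '').split():
        findings.append('proto allows WPA')
    return findings

if __name__ == '__main__':
    print([(n['ssid'], audit(n)) for n in parse_networks(SAMPLE_CONF)])
```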
