wpa_supplicant fails and reports weird AP address in association
Dan Williams
dcbw at redhat.com
Mon Dec 18 14:40:20 EST 2006
On Mon, 2006-12-18 at 14:18 -0500, Bryan Kadzban wrote:
> Sergio Callegari wrote:
> > on the linksys I chose /either/ no security /or/ wep /or/ wpa. In
> > other terms, WEP and WPA appear as alternatives.
>
> They are.
>
> > On the Hamlet box I have a two step setup. First I chose whether to
> > have basic cryptography or not (and this can be "open", "shared" or
> > "both, with the possibility of setting a WEP key)...
>
> Well... not exactly.
>
> Open and shared refer to the 802.11 authentication, which happens just
> before association. The "normal" WPA or WPA2 authentication, OTOH,
> happens after association. Basically, never use shared authentication.
>
> (Shared requires a WEP key. It also informs everyone sniffing your
> association frames of that WEP key; it's *extremely* insecure. I don't
> know how "both" would work, but AFAIK, WPA and WPA2 both require open.)
>
> The open/shared choice should only be made if you configure the AP for
> WEP.
>
> > then on another setup stage I chose whether to have WPA-PSK or not,
> > with the possibility of introducing a WPA-PSK key. So WEP and WPA
> > appear as complementary.
>
> They are not. It may be possible with some cards to do both WEP and WPA
> on the same SSID, but I don't know how the card would choose. I don't
> think there's any standard for it, in any case.
Actually, what happens here is that the pairwise key is TKIP or CCMP for
all WPA-capable stations, but the broadcast key is WEP. WEP-only
clients don't know (or have to) about the pairwise/multicast key
distinction.
So WEP-only clients can just keep doing what they always do and encrypt
_all_ outgoing traffic with the WEP key, regardless of the destination.
WPA-capable clients just encrypt multicast/broadcast packets with the
WEP key, but encrypt unicast packets using the TKIP/CCMP pairwise key
which only the AP can decrypt. (I don't know how it works when stations
want to talk directly to each other though.)
So you _can_ have WEP and WPA coexist on the same network, but you loose
any security for multicast or broadcast frames because they are always
encrypted with lowest-common-denomiator (WEP) and therefore are
insecure.
Dan
> > is there a "proper" basic (wep?) cryptographic setup to be used with
> > WPA? This is very confusing and the Hamlet manual does not help.
>
> Authentication, as in the frames sent just before association, must be
> set to open. WPA and WPA2 handle key exchange, ensuring the client is
> authorized, and setting up data frame encryption.
>
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
More information about the HostAP
mailing list