WEP Problem When WPS is active

Jouni Malinen j at w1.fi
Sun Sep 6 10:09:25 EDT 2009


On Tue, Sep 01, 2009 at 06:38:51PM +0300, Can ILHAN wrote:

> I am using hostapd-0.7.0_pre with the WPS feature enabled and am having a WEP
> problem when a Windows client tries to connect to my AP.

Is that a recent snapshot of the hostapd development branch or something
potentially older?

> Windows client (this happens with my 2 clients [namely Intel 2200 and Atheros
> chipset one] on both XP and Vista) thinks that a WEP-configured AP may have an
> EAP server running and sends an EAPOL-Start packet in case it's behind an
> 802.1X RADIUS server. Since the AP is configured to reply to an EAPOL packet (for
> WPS operation), it replies to the message (as a possible WPS request) and the
> client asks for a certificate. The AP probably doesn't understand this request
> and stops replying. On the other side, the client waits for a certificate reply
> until the user cancels the connection.

This is a known issue with the way Microsoft tries to probe network
capabilities automatically. Unfortunately, it does not work very well
with WPS.

> This can be resolved by disabling 802.1X authentication support (with smart
> card or other certificate option) from Windows' Wireless Zero Config.
> However, I would like to make it work for any Windows client w/o changing
> that option (which is probably set by Windows automatically when it sees a
> registrar AP).

I did add a partial workaround for this in March:
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=143a4bf632e79d7adbe97f23e1b02e9c1d1a5cee

However, it looks like Microsoft implementations (at least Windows XP
SP3) do not really follow the documented behavior correctly and it is
still failing to do auto detection correctly. Anyway, it makes it
somewhat clearer to the user that something is not going correctly and
might even work with some Windows versions.

There is not really much else that can be done to work around this
unless you are willing to replace all the client devices with something
that handles WPS networks with WEP more gracefully. Or better yet, get
rid of that WEP configuration in the first place; as far as security is
concerned, it is about as good as leaving the network open anyway.

-- 
Jouni Malinen                                            PGP id EFC895FA
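
An added example, not part of the original message and not hostapd project code: a small Python check that flags the configuration discussed in this thread (static WEP keys, with or without WPS enabled) in a hostapd.conf. It assumes a single-BSS file; the function names and the two sample configs are constructed for illustration.

```python
# Added example (not hostapd project code). Sample configs below are constructed.

def parse_hostapd_conf(text):
    """hostapd.conf is key=value per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings for the WEP / WEP+WPS setup described in the thread."""
    conf = parse_hostapd_conf(text)
    # Static WEP keys are wep_key0..wep_key3; skip the wep_key_len_* options.
    wep = any(k.startswith("wep_key") and k[7:].isdigit() for k in conf)
    wpa = conf.get("wpa", "0") != "0"        # 1 = WPA, 2 = WPA2, 3 = both
    wps = conf.get("wps_state", "0") != "0"  # 1 = not configured, 2 = configured
    findings = []
    if wep and not wpa:
        findings.append("WEP: static WEP keys without WPA/WPA2")
        if wps:
            findings.append("WEP+WPS: EAPOL-Start probing clients may stall")
    return findings

WEP_WITH_WPS = """\
# constructed sample: the setup from the report
ssid=example
wep_default_key=0
wep_key0=0123456789
eap_server=1
wps_state=2
"""

WPA2_WITH_WPS = """\
# constructed sample: same AP moved to WPA2-PSK
ssid=example
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-passphrase
eap_server=1
wps_state=2
"""

if __name__ == "__main__":
    for name, cfg in (("wep", WEP_WITH_WPS), ("wpa2", WPA2_WITH_WPS)):
        print(name, audit(cfg) or "no findings")
```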

