wpa_supplicant fails and reports weird AP address in association
Dan Williams
dcbw
Mon Dec 18 11:40:20 PST 2006
On Mon, 2006-12-18 at 14:18 -0500, Bryan Kadzban wrote:
> Sergio Callegari wrote:
> > on the linksys I chose /either/ no security /or/ wep /or/ wpa. In
> > other terms, WEP and WPA appear as alternatives.
>
> They are.
>
> > On the Hamlet box I have a two step setup. First I chose whether to
> > have basic cryptography or not (and this can be "open", "shared" or
> > "both, with the possibility of setting a WEP key)...
>
> Well... not exactly.
>
> Open and shared refer to the 802.11 authentication, which happens just
> before association. The "normal" WPA or WPA2 authentication, OTOH,
> happens after association. Basically, never use shared authentication.
>
> (Shared requires a WEP key. It also informs everyone sniffing your
> association frames of that WEP key; it's *extremely* insecure. I don't
> know how "both" would work, but AFAIK, WPA and WPA2 both require open.)
>
> The open/shared choice should only be made if you configure the AP for
> WEP.
>
> > then on another setup stage I chose whether to have WPA-PSK or not,
> > with the possibility of introducing a WPA-PSK key. So WEP and WPA
> > appear as complementary.
>
> They are not. It may be possible with some cards to do both WEP and WPA
> on the same SSID, but I don't know how the card would choose. I don't
> think there's any standard for it, in any case.
Actually, what happens here is that the pairwise key is TKIP or CCMP for
all WPA-capable stations, but the broadcast key is WEP. WEP-only
clients don't know (or have to) about the pairwise/multicast key
distinction.
So WEP-only clients can just keep doing what they always do and encrypt
_all_ outgoing traffic with the WEP key, regardless of the destination.
WPA-capable clients just encrypt multicast/broadcast packets with the
WEP key, but encrypt unicast packets using the TKIP/CCMP pairwise key
which only the AP can decrypt. (I don't know how it works when stations
want to talk directly to each other though.)
So you _can_ have WEP and WPA coexist on the same network, but you lose
any security for multicast or broadcast frames because they are always
encrypted with the lowest common denominator (WEP) and therefore are
insecure.
Dan
> > is there a "proper" basic (wep?) cryptographic setup to be used with
> > WPA? This is very confusing and the Hamlet manual does not help.
>
> Authentication, as in the frames sent just before association, must be
> set to open. WPA and WPA2 handle key exchange, ensuring the client is
> authorized, and setting up data frame encryption.
>
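The mixed WEP/WPA arrangement Dan describes is visible in what the AP advertises: the WPA or RSN information element in its beacon names one pairwise cipher (TKIP/CCMP) and a separate group cipher, and in a transition-mode network the group cipher selector is WEP-40 or WEP-104. The following is an added example, not code from the thread or from hostap/wpa_supplicant: it decodes the cipher-suite selectors from an IE blob and flags the weak-group-cipher case, so a defender can spot such a network from a beacon capture. The two sample IEs are constructed by hand, not captured frames.

```python
"""Decode WPA / RSN information elements and flag a WEP group cipher.

Added example (not part of the hostap list thread). The selector layout
follows IEEE 802.11i: version, group cipher suite, pairwise suite list,
AKM suite list. The sample IEs at the bottom are constructed.
"""
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i suite selectors (RSN IE, id 48)
WPA_OUI = b"\x00\x50\xf2"   # Microsoft OUI used by the pre-standard WPA IE (id 221)

# Cipher/AKM suite type values are the same under both OUIs.
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}
WEAK_GROUP_CIPHERS = {"WEP-40", "WEP-104"}


def _suite_name(suite: bytes, oui: bytes, table: dict) -> str:
    """Translate a 4-byte OUI:type selector into a readable name."""
    if len(suite) != 4 or suite[:3] != oui:
        return "vendor-" + suite.hex()
    return table.get(suite[3], f"type-{suite[3]}")


def _suite_list(body: bytes, off: int, count: int, oui: bytes, table: dict):
    """Read `count` 4-byte selectors starting at `off`; return (names, new_off)."""
    end = off + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past the end of the IE")
    names = [_suite_name(body[i:i + 4], oui, table) for i in range(off, end, 4)]
    return names, end


def parse_security_ie(ie: bytes) -> dict:
    """Decode one RSN (id 48) or WPA vendor-specific (id 221) IE."""
    if len(ie) < 2 or len(ie) != 2 + ie[1]:
        raise ValueError("IE length field does not match the data")
    eid, body = ie[0], ie[2:]
    if eid == 48:
        kind, oui = "RSN", RSN_OUI
    elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
        kind, oui = "WPA", WPA_OUI
        body = body[4:]                 # skip OUI + "WPA IE" type byte
    else:
        raise ValueError("not a WPA or RSN information element")
    if len(body) < 8:
        raise ValueError("truncated security IE")

    version = struct.unpack_from("<H", body, 0)[0]
    group = _suite_name(body[2:6], oui, CIPHER_NAMES)      # broadcast/multicast cipher
    n_pair = struct.unpack_from("<H", body, 6)[0]
    pairwise, off = _suite_list(body, 8, n_pair, oui, CIPHER_NAMES)  # unicast ciphers
    akms = []
    if len(body) >= off + 2:            # AKM list is optional in the WPA IE
        n_akm = struct.unpack_from("<H", body, off)[0]
        akms, off = _suite_list(body, off + 2, n_akm, oui, AKM_NAMES)
    return {
        "kind": kind, "version": version, "group": group,
        "pairwise": pairwise, "akm": akms,
        # Group traffic is only as strong as the group cipher, whatever the pairwise cipher is.
        "weak_group": group in WEAK_GROUP_CIPHERS,
    }


def iter_ies(blob: bytes):
    """Walk a concatenated IE blob (the tagged parameters after the fixed beacon fields)."""
    off = 0
    while off + 2 <= len(blob):
        length = blob[off + 1]
        yield blob[off:off + 2 + length]
        off += 2 + length


def security_report(blob: bytes) -> list:
    """Return one summary line per WPA/RSN IE found in a beacon's IE blob."""
    lines = []
    for ie in iter_ies(blob):
        if ie[0] not in (48, 221):
            continue
        try:
            info = parse_security_ie(ie)
        except ValueError:
            continue                    # other vendor IEs (e.g. WMM) also use id 221
        note = " (mixed WEP/WPA: group traffic is WEP-protected)" if info["weak_group"] else ""
        lines.append(f"{info['kind']}: pairwise={'/'.join(info['pairwise'])} "
                     f"group={info['group']} akm={'/'.join(info['akm'])}{note}")
    return lines


# Constructed samples: an SSID IE followed by one security IE each.
SSID_IE = bytes.fromhex("0004" "74657374")                                   # SSID "test"
RSN_CCMP_PSK = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                             "0100" "000fac02" "0000")                       # WPA2-PSK, CCMP/CCMP
WPA_TSN_TKIP_WEP104 = bytes.fromhex("dd16" "0050f201" "0100" "0050f205"
                                    "0100" "0050f202" "0100" "0050f202")     # WPA-PSK, TKIP pairwise, WEP-104 group

if __name__ == "__main__":
    for name, ie in (("clean WPA2", RSN_CCMP_PSK), ("transition net", WPA_TSN_TKIP_WEP104)):
        for line in security_report(SSID_IE + ie):
            print(f"{name}: {line}")
```

The second sample is exactly the configuration discussed above: unicast frames are TKIP-protected with a per-station key, but the advertised group cipher is WEP-104, so every broadcast and multicast frame on that network is only WEP-protected. Feeding real beacon IE blobs (for example from a packet capture) to `security_report` surfaces such networks without any active interaction.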