
illJazz
Premium
join:2002-09-04
Zurich

1 edit

WPA2 AES or WPA2 AES + TKIP?

After some problems with my WRT54GS router, »Linksys WRT54GS stops working intermittently, I decided, after considering both DD-WRT and HyperWRT Thibor, to load the latter onto my router and replace the stock firmware.

The firmware flash was fast and successful without any problems. Now I'm going through the router's setup pages setting things up. So I get to the wireless security tab.. and after having just looked at the following threads...

»What is better? WEP or WPA-PSK ?
»TKIP or AES?
»WPA TKIP or AES?
»WPA-EAP AES, Auto and TKIP
»difference between WPA AES and WPA2 AES
»Difference between WPA AES and WPA2
»WPA and WPA2

... I'm about to get a seizure. I haven't been this confused in a long time. My question is pretty simple, actually. I'm not even asking whether I should use WPA or WPA2. I already know I want to use WPA2, simply because it's the latest and greatest and well, why shouldn't I? I can't think of any advantage I would have in using WPA over WPA2, so there. Now, all I'd like to know is the difference between the two WPA2 modes: AES and TKIP+AES. Which one to use?

Oh yeah.. for the WPA Shared Key, what do you suggest I use? Just something I can remember easily or should I use something like this, »www.yellowpipe.com/yis/tools/WPA···ator.php, or this, »www.kurtm.net/wpa-pskgen/, to get myself a key generated?

I somehow have a feeling that all of this is so ridiculously OVERKILL that I want to cry. I highly doubt anybody is ever going to hack my network where just my buddy and I are connected to a router for purposes of sharing internet access.. oh well
--
Brutally honest--whenever possible. As a consequence what I say is IMHO, always.
"Experience is a hard teacher because she gives the test first, the lesson afterwards."
- Vernon Saunders Law



illJazz
Premium
join:2002-09-04
Zurich

I just read the following as well, or parts of it:

»www.openxtra.co.uk/articles/wpa-···211i.php
»seclists.org/lists/firewall-wiza···140.html
»hardware.mcse.ms/archive80-2005-···837.html

I'm getting the idea that TKIP+AES is just a setting to allow for backwards compatibility with devices using TKIP, but that WPA2 mainly does use AES. Or maybe I'm all wrong, but I think the setting I should set on my router is WPA2 with AES, and not WPA2 with TKIP+AES.



sded
Premium
join:2002-11-04
San Diego, CA

Right, depends on your NIC capabilities. I use WPA2 TKIP+AES because one of the computers (seldom used) doesn't support AES and I don't want to reset the router to use it.



illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

I have an Intel 2200BG wireless card. I figure it'll support AES.. or perhaps it doesn't? The other computer that needs to connect is a fairly new Apple Powerbook. Anyone know about AES support on those?

Also.. is there a good place on DSLR to ask about custom firmware functions? I have no idea what SSHD is and I'd love to know. Also, this custom firmware I just installed has a telnet daemon, which is very cool. I tested it out by "telnetting" the router's IP and I got in! I just don't know what exactly I can do with those commands, so that's what I'd like to learn more about. Then I wonder what effect it would have if I increased router power output, because this firmware allows me to control that too.. and what it would do if I messed with the RX and TX antennas? And so on



sded
Premium
join:2002-11-04
San Diego, CA

Card security support depends a bit on the firmware version. Setting up the router to WPA2 TKIP+AES and seeing what you can select is the easiest way to tell. The dd-wrt wiki at »wrt-wiki.bsr-clan.de/index.php?t···ure_List has writeups on a lot of the common features with Tofu/Thibor that might be a good place to start. And the forums at »www.linksysinfo.org/ have lots of good information, and rapid access to Thibor and a lot of the power users for questions.



illJazz
Premium
join:2002-09-04
Zurich

said by sded:

Card security support depends a bit on the firmware version. Setting up the router to WPA2 TKIP+AES and seeing what you can select is the easiest way to tell. The dd-wrt wiki at »wrt-wiki.bsr-clan.de/index.php?t···ure_List has writeups on a lot of the common features with Tofu/Thibor that might be a good place to start. And the forums at »www.linksysinfo.org/ have lots of good information, and rapid access to Thibor and a lot of the power users for questions.
Thanks for the link to the dd-wrt wiki. That really is one sweet resource even though I'm not using dd-wrt. It really is LOADED with features. Very impressive. I don't think I need any of it though.. what HyperWRT Thibor gives me is already more than enough
And I know about linksysinfo.org. That's where I read about all the custom firmware options in the first place and then found my way around installing Thibor.

Thanks!

Ok, well I just set it to TKIP+AES to see what's available, and it looks like my card does support AES. Here's a screenshot:




But now Intel Smart Wireless is being stupid. See the second screenshot:




I put in the information, and I'm sure its correct, but that progress bar keeps filling up and starting over, (looping), and I get that message on the left with the OK button. When I click OK it reappears almost right away, so you actually have to time yourself right if you want to get rid of that message.. you have to click OK and then CANCEL right after really fast.. WTF?

Anyway.. is this "smart identification" feature of my WRT54GS still intact even after it is flashed with custom firmware? That's the question.


sded
Premium
join:2002-11-04
San Diego, CA

1 edit

Not sure what you are doing here. Is this screen from the SES wizard? (it is a Linksys screen, not Intel). I have not used SES; believe it only works with an SES NIC from Linksys. I use Windows WZC for the NIC (Intel 2100B), and set up security directly on the Linksys (using Tofu 13c on a G4). You need to add the WPA2 Microsoft upgrade if you haven't done so yet; see the security forum or Google it. I use dd-wrt mini on another wrt54g, and it is very comparable to Thibor in terms of features. There are a number of versions, so you can select the features you need; obviously the mini version is the fastest.



illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

What's SES? And both screenshots show the Intel ProSet Wireless Connection utility that replaces Wireless Zero Config in Windows when used. It's a wireless connection manager from Intel for Intel cards. Intel and Linksys came up with "Intel Smart Wireless" protection or something.. the way it works is that you have an Ownership ID and a Device ID printed on the bottom of the router that the Intel utility asks for on connect. You type in the two 8-digit numbers and then it lets you go on. It's supposed to make sure you're not connecting to somebody else's router accidentally. And that's all great, except that the Intel ProSet application hangs on this step and makes the verification process loop! So my question is.. after flashing with HyperWRT Thibor, are the Ownership ID and Device ID still intact for this to be able to work, or does that get erased or altered in some way?

This is a very specific question. I should probably ask over at linksysinfo.org.



sded
Premium
join:2002-11-04
San Diego, CA

2 edits

Don't know how you got that screen. I have the standard Intel 2200BG Proset on another computer, and it has no Linksys specific knowledge as shown on yours. It is designed to connect to an AP without knowing details about it. Where did you get the integrated Intel/Linksys product? As far as Thibor is concerned, I don't see this info displayed, so can't tell whether it responds to an interrogation by the NIC or not. Asking at Linksys.org (or the HyperWRT forum at »www.hyperwrt.org/forum/) is a good idea, since Thibor can respond directly.



illJazz
Premium
join:2002-09-04
Zurich

said by sded:

Don't know how you got that screen. I have the standard Intel 2200BG Proset on another computer, and it has no Linksys specific knowledge as shown on yours. It is designed to connect to an AP without knowing details about it. Where did you get the integrated Intel/Linksys product? As far as Thibor is concerned, I don't see this info displayed, so can't tell whether it responds to an interrogation by the NIC or not. Asking at Linksys.org is a good idea, since Thibor can respond directly.
Well the router is a completely normal Linksys WRT54GS v2. See this for more info: »www.dailywireless.org/modules.ph···sid=2976
The feature is called "Intel Smart Wireless".
THAT's what's giving me trouble now. I can't connect to the damn router because the Intel ProSet Wireless software loops during authentication of this Smart Wireless thing.. gdamn!

I really need to post on linksysinfo.org. Thanks for all your help.


illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

Posted at linksysinfo.org: »www.linksysinfo.org/modules.php?···63#61263



Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ
reply to illJazz

Just forget the intel smart wireless thing for a second.

What you want to do is set your AP up to support WPA-PSK TKIP+AES. TKIP+AES is probably the best choice, because not all wireless NICs support AES, some only support TKIP. I'm going to go ahead and assume that what it does is automatically default to the lowest one any device on your network can support.

Anyways, after you've done that, you need to create your Pre-Shared Key. It should be at least 20 characters, with numbers, letters, and no dictionary words. Nice and strong.

After you've put that into the router's web-based GUI, restart it, and try to connect with your laptop. Most likely, you'll be prompted to enter the PSK (it might be termed password, or secret, or somesuch), and you'll be connected.

The reason the smart wireless, or whatever, isn't working is that the custom 3rd party firmware probably killed that "feature", if you can call it one. It must be little more than an intel SES client, which is definitely killed in most 3rd party firmwares. I don't remember whether it works in HyperWRT Thibor, but I know DD-WRT doesn't have it.
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 12900+ messages currently using 406 MB.
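As an added example (not code from the thread or from any of the firmware projects mentioned), here is what a WPA-Personal AP or client actually does with the pre-shared key Nerdtalker describes, plus a check of his three rules. It goes slightly beyond the post: it also handles the 64-hex-digit form of the key, which is used raw with no stretching. The "password"/"IEEE" value in the test is the published IEEE 802.11i test vector; the word list is a small constructed stand-in for a real dictionary.

```python
import hashlib
import re

# Constructed mini word list for the "no dictionary words" rule; a real check
# would load a full dictionary file.
SAMPLE_WORDLIST = {"password", "linksys", "wireless", "router", "secret"}

PSK_BYTES = 32        # WPA/WPA2 pairwise master key (PMK) is 256 bits
PBKDF2_ROUNDS = 4096  # iteration count fixed by IEEE 802.11i


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK a WPA-Personal AP or client derives.

    Two input forms exist: 8-63 printable ASCII characters are stretched with
    PBKDF2-HMAC-SHA1, salted with the SSID, for 4096 rounds; exactly 64 hex
    digits are the raw key and are used as-is. Because the SSID is the salt,
    the same passphrase on a different SSID gives a different key. Anyone who
    captures the handshake can test guesses offline at this same fixed cost,
    which is why the stretching cannot rescue a short or dictionary passphrase.
    """
    if re.fullmatch(r"[0-9a-fA-F]{64}", passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("ASCII passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), PBKDF2_ROUNDS, PSK_BYTES)


def weak_points(passphrase: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Check a passphrase against the three rules in the post above: at least
    20 characters, letters and digits, no dictionary words. Returns the names
    of the rules it fails; an empty list means it passes all three."""
    failed = []
    if len(passphrase) < 20:
        failed.append("length")
    if not any(c.isalpha() for c in passphrase):
        failed.append("letters")
    if not any(c.isdigit() for c in passphrase):
        failed.append("digits")
    lowered = passphrase.lower()
    if any(word in lowered for word in wordlist):
        failed.append("dictionary")
    return failed


if __name__ == "__main__":
    # Published IEEE 802.11i vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    print(weak_points("password"))             # fails length and dictionary
    print(weak_points("x7Q!p2Zk#9vW4mT8rL1bN"))  # constructed; passes all
```

The first line printed is the PMK the router and every client compute independently; the 4-way handshake then proves both sides hold it without sending it over the air.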



illJazz
Premium
join:2002-09-04
Zurich

said by Nerdtalker:

Just forget the intel smart wireless thing for a second.

What you want to do is set your AP up to support WPA-PSK TKIP+AES. TKIP+AES is probably the best choice, because not all wireless NICs support AES, some only support TKIP. I'm going to go ahead and assume that what it does is automatically default to the lowest one any device on your network can support.

Anyways, after you've done that, you need to create your Pre-Shared Key. It should be at least 20 characters, with numbers, letters, and no dictionary words. Nice and strong.

After you've put that into the router's web-based GUI, restart it, and try to connect with your laptop. Most likely, you'll be prompted to enter the PSK (it might be termed password, or secret, or somesuch), and you'll be connected.

The reason the smart wireless, or whatever, isn't working is that the custom 3rd party firmware probably killed that "feature", if you can call it one. It must be little more than an intel SES client, which is definitely killed in most 3rd party firmwares. I don't remember whether it works in HyperWRT Thibor, but I know DD-WRT doesn't have it.
Great post, thanks! You know, it's funny you mention the idea that the 3rd party firmware may be the culprit with the Intel Smart Wireless thing. Why? Because I had the exact same thought earlier today! Check that thread at linksysinfo.org I linked to earlier, (my last post). It's got some more info in there too that may or may not be useful for anyone trying to help here

I've switched from Intel ProSet to the Windows wireless manager and I still could not connect. It would just forever authenticate, and I'm dead sure I used the right key. I currently have the router set to just AES, not TKIP+AES, because I'm sure my wireless hardware supports AES. Well, reasonably sure. That's because of the screenshot here. My buddy is now also able to connect without problems using his Powerbook. BTW, as for the key, I generated myself a monster key that looks something like this:

47sc#yF/Rb!7g18E5eRE4+Y-JYnnnCPqJ7I0\X9M--Se/as459H96q7ODt1#&Pg

63 characters total, using every imaginable character group. It probably has just about any sign in it that can be typed with a keyboard . Got it from here.

Anyway.. now the router isn't the issue anymore. Now it's my system.

I'm not sure what step to take next.


Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ

Well, what you could always try is falling back to WPA, not WPA2. I had some massive issues with linksys gear that allegedly supported WPA2, and I only wanted to use WZC (Windows Zero Config), and couldn't even get the thing to work until I fell back to WPA-PSK AES. I spent a good hour or two tearing my hair out before I tried that.

Incidentally, it was with a WRT54GS running the Thibor firmware and the PCMCIA 802.11g card.



illJazz
Premium
join:2002-09-04
Zurich

said by Nerdtalker:

Well, what you could always try is falling back to WPA, not WPA2. I had some massive issues with linksys gear that allegedly supported WPA2, and I only wanted to use WZC (Windows Zero Config), and couldn't even get the thing to work until I fell back to WPA-PSK AES. I spent a good hour or two tearing my hair out before I tried that.

Incidentally, it was with a WRT54GS running the Thibor firmware and the PCMCIA 802.11g card.
WTF.. interesting! I will have to try that. Oops.. will have to give my buddy yet another key to use lol

Thanks for the tip. I would not have thought of that. I simply assume the Linksys gear has to work with it! Heh. You must admit, in theory, it should be safe to assume that


Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ

said by illJazz:

Thanks for the tip. I would not have thought of that. I simply assume the Linksys gear has to work with it! Heh. You must admit, in theory, it should be safe to assume that
Yeah, just give that a try. I don't know whether it was just a quirk or something with the drivers I had, or whether it was a bug in the firmware, but I could only deploy WPA at all with WPA in use.

There really isn't any real security benefit IMO to using WPA2 over WPA. Authentication is pretty rock solid with both, and AES is already enabled in both.


illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

OMFG I'm a dumbass. How could I forget this? Earlier today I read something about signal noise and that whole topic and as a result, switched my router to broadcast on channel 2 as opposed to the default: 11. I did not make the same change in the wireless adapter's settings thinking that the Intel ProSet software would automatically detect that and make the appropriate change, (which I think it would, if it actually worked!). The Windows utility cannot do that, I don't think. So that may be why it has not been working! But then again.. if the Windows utility can actually SEE the router and even let me attempt to connect to it, it must already know that it's on a different channel.. or not? I mean, can a device using channel 11, (my WNIC), see devices from other channels?

Ok, I'm a double dumbass. I just remembered Netstumbler. It shows devices broadcasting on ANY channel. Oy oy..



illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

Ok.. well.. changing the WNIC's channel to 2 didn't do anything. It all just gets stuck at ACQUIRING NETWORK ADDRESS. Never goes past that

I guess trying WPA instead of WPA2 is the next step.



illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

BTW.. is this normal?




Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ

You've pulled a private IP address, I assume that means it's working?

I'm not sure about the screenshot, but I think that stuff doesn't really matter in your scenario.



illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

I just tried WPA with the same 63-character key I used for WPA2 earlier. It's working just fine with that exact setup for my buddy on his Powerbook. WPA is giving me the exact same problem as WPA2. I never get past ACQUIRING NETWORK ADDRESS. WTF? This is really frustrating. I mean.. it's not of crucial importance.. I'm hooked up using the ethernet cable, which is fine by me, but it's bothering the hell out of me that it just isn't working. It needs to work! Or I at least want to know exactly WHY it's not working. Like this, I'm just like.. HUH?



illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

OK, it's definitely NOT the encryption method. Has nothing to do with it, in fact. I just tried connecting to an UNSECURED WIFI network elsewhere in my building, and I get the same problem. It gets stuck on ACQUIRING NETWORK ADDRESS. What the hell is going on?



Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ

Well, in that case, I'd recommend uninstalling and reinstalling your NIC drivers. The whole suite, including any supplicant bundled with the intel drivers.

The Intel 2200BG is supposed to be pretty good; it's a popular chipset. Try going back to the intel client after you do that too, ditch WZC.

I might also question using the LAN and Wireless NIC at the same time. After you've done that, see what happens if you disconnect the wired connection and use the wireless one.



illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

I must also mention that I'm running a custom WinXP installation, with a bunch of Windows components that were removed. AND there are quite a few registry hacks in place. I can produce an exact and representative list of both here if it would help to see these things.
But yeah, it may be a good idea to start more or less from scratch here.



sded
Premium
join:2002-11-04
San Diego, CA

Try connecting using a fixed IP address like 192.168.1.10, mask 255.255.255.0, gateway 192.168.1.1. Could your DHCP Client service be hosed?



illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

Let me try that. Here's another odd thing.. I've been using ethernet ever since the problems started.. the funny thing is that my LAN icon in the system tray has been showing the ACQUIRING NETWORK ADDRESS for hours now.. yet I've been using the connection normally, and it's worked just fine! But that icon won't go away.. you know, with the little yellow ball going left and right. Hmmm. I'll try a static IP.



sded
Premium
join:2002-11-04
San Diego, CA

The spinning ball is the SP2 bug I mentioned before; go to "connect to/show all connections" on the start menu, and hit F5.



illJazz
Premium
join:2002-09-04
Zurich
reply to illJazz

I don't have "connect to/show all connections" anywhere on my Start Menu. :/



sded
Premium
join:2002-11-04
San Diego, CA

Right click taskbar, properties/start menu/customize/advanced will show a checkbox down the list for putting it on the start menu.



illJazz
Premium
join:2002-09-04
Zurich

said by sded:

Right click taskbar, properties/start menu/customize/advanced will show a checkbox down the list for putting it on the start menu.
If this is the list you're thinking of, here's all I got:



For the static IP.. I just give my WNIC a valid (within range) IP address, set the default gateway and the two DNS servers and hit ok, right? I don't have to change anything in the router's setup, right? Because if that's the case, I just did that and it's still just acquiring a network address.