A quick reference for those who are totally confused...
To borrow the help text from the DD-WRT firmware help (edited somewhat for brevity; my comments appear within square brackets):
WPA Pre-Shared Key [sometimes listed as WPA Personal]
TKIP stands for Temporal Key Integrity Protocol, which utilizes a
stronger encryption method than WEP, and incorporates Message
Integrity Code (MIC) to provide protection against packet tampering.
AES stands for Advanced Encryption System, which utilizes a
symmetric 128-Bit block data encryption and MIC. You should choose
AES if your wireless clients support it. [The TKIP encryption is
attained using the RC4 stream cipher. MIC is used instead of CRC
(WEP utilizes CRC, and this is one of its weaknesses). AES was not
officially supported until WPA2, so there may be some issues with
routers purporting to support AES under WPA, particularly with older
firmware (pre-WPA2 support).]
WPA RADIUS [sometimes listed as WPA Enterprise]
WPA RADIUS uses an external RADIUS server to perform user
authentication. To use WPA RADIUS, enter the IP address of the
RADIUS server, the RADIUS Port (default is 1812) and the shared
secret from the RADIUS server. [Currently, XWLAN does not provide an
802.1X supplicant necessary to authenticate against a RADIUS server,
so avoid this setting for now.]
WPA2 Only
WPA2 uses 802.11i to provide additional security beyond what is
provided in WPA. AES is required under WPA2, and you may need
additional updates to your OS and/or wireless drivers for WPA2
support. Please note WPA2/TKIP is not a supported configuration.
Additionally the WPA2 security mode is not supported under WDS. [WPA2
utilizes a 256-bit AES encryption scheme, via the Rijndael
algorithm. As is always the case with passphrases, the longer, the
better. While WPA2 encrypts the passphrase itself using PBKDF2 key
derivation, weak passphrases (dictionary words or short sequences)
can be cracked. The recommended minimum daily allowance ( ;-) ) is
at least five diceware words (see http://en.wikipedia.org/wiki/Diceware) or 14 random characters, with
tightest security achieved with eight diceware words or 22 random
characters.]
WPA2 Mixed
This mode allows for mixing WPA2 and WPA clients. If only some of
your clients support WPA2 mode, then you should choose WPA2 Mixed.
For maximum interoperability, you should choose WPA2 Mixed/TKIP+AES.
[This is good advice, if your router supports it and you are not
paranoid. ;-) Note that when you see entries for TKIP+AES, this
*doesn't* mean that AES works *without* TKIP *unless* you set this
option; instead, it implies that the AP will *accept* TKIP only, if
the client does not provide an AES-encrypted passphrase.]
RADIUS
RADIUS utilizes either a RADIUS server for authentication or WEP for
data encryption. To utilize RADIUS, enter the IP address of the
RADIUS server and its shared secret. Select the desired encryption
bit (64 or 128) for WEP and enter either a passphrase or a manual
WEP key. [Same notes apply here, as I mentioned above.]
WEP
There are two levels of WEP encryption, 64-bit (40-bit) and 128-bit
[104-bit]. To utilize WEP, select the desired encryption bit, and
enter a passphrase or up to four WEP keys in hexadecimal format. If
you are using 64-bit (40-bit), then each key must consist of exactly
10 hexadecimal characters. For 128-bit, each key must consist of
exactly 26 hexadecimal characters. Valid hexadecimal characters are
"0"-"9" and "A"-"F". Check your wireless clients to see which
encryption level they support.
Use of WEP is discouraged due to security weaknesses, and one of the
WPA modes should be used whenever possible. Only use WEP if you have
clients that can only support WEP (usually older, 802.11b-only clients).
[I highly recommend that you not go through the painful exercise of
configuring WEP keys. 128-bit...er...104-bit WEP can be cracked in
seconds with the right tools and enough traffic in the air, as
compared to the agony of manually entering keys. Also, do *not*
assume that if you enter a passphrase in your AP and allow it to
hash the keys for you that the same hash will result when you do the
same in a Wi-Fi client (some client software allows you to do this;
XWLAN does not - thankfully). Quite often, the hash is different
between manufacturers - or even firmware revs in the same unit,
resulting in even more lost time and frustration.]
I hope this helps clarify some of the newer technology we may now enjoy, thanks to the hard work of those few who do so much.
--
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
Accountants / Network Consultants
New York / Northern Virginia www.2rosenthals.com
eComStation Consultants www.ecomstation.com
Novell Users Int'l www.novell.com/openenterpriseserver
Need a managed Wi-Fi hotspot? www.hautspot.com
------------------------------------------------------------
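The WPA2 section above says the passphrase is run through PBKDF2 key derivation and that short or dictionary passphrases are the weak point. The following Python is an added example (not code from the original post, DD-WRT or XWLAN) showing both halves of that claim: the WPA/WPA2-Personal derivation itself (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit result, as in 802.11i), and an entropy estimate for the recommended passphrase sizes. The Diceware list size (7776 words) and the 94-character printable alphabet used for the "random characters" estimate are my assumptions; the SSID and passphrase are constructed sample values, chosen because the IEEE 802.11i test vector uses them.

```python
import hashlib
import math
import string

# Constructed sample values for the demonstration (also the 802.11i Annex test vector).
SAMPLE_SSID = "IEEE"
SAMPLE_PASSPHRASE = "password"

DICEWARE_LIST_SIZE = 7776   # assumption: standard 5-dice Diceware list (6**5 words)
PRINTABLE_ALPHABET = 94     # assumption: printable ASCII, space excluded

PBKDF2_ITERATIONS = 4096
PSK_LENGTH_BYTES = 32


def validate_wpa_passphrase(passphrase: str) -> None:
    """802.11i limits a WPA/WPA2-Personal passphrase to 8..63 printable ASCII chars."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    allowed = set(string.printable) - set("\t\n\r\x0b\x0c")
    if any(ch not in allowed for ch in passphrase):
        raise ValueError("WPA passphrase must consist of printable ASCII characters")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    The passphrase itself never goes over the air; only the 256-bit PSK (and
    keys derived from it during the 4-way handshake) is used. Because the SSID
    is the salt, the same passphrase yields a different PSK on every network name.
    """
    validate_wpa_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PSK_LENGTH_BYTES,
    )


def diceware_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase built from `words` uniformly chosen Diceware words."""
    return words * math.log2(list_size)


def random_chars_bits(chars: int, alphabet: int = PRINTABLE_ALPHABET) -> float:
    """Entropy of `chars` characters chosen uniformly from an alphabet of `alphabet` symbols."""
    return chars * math.log2(alphabet)


def strength_table() -> dict:
    """Entropy (bits) for the four recommendations made in the post."""
    return {
        "5 diceware words": round(diceware_bits(5), 1),
        "14 random characters": round(random_chars_bits(14), 1),
        "8 diceware words": round(diceware_bits(8), 1),
        "22 random characters": round(random_chars_bits(22), 1),
    }


if __name__ == "__main__":
    psk = derive_psk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    print(f"SSID={SAMPLE_SSID!r} passphrase={SAMPLE_PASSPHRASE!r}")
    print(f"PSK = {psk.hex()}")
    # Same passphrase, different SSID: a different PSK, since the SSID is the salt.
    print(f"PSK on SSID 'IEEE2' = {derive_psk(SAMPLE_PASSPHRASE, 'IEEE2').hex()}")
    for label, bits in strength_table().items():
        print(f"{label:>22}: ~{bits} bits")
```

Running the script prints the PSK for the sample values and the entropy table; the numbers confirm the post's ordering (5 Diceware words is roughly 65 bits, 14 random characters about 92, 8 words about 103 and 22 characters about 144), which is why the longer options are described as the tighter setting.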
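The WEP section describes the exact key format (10 or 26 hex digits for the 40-bit and 104-bit levels) and warns that passphrase-to-key hashing is not standardized across manufacturers. As an added example (my own code, not from the post, DD-WRT or XWLAN), the Python below normalizes and validates a typed WEP key the way a configuration tool would, and implements two passphrase-to-key schemes that I assume to be the ones commonly copied between vendors: a 40-bit generator seeded by XORing the passphrase bytes and driven by a linear congruential generator, and a 104-bit generator that MD5-hashes the passphrase repeated to 64 bytes. The scheme names and the "s:" ASCII-key prefix convention are assumptions; the sample passphrase is constructed. The point is not to recommend WEP but to show why a key hashed on the access point may not match the one a client computes from the same passphrase.

```python
import hashlib
import re

# Hex digits typed -> actual key bits (marketed as "64-bit" and "128-bit").
WEP_KEY_HEX_LENGTHS = {10: 40, 26: 104}
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

SAMPLE_PASSPHRASE = "example"   # constructed sample value


def normalize_wep_key(entry: str) -> str:
    """Return a WEP key as typed into a router UI as upper-case hex, or raise.

    Accepts an optional 0x prefix and colon/dash separators. An entry of the form
    "s:xxxxx" is treated as a 5- or 13-character ASCII key (assumed convention)
    and converted to hex so that both spellings can be compared byte for byte.
    """
    text = entry.strip()
    if text.startswith("s:"):
        ascii_key = text[2:]
        if len(ascii_key) not in (5, 13) or not ascii_key.isascii():
            raise ValueError("ASCII WEP key must be exactly 5 or 13 ASCII characters")
        return ascii_key.encode("ascii").hex().upper()
    if text.lower().startswith("0x"):
        text = text[2:]
    text = text.replace(":", "").replace("-", "")
    if not text or not _HEX_RE.match(text):
        raise ValueError('WEP key must use only the hex digits "0"-"9" and "A"-"F"')
    if len(text) not in WEP_KEY_HEX_LENGTHS:
        raise ValueError("WEP key must be exactly 10 (64-bit) or 26 (128-bit) hex digits")
    return text.upper()


def wep_key_bits(entry: str) -> int:
    """Actual key length in bits (40 or 104) for a valid entry."""
    return WEP_KEY_HEX_LENGTHS[len(normalize_wep_key(entry))]


def wep40_keys_from_passphrase(passphrase: str) -> list:
    """Assumed vendor scheme for 40-bit WEP: XOR passphrase bytes into a 32-bit
    seed, then pull 4 keys x 5 bytes out of a linear congruential generator."""
    raw = passphrase.encode("ascii")
    if not raw:
        raise ValueError("passphrase must not be empty")
    seed = [0, 0, 0, 0]
    for i, b in enumerate(raw):
        seed[i % 4] ^= b
    x = seed[0] | (seed[1] << 8) | (seed[2] << 16) | (seed[3] << 24)
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            x = (x * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((x >> 16) & 0xFF)
        keys.append(key.hex().upper())
    return keys


def wep104_key_from_passphrase(passphrase: str) -> str:
    """Assumed vendor scheme for 104-bit WEP: repeat the passphrase to fill
    64 bytes, MD5 it, and keep the first 13 bytes."""
    raw = passphrase.encode("ascii")
    if not raw:
        raise ValueError("passphrase must not be empty")
    buf = (raw * (64 // len(raw) + 1))[:64]
    return hashlib.md5(buf).digest()[:13].hex().upper()


if __name__ == "__main__":
    for entry in ("0x0a:1b:2c:3d:4e", "s:hello", "0123456789ABCDEF0123456789"):
        print(f"{entry:>28} -> {normalize_wep_key(entry)} ({wep_key_bits(entry)}-bit)")
    print("40-bit keys from passphrase:", wep40_keys_from_passphrase(SAMPLE_PASSPHRASE))
    print("104-bit key from passphrase:", wep104_key_from_passphrase(SAMPLE_PASSPHRASE))
```

Because neither scheme is part of the WEP specification, a client that implements a different one (or none) will compute a different key from the same passphrase; entering the hex keys directly, as the post suggests, sidesteps that mismatch.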