MarkKnecht
Posts: 6
Registered: ‎12-18-2008

WRT54G+3 WAP54G's - how do I set up WPA2?

I've got 4 of these Linksys products - 1 router and 3 access points. I was running WEP for a couple of years. ESSID was not broadcast. The network worked OK but recently I have suspicions that someone hacked in. My internal machines are mostly Linux machines with software watching the network so I get indications of new machines hooking up, etc. Anyway, I wanted to explore switching to WPA or WPA2. Is it actually possible to do this in a secure manner? The hardware are Version 3 for the router and 3.1 for the access points. All have up-to-date firmware.

 

I managed to get WPA-Personal to sort of work if I let the router broadcast the ESSID. In the access point under AP Mode I chose AP Client and searched for the ESSID. The AP then asked me to input the preshared key. I did this and was connected. However when I disable transmission of the ESSID on the router none of the access points connect. When I reenable ESSID broadcast I can once again connect.

 

I had no major problems with the basic hardware for the last couple of years but if WEP isn't safe anymore then I need to get some form of WPA working.

 

If there are good instructions for doing this somewhere on the site that I can be pointed at please do. I'm technically literate and don't mind doing the work.

 

Thanks,

Mark

toomanydonuts
Posts: 6,365
Registered: ‎09-16-2006

Re: WRT54G+3 WAP54G's - how do I set up WPA2?

It sounds like you already had WPA working fine, just leave "SSID broadcast" set to enabled. 

 

For security reasons, I used to recommend setting "SSID broadcast" to "disabled", but with newer cracking methods, this old trick is practically worthless.   So now I recommend leaving SSID broadcast set to enabled. When you use WPA or WPA2, your security comes from your encryption method, and from using a strong password.  Not from trying to hide your SSID.  Who cares if somebody can see your SSID?  If they cannot guess your password, they cannot login to your network.

 

Here are all my tips for setting up wireless security:

 

To set up wireless security, you must use a computer that is wired to the router.

Where to find the router settings: The router's login password is usually on one of the "Administration" pages. The other settings are all found in the "Wireless" section of the router's setup pages, located at 192.168.1.1

First, give your router a unique SSID. Don't use "linksys".
Make sure "SSID Broadcast" is set to "enabled".

Next, leave the router at its default wireless settings (except for the unique SSID), and then use your pc to connect wirelessly to the router. Test your wireless Internet connection and make sure it is working correctly. You must have a properly working wireless connection before setting up wireless security.

To implement wireless security, you need to do one step at a time, then verify that you can still connect your wireless computer to the router.

Next, encrypt your wireless system using the highest level of encryption that all of your wireless devices will support. Common encryption methods are:

WEP - poor (see note below)
WPA (sometimes called PSK, or WPA with TKIP) - good
WPA2 (sometimes called PSK2, or WPA with AES) - best

WPA and WPA2 sometimes come in versions of "personal" and "enterprise". Most home users should use "personal". Also, if you have a choice between AES and TKIP, and your wireless equipment is capable of both, choose AES. With any encryption method, you will need to supply a key (sometimes called a "password").

The wireless devices (computers, printers, etc.) that you have will need to be set up with the SSID, encryption method, and key that matches what you entered in the router.

Retest your system and verify that your wireless Internet connection is still working correctly.

And don't forget to give your router a new login password.

Picking Passwords (keys): You should never use a dictionary word as a password. If you use a dictionary word as a password, even WPA2 can be cracked in a few minutes. When you pick your login password and encryption key (or password or passphrase) you should use a random combination of capital letters, small letters, and numbers, but no spaces. A login password should be 12 characters or more. WPA and WPA2 passwords should be at least 24 characters. Note: Your key, password, or passphrase must not have any spaces in it.

Most home users should have their routers set so that "remote management" of the router is disabled. If you must have this option enabled, then your login password must be increased to a minimum of 24 random characters.

One additional issue is that Windows XP requires SP3 to run WPA2.


Note:
WEP is no longer recommended. The FBI has demonstrated that WEP can be cracked in just a few minutes using software tools that are readily available over the Internet. Even a long random character password will not protect you with WEP. You should be using WPA or preferably WPA2 encryption.
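
An added example (not part of the post above) that follows its key advice: it draws a 24-character key from letters and digits, computes the key's entropy, checks it against the 8 to 63 character WPA passphrase limit, and derives the 256-bit pre-shared key the way WPA/WPA2-Personal does, with the SSID as the PBKDF2 salt. The function names and the second SSID are assumptions made for the example.

```python
import hashlib
import math
import secrets
import string

# Alphabet from the post's advice: capitals, small letters, digits, no spaces.
ALPHABET = string.ascii_letters + string.digits

def make_key(length=24):
    """Return a random key drawn uniformly from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random key: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def check_wpa_passphrase(passphrase):
    """Return a list of problems; an empty list means the key fits the advice."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA/WPA2 passphrases must be 8 to 63 characters")
    if len(passphrase) < 24:
        problems.append("shorter than the 24 characters recommended above")
    if any(c not in ALPHABET for c in passphrase):
        problems.append("contains characters outside letters and digits")
    return problems

def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal key derivation: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

if __name__ == "__main__":
    key = make_key()
    print("key:", key)
    print("entropy: %.1f bits" % entropy_bits(24))
    print("problems:", check_wpa_passphrase(key) or "none")
    # Constructed SSIDs: the same key yields a different PSK per network name.
    for ssid in ("linksys", "example-home"):
        print(ssid, derive_psk(key, ssid).hex())
```

Because the SSID is the salt, the same passphrase produces a different pre-shared key on every network name.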

 

 

 

 

MarkKnecht
Posts: 6
Registered: ‎12-18-2008

Re: WRT54G+3 WAP54G's - how do I set up WPA2?

toomanydonuts,

Thanks for the clearly written and informative response. I think it sets me up to be more confident and successful. I appreciate your response.

I do have a few questions:

1) If we're going to broadcast the ESSID then why bother changing it from linksys to something unique? I do change the name but I was only turning it off to keep it secret. If it's not secret then why does the name make any difference?

2) In terms of reliability and/or security am I helped or harmed in any way by changing the rates supported to G-Only and changing the channel to something other than 6? I'm not bothered if it makes attaching wireless PCs more difficult. I'm looking for the most secure setup with the LinkSys routers and WAPs.

OK, now for the problems I'm having with implementation. Again, this is a WRT54G Ver. 3 router with WAP54G Ver. 3 Access Points.

 

1) Currently I have the router set to WPA2-Personal. I've set the WPA algorithms to TKIP+AES. I tried setting it to AES only but was unable to get any of the access points to connect when I did that.

 

2) In the Access Points I've selected the AP Client mode as opposed to 'Access Point'. Mostly this is because of having the ESSID turned off and needing the AP Client 'Site Survey' to find the ESSID. Is there any security difference between AP and AP Client for equivalent security settings?

 

3) Is there a good site you know of for testing password strength WRT these technologies?

 

4) Most troubling, once the WAP54G sees the router it asks me to type in the WPA pre-shared key. I do this using AES and can connect, but when I look at the security settings in the Access Point it's been changed to WPA-Personal, not WPA2-Personal. If I try to change it to WPA2-Personal I'm unable to connect.

 

Now, none of that is new to me. When I opened up this thread I was already doing WPA-Personal with either WPA-Personal or WPA2-Personal on the router. The issue I think I'm seeing is I cannot get the Access Points to say they are doing WPA2.

 

Can these Access Points actually do WPA2-Personal?

 

Again, your response was VERY enlightening and educated me on some of the differences and important aspects of the specs. Note that I don't use Windows much here and don't care greatly about connecting wireless devices right now. However my wife does have an iPod Touch that likely she'll want to connect one of these days so maybe I should consider what capabilities it has.

 

Cheers,

Mark

toomanydonuts
Posts: 6,365
Registered: ‎09-16-2006

Re: WRT54G+3 WAP54G's - how do I set up WPA2?

1)  The reason to use a unique SSID is so that when your neighbor buys a linksys router (and leaves his SSID set to "linksys"), that your computer can still easily tell which router it should be trying to connect to.  The WPA2 and WPA handshake process takes some time.  You do not want to waste time trying to login to your neighbor's router.

 

2)  Changing to "G-only" simply allows your router to ignore any B signals in your area.  There is no improvement in security, but in theory, there might be a small improvement in data throughput.  Note however that occasionally users report that their g adapters seem to work better with a router setting of "mixed" rather than "g-only".  So test your system with both "g-only" and "mixed".  If "g-only" is better, or the same, then choose "g-only".  If "g-only" is worse, then use "mixed".

 

Changing the channel from 6 is usually a good idea because most routers, in their default setting, use channel 6.  I usually use channel 1 or 11.  There is no security benefit.  Channel 1 and 11 are usually just less crowded, so you are less likely to have interference from neighbors. 

 

1)  Please note the following:

 

WPA   =  WPA with TKIP  =  PSK

WPA2  =  WPA with AES  =  PSK2

 

When you choose WPA2 with "TKIP+AES" you are actually telling the router to allow connections using WPA (= WPA + TKIP) or WPA2 (= WPA + AES).  This mode allows users who are in transition from WPA to WPA2 to transition smoothly.  Their older devices can use WPA, while their newer devices can use WPA2.

 

If you want to use WPA2 alone, then choose WPA with AES (or WPA2 with AES, which is redundant, since WPA2 always uses AES).

 

Note that if you use Windows XP, you need to have SP3 to use WPA2.

Vista (with or without any service packs) can do WPA2.

 

 

2)  Your security comes from using WPA2 or WPA, and a strong password.  It seems that you should be using your WAPs as access points.

 

3)  Password strength does not need to be measured.   You simply need to use a password with predictable strength.

 

Picking Passwords (keys): You should never use a dictionary word as a password. If you use a dictionary word as a password, even WPA2 can be cracked in a few minutes. When you pick your login password and encryption key (or password or passphrase) you should use a random combination of capital letters, small letters, and numbers, but no spaces. A login password should be 12 characters or more. WPA and WPA2 passwords should be at least 24 characters. Note: Your key, password, or passphrase must not have any spaces in it.

Most home users should have their routers set so that "remote management" of the router is disabled. If you must have this option enabled, then your login password must be increased to a minimum of 24 random characters.

 

4)  From the documentation, your WAP54Gs should be able to be set to WPA2 only.  Use WPA2-personal, with AES.  Of course, to do WPA2 only, all your wireless devices will need to be able to do WPA2.  Can your iPod Touch do WPA2?  If not, you may need to stay with WPA2 with TKIP+AES, thereby allowing both WPA and WPA2 devices to connect.

Message Edited by toomanydonuts on 12-21-2008 03:12 AM
MarkKnecht
Posts: 6
Registered: ‎12-18-2008

Re: WRT54G+3 WAP54G's - how do I set up WPA2?

Well, after working with this again today the best I can do so far is set the router to  WPA2-Personal [TKIP+AES] and then on the AP I have to use the AP Client Mode, let the router search for the network, and when asked to supply the WPA pre-shared key I select AES and type in the key. At that point I can finish configuration and connect.

 

If I set the router to WPA2-Personal [AES Only] I cannot get the Access Points to connect at all.

 

If I set the Access Points to Access Point mode (instead of AP Client mode) and then supply all the data by hand the Access Point never connects.

 

So, from all of this it seems that LinkSys either didn't do enough testing or something about my router and Access Points is crazy, but I've got 3 Access Points and they all act the same way so I don't believe it's a hardware failure.

 

I guess my security risk, if I understand all the great info you've given me, is that I'm probably running WPA2 since I connected with AES. However my router is open to someone hacking onto the network using TKIP as I had to turn that on to get the network to work at all.

 

Of course the whole thing could be bogus. There's no easy way for me to tell if the system is actually running WPA2. It could be running WEP and putting the wrong info on all my screens for all I know! ;-)

 

Thanks again for the great info!

 

Cheers,

Mark

toomanydonuts
Posts: 6,365
Registered: ‎09-16-2006

Re: WRT54G+3 WAP54G's - how do I set up WPA2?

As long as all your computers are using WPA2 with AES, you have not compromised your network by allowing TKIP.  The risk of TKIP, which is small, only occurs if you actually use it, and your wireless transmissions are recorded and analysed to try to determine your password.

 

No one is going to spend the time and effort it would take to try to hack a 24 character random WPA or WPA2 password, just to get into your home router.

 

Anyone with this much encryption cracking power is looking for a bigger target, such as a bank, retailer, stock broker, etc.
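
The question raised earlier in the thread, how to tell what the network is actually running, can be checked from a Linux client by reading what each access point advertises in its beacons. The following is an added example, not code from any poster: it assumes the text layout printed by `iw dev <interface> scan`, and the sample scan, SSIDs and MAC addresses are constructed.

```python
# Constructed sample, trimmed to the lines the parser reads.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    SSID: example-mixed
    capability: ESS Privacy ShortSlotTime (0x0411)
    WPA:     * Version: 1
             * Pairwise ciphers: TKIP
    RSN:     * Version: 1
             * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:02(on wlan0)
    SSID: example-aes-only
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
             * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:03(on wlan0)
    SSID: example-wep
    capability: ESS Privacy (0x0011)
"""

def parse_scan(text):
    """Return {ssid: {"privacy": bool, "WPA": set, "RSN": set}} per network."""
    nets, cur, section = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if line.startswith("BSS "):  # unindented header; skips indented "BSS Load:"
            cur, section = {"privacy": False, "WPA": set(), "RSN": set()}, None
        elif cur is None:
            continue
        elif s.startswith("SSID:"):
            nets[s[5:].strip()] = cur
        elif s.startswith("capability:"):
            cur["privacy"] = "Privacy" in s.split()
        elif s.startswith(("WPA:", "RSN:")):
            section = s[:3]  # WPA element = WPA, RSN element = WPA2
        if section and "Pairwise ciphers:" in s:
            cur[section].update(s.split("ciphers:")[1].split())
    return nets

def security_mode(net):
    """Return (mode, tkip_accepted) for one parsed network."""
    tkip = "TKIP" in (net["WPA"] | net["RSN"])
    if net["RSN"]:
        return ("mixed WPA/WPA2" if net["WPA"] else "WPA2 only"), tkip
    if net["WPA"]:
        return "WPA only", tkip
    return ("WEP" if net["privacy"] else "open"), False

REPORT = {ssid: security_mode(n) for ssid, n in parse_scan(SAMPLE_SCAN).items()}
print(REPORT)
```

CCMP is the name the scan output uses for the AES cipher; a router set to WPA2-Personal with TKIP+AES shows up as the mixed case.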