Thread: [Aironet] Re: Problem with Linux 2.4.18 and Cisco Aironet 340
From: Jean T. <jt...@bo...> - 2002-04-26 22:06:53
On Fri, Apr 26, 2002 at 11:29:00PM +0200, Hadmut Danisch wrote:
> Hi,
>
> I meanwhile did some experiments.
> I'm using airo_cs, as it is contained in Linux 2.4.18, and
> wireless tools 24.

Good.
But you forgot to refer to the Aironet mailing list.

> - nomenclature is confusing:
>
>   On the Cisco configuration web page from my Aironet 340
>   access point, there are three choices about the
>   required use of WEP by clients: "No Encryption", "Optional",
>   "Full Encryption".
>
>   There are also three modes of authentication: "Open", "Shared", and
>   "Network-EAP".
>
>   In contrast to that, iwconfig uses "off", "on", "open", "restricted"
>   about the required use of WEP by peers, and doesn't have a switch
>   for choosing authentication.

That's intentional. The Wireless Extension is not Aironet
specific, and has only "basic" features that are easy for the user to
grasp and relate to. There are only 3 levels of security and they are
properly documented in the iwconfig man page (read it).
	o off -> no security
	o open -> some security
	o restricted -> most security
It's up to the driver to map those 3 simple levels to something
meaningful. It is my belief that the Aironet driver does it properly.
I refuse to expose to the user an abstraction more complex
than that, because:
	o it would confuse the user
	o it would be a pain to work across drivers.

>   Again, in contrast to iwconfig, the WEP: entry in
>   /proc/driver/aironet/eth0/Config supports the values
>   "shared" (i.e. everything starting with 's'), "encrypt"
>   (i.e. everything starting with "e") and "open" (i.e. everything
>   else), but I'm not sure about the meaning.

This API is closer to the hardware, so should give you more
control and should correspond to Cisco's way of dealing with
security. Personally I've never managed to understand which option is
more secure or less secure, but I believe that people familiar with
Cisco equipment probably know what those mean.

>   If I do
>   echo "WEP: shared" >/proc/driver/aironet/eth0/Config
>   then iwconfig shows mode "restricted"
>
>   If I do
>   echo "WEP: encrypt" >/proc/driver/aironet/eth0/Config
>   then iwconfig shows mode "open"
>
>   If I do
>   echo "WEP: open" >/proc/driver/aironet/eth0/Config
>   then iwconfig shows key off.
>
>   There's definitely some confusion, this is really
>   error-prone.
>
>   You should modify iwconfig and the devfs interface to
>   clearly distinguish between the accepted authentication mode,
>   the authentication mode used, and the accepted encryption mode.

As I say, one of the strengths of Wireless Extensions is its
simplicity, and I'm not going to give up on that.

> - My Notebook and my access point can communicate only if
>   I do
>   echo "WEP: open" >/proc/driver/aironet/eth0/Config
>
>   on the Notebook and set the access point to "Optional".
>   But then, surprisingly, the notebook receives packets from
>   the access point, no matter what key I set on the access
>   point.

Of course, it means you are communicating without encryption.
If you can't communicate with encryption enabled, it's probably
a key mismatch. Also remember that keys have to be in the *same* slot
(same index).
I don't know enough about the Aironet hardware, so please use
the mailing list (as I told you).

>   The Notebook shouldn't be able to receive anything
>   without knowledge of the key. According to the help page
>   of Cisco, "Optional" means only the kind of encryption
>   required by clients, but not the encryption used by the
>   access point. So the access point should send encrypted,
>   which it definitely doesn't do, otherwise the Notebook couldn't
>   receive.

I guess that optional means optional.

> regards
> Hadmut

Regards,

Jean

From: Hadmut D. <ha...@da...> - 2002-04-26 22:40:20
On Fri, Apr 26, 2002 at 03:06:52PM -0700, Jean Tourrilhes wrote:
> > In contrast to that, iwconfig uses "off", "on", "open", "restricted"
> > about the required use of WEP by peers, and doesn't have a switch
> > for choosing authentication.
>
> That's intentional. The Wireless Extension is not Aironet
> specific, and has only "basic" features that are easy for the user to
> grasp and relate to. There are only 3 levels of security and they are
> properly documented in the iwconfig man page (read it).
> 	o off -> no security
> 	o open -> some security
> 	o restricted -> most security

This might not work with every possible configuration of the
access point. I'd prefer an interface which gives full control.

> > You should modify iwconfig and the devfs interface to
> > clearly distinguish between the accepted authentication mode,
> > the authentication mode used, and the accepted encryption mode.
>
> As I say, one of the strengths of Wireless Extensions is its
> simplicity, and I'm not going to give up on that.

I apologize, but from my point of view this is
everything but simple.

regards
Hadmut

From: Jean T. <jt...@bo...> - 2002-04-26 22:47:49
On Sat, Apr 27, 2002 at 12:39:52AM +0200, Hadmut Danisch wrote:
>
> This might not work with every possible configuration of the
> access point.

That would be a bug in the driver. The "restricted" setting on
the card should always work with the most secure setting on the Access
Point. If it doesn't, it's a BUG.

> I'd prefer an interface which gives full control.

That's why the driver offers an Aironet specific API. If you
don't like Wireless Extensions, don't use it.

> I apologize, but from my point of view this is
> everything but simple.

Try to configure a Lucent or 3Com XJack with your Aironet
Access Point and you will understand what I'm talking about. You can
also try to configure your Aironet card with a Lucent Access Point and
you will come to the same conclusion.
If you live in an Aironet only world, where other products
don't exist, please use the ACU tool.

> regards
> Hadmut

Regards,

Jean

From: Benjamin R. <br...@al...> - 2002-04-29 16:21:46
If you use the Cisco ACU you will find even more differences in terms
and values. If you are a total Aironet shop use the ACU. If you want a
common configuration for different brands of cards, use wireless
extensions. If you want more access to Aironet specific options, use the
/proc interface. You can also use ioctls to directly access the card
registers.

ben

Jean Tourrilhes wrote:

> On Fri, Apr 26, 2002 at 11:29:00PM +0200, Hadmut Danisch wrote:
>
>>Hi,
>>
>>I meanwhile did some experiments.
>>I'm using airo_cs, as it is contained in Linux 2.4.18, and
>>wireless tools 24.
>>
>
> Good.
> But you forgot to refer to the Aironet mailing list.
>
>>- nomenclature is confusing:
>>
>>  On the Cisco configuration web page from my Aironet 340
>>  access point, there are three choices about the
>>  required use of WEP by clients: "No Encryption", "Optional",
>>  "Full Encryption".
>>
>>  There are also three modes of authentication: "Open", "Shared", and
>>  "Network-EAP".
>>
>>  In contrast to that, iwconfig uses "off", "on", "open", "restricted"
>>  about the required use of WEP by peers, and doesn't have a switch
>>  for choosing authentication.
>>
>
> That's intentional. The Wireless Extension is not Aironet
> specific, and has only "basic" features that are easy for the user to
> grasp and relate to. There are only 3 levels of security and they are
> properly documented in the iwconfig man page (read it).
> 	o off -> no security
> 	o open -> some security
> 	o restricted -> most security
> It's up to the driver to map those 3 simple levels to something
> meaningful. It is my belief that the Aironet driver does it properly.
> I refuse to expose to the user an abstraction more complex
> than that, because:
> 	o it would confuse the user
> 	o it would be a pain to work across drivers.
>
>>  Again, in contrast to iwconfig, the WEP: entry in
>>  /proc/driver/aironet/eth0/Config supports the values
>>  "shared" (i.e. everything starting with 's'), "encrypt"
>>  (i.e. everything starting with "e") and "open" (i.e. everything
>>  else), but I'm not sure about the meaning.
>>
>
> This API is closer to the hardware, so should give you more
> control and should correspond to Cisco's way of dealing with
> security. Personally I've never managed to understand which option is
> more secure or less secure, but I believe that people familiar with
> Cisco equipment probably know what those mean.
>
>>  If I do
>>  echo "WEP: shared" >/proc/driver/aironet/eth0/Config
>>  then iwconfig shows mode "restricted"
>>
>>  If I do
>>  echo "WEP: encrypt" >/proc/driver/aironet/eth0/Config
>>  then iwconfig shows mode "open"
>>
>>  If I do
>>  echo "WEP: open" >/proc/driver/aironet/eth0/Config
>>  then iwconfig shows key off.
>>
>>  There's definitely some confusion, this is really
>>  error-prone.
>>
>>  You should modify iwconfig and the devfs interface to
>>  clearly distinguish between the accepted authentication mode,
>>  the authentication mode used, and the accepted encryption mode.
>>
>
> As I say, one of the strengths of Wireless Extensions is its
> simplicity, and I'm not going to give up on that.
>
>>- My Notebook and my access point can communicate only if
>>  I do
>>  echo "WEP: open" >/proc/driver/aironet/eth0/Config
>>
>>  on the Notebook and set the access point to "Optional".
>>  But then, surprisingly, the notebook receives packets from
>>  the access point, no matter what key I set on the access
>>  point.
>>
>
> Of course, it means you are communicating without encryption.
> If you can't communicate with encryption enabled, it's probably
> a key mismatch. Also remember that keys have to be in the *same* slot
> (same index).
> I don't know enough about the Aironet hardware, so please use
> the mailing list (as I told you).
>
>>  The Notebook shouldn't be able to receive anything
>>  without knowledge of the key. According to the help page
>>  of Cisco, "Optional" means only the kind of encryption
>>  required by clients, but not the encryption used by the
>>  access point. So the access point should send encrypted,
>>  which it definitely doesn't do, otherwise the Notebook couldn't
>>  receive.
>>
>
> I guess that optional means optional.
>
>>regards
>>Hadmut
>>
>
> Regards,
>
> Jean
> _______________________________________________
> Aironet mailing list - Ai...@cs...
> http://csl.cse.ucsc.edu/mailman/listinfo/aironet
>