[icebox-devel] Wireless Association Issues
From: Craig J. <cr...@ro...> - 2005-10-07 00:10:58
Hi,
I'm new to the list, but was asked to post here by Daniel from ICE regarding
the issues I have been experiencing (and likely overcome) regarding wireless
association of my ICE router.
In short, I couldn't associate when using WEP, however had no issues when
using no encryption.
When I had a WEP key entered, the web GUI said that I was associated, and
could tell me the MAC address of my access point. L2 was all looking good.
However, I could not get any L3 connectivity happening and could not see an
association entry in my access point (DLink DI764).
After SSHing into the ICE router, I ran an iwconfig.
Output below:
~ # iwconfig
lo        no wireless extensions.
eth0      no wireless extensions.
ath0      IEEE 802.11g ESSID:"myssid"
          Mode:Managed Frequency:2.412 GHz Access Point: 00:00:00:00:00:00
          Bit Rate:11 Mb/s Tx-Power:50 dBm Sensitivity=0/3
          Retry:off RTS thr:off Fragment thr:off
          Encryption key:FFFF-FFFF-FFFF-FFFF-FFFF-FFFF-00 Security mode:restricted
          Power Management:off
          Link Quality=0/94 Signal level=-83 dBm Noise level=-95 dBm
          Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
          Tx excessive retries:0 Invalid misc:0 Missed beacon:0
From here I noted that the security mode is set to "restricted".
In restricted mode the client will only associate with APs that it can first
do shared key authentication with. If the AP is not configured to require
shared key authentication, association won't happen.
My access point is configured for open authentication, based upon the
information available here:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/networking_solutions_white_paper09186a008009c8b3.shtml
Note: With open authentication, the use of WEP prevents the client from
sending data to and receiving data from the access point, unless the client
has the correct WEP key. With shared-key authentication, the access point
sends the client device a challenge text packet that the client must then
encrypt with the correct WEP key and return to the access point. If the
client has the wrong key or no key, authentication will fail and the client
will not be allowed to associate with the access point. Shared-key
authentication is not considered secure because a hacker who detects both
the clear text challenge and the same challenge encrypted with a WEP key can
decipher the WEP key.
I have then set my ICE router to use the Open security mode to match my AP,
but this was unsuccessful too.
Upon changing the security mode of the access point to support shared mode
authentication, the connection was successfully achieved with encryption on
the link.
I'm unlikely to be the first or last person to experience this, and I
suggest that some further testing be done to ascertain whether Open
authentication can be reliably supported, or if this information should be
built into the support documentation for the ICE router firmware.
Sorry for the long post first up.
Cheers,
Craig Joyce
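
The check described in the post above, as an added example that is not part of the original message or of the ICE firmware: a small shell function that reads `iwconfig` output and reports, per wireless interface, whether it is associated, whether a WEP key is set, and which security mode is in use. The function names and the sample output (modelled on the output in the post) are constructed for illustration; the hint text restates the post's description of restricted mode.

```shell
#!/bin/sh
# Added example: summarise WEP association state from iwconfig output on stdin.
wep_assoc_diag() {
  awk '
    function emit() {
      if (iface == "") return
      printf "%s associated=%s wep=%s auth=%s\n", iface, assoc, wep, auth
      # Per the post: restricted mode only associates after shared-key auth.
      if (assoc == "no" && wep == "on" && auth == "restricted")
        print "  hint: restricted mode needs shared-key authentication on the AP"
      iface = ""
    }
    /^[^ \t]/ {                      # a new interface stanza starts in column 0
      emit()
      if ($0 ~ /IEEE 802\.11/) {
        iface = $1; assoc = "unknown"; wep = "unknown"; auth = "unknown"
      }
    }
    iface != "" && match($0, /Access Point: *[^ ]+/) {
      ap = substr($0, RSTART, RLENGTH); sub(/Access Point: */, "", ap)
      # Some drivers print an all-zero BSSID, others "Not-Associated".
      assoc = (ap == "00:00:00:00:00:00" || ap == "Not-Associated") ? "no" : "yes"
    }
    iface != "" && match($0, /Encryption key:[^ ]+/) {
      wep = (substr($0, RSTART + 15, RLENGTH - 15) == "off") ? "off" : "on"
    }
    iface != "" && match($0, /mode:(open|restricted)/) {
      auth = substr($0, RSTART + 5, RLENGTH - 5)   # lowercase "mode:" only
    }
    END { emit() }
  '
}

# Constructed sample, modelled on the iwconfig output quoted in the post.
sample_iwconfig() {
  cat <<'EOF'
lo        no wireless extensions.

eth0      no wireless extensions.

ath0      IEEE 802.11g  ESSID:"myssid"
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:00:00:00:00:00
          Encryption key:FFFF-FFFF-FFFF-FFFF-FFFF-FFFF-00   Security mode:restricted
          Power Management:off
EOF
}

sample_iwconfig | wep_assoc_diag
```

On a live system the same function can be fed directly with `iwconfig 2>/dev/null | wep_assoc_diag`.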