Cisco 350: WPA/PSK - how?

Hi Pete,

If you want to do WPA-PSK with the 350 client, you have to use the XP WPA-PSK supplicant and NOT the ACU supplicant. (ACU's supplicant doesn't include WPA-PSK support.)

More comments inline below.

~ I hope somebody can help. I am sure this is just "terminology". ~ ~ I have a couple of Draytek 2900 Gi routers with wifi, and have their ~ wifi setup for what Draytek call "WPA/PSK, encryption mode TKIP" and ~ one enters just a single passphrase. ~ ~ This works with various laptops e.g. Sony 505 (internal wifi) and a ~ few with the Linksys PCMCIA WPC54G wifi card whose config has a ~ "WPA/PSK" option too. ~ ~ Now I have the Cisco 350 series mini-PCI card (and also the PCMCIA ~ version of it) in a couple of laptops and the Cisco software (Aironet ~ Client Utility v6.4.05) and it uses different terminology and despite ~ trying different options I can't get it to work. ~ ~ Under the ACU Network Security tab, I see ~ ~ checkbox for WPA ~ ~ under it some options: ~ ~ None ~ LEAP ~ EAP-FAST ~ Host-based EAP (802.1x) ~ ~ Data Encryption ~ ~ None ~ Static WEP ~ ~ AP authentication ~ ~ Open ~ Shared Key ~ ~ Which options do I use to do simple WPA/PSK/TKIP?

None of the above.

~ I am aware that one has a choice of ~ ~ (1) using windows XP to configure the wireless network,

Yep.

or

~ ~ (2) using the ACU to do it ~ ~ BOTH work for unencrupted. ~ BOTH work for 64-bit WEP ~ Only (2) works for 128-bit WEP (no config in XP for this) ~ (2) doesn't appear to support WPA/PSK/TKIP

Correct.

~ (1) *should* support WPA/PSK/TKIP but it doesn't work

Don't know why it doesn't work - I've got it working. (Assuming that you have current XP - I'd recommend SP2

- and recent 350 Install Wizard code installed.)

~ Any pointers much appreciated!

Here's some info on how to configure an XP wireless client using WZC:

This is from the CB21AG docs rather than the 350 docs, but the WZC stuff is the same of course.

~ ~ Eventually I installed Netstumbler to see if I can find out more. I ~ found this: ~ ~ NS works only if I use (1) above. If I use (2) it never sees any ~ network! ~ ~ NS fails to auto-update its "encrypted" network labelling if I just ~ reconfigure the router from "open" to "WEP". One has to restart NS. ~ ~ But that's all I could establish.

Sorry, don't know anything about Netstumbler.

~ Is it just that I have an old wifi adapter?

Regardless of how old your 350 client, it will support WPA-PSK as long as you have it upgraded to current code (including the radio firmware ... needs to be at least

5.30.something I believe.)

~ Finally, can anyone suggest any advantages of using (1) over (2) or ~ vice versa? Both seem to work for open and wep-64 networks.

Assuming that both the WZC and ACU supplicants support the security scheme you want, it's really a matter of preference. On my 350, I use the ACU supplicant to handle LEAP at work (WZC doesn't support LEAP), while at home (where I use 128bit static WEP), I will use either WZC or ACU as the mood strikes me (both work fine.)

~ Neither appears to connect to a WEP network unless I set up a profile, ~ with the right SSID. However, the Linksys WPC54G PCMCIA card can do ~ that - it just prompts you for the WEP password.

Yeah, neither WZC nor ACU will prompt you for a WEP key on an SSID that you haven't configured, I'm pretty sure.

~ Am I missing something obvious here, or is this the way things really ~ are?

The "something obvious" is that the ACU supplicant doesn't do WPA-PSK.

Hope this helps,

Aaron

Aaron Leonard wrote

Thank you Aaron for your reply.

That much I figured.

I have XP Pro Tablet Edition, SP2 and all current microsoft updates.

What is the 350 wizard code? That is the only bit I can see that I haven't tried yet.

That's what I have done. It is simple enough really. I have done it the other day on a Sony 505 laptop, on Sony's own pcmcia wifi adaptor, just that way and it works perfectly, on Draytek 2900 and 2600 routers, on which a Linksys WPC54G also works with WPA/PSK.

My firmware (shown in the ACU under Status) is 5.60.08

How do you get 128-bit WEP in the *windows* config? The only option shown is "WEP". Does windows automatically determine the 64/128 level from the length of the key one enters?

There does appear to be a difference between the two: the ACU doesn't appear to be able to scan the site and display several networks like the Windows code can. As far as I can tell, the ACU just connects to the first network it finds. But then I haven't yet been in a multiple AP location.

Netstumbler

is a potentially objectionable utility which continually scans for APs. It is used by legitimate network engineers and security people to scan for unauthorised APs and security leaks, as well as hackers looking for free internet access. I got it because neither windows nor the ACU has the capability to quickly check whether an AP is up and running and in what mode. NS tells you in under a second. It also comes in a pocket/pc version (ministumbler) and there are other programs for pocket/pc which work on wm2003 PDAs e.g. wififofum, wifigraph. My use is entirely legitimate; if I was a hacker I wouldn't be using the Cisco 350; I would be using an adapter which can be put into a passive sniffing mode :) You can also look up airsnort :)

In the short term, I am going to solve this by purchasing a Cisco AP which supports one of the more esoteric WPA modes which the 350 adapter and the ACU do support...

Peter.

-- Return address is invalid to help stop junk mail. E-mail replies to snipped-for-privacy@peter2000XY.co.uk but remove the X and the Y. Please do NOT copy usenet posts to email - it is NOT necessary.

On Sat, 26 Mar 2005 07:22:48 +0000, Pete If you want to do WPA-PSK with the 350 client, you have to use ~ >the XP WPA-PSK supplicant and NOT the ACU supplicant. (ACU's ~ >supplicant doesn't include WPA-PSK support.) ~ ~ That much I figured. ~ ~ >Don't know why it doesn't work - I've got it working. ~ >(Assuming that you have current XP - I'd recommend SP2 ~ >- and recent 350 Install Wizard code installed.) ~ ~ I have XP Pro Tablet Edition, SP2 and all current microsoft updates. ~ ~ What is the 350 wizard code? That is the only bit I can see that I ~ haven't tried yet.

The "Install Wizard" is just the bundle that includes the

350 firmware, drivers, ACU, ACM etc for Windows. "IW 1.5" is the current version. You can get to it from follow the prompts. It contains: 2004-11. Cisco Aironet Client Adapter Installation Wizard version 1.5 - 802.11a/b Radio Firmware 5.60.08, Windows NDIS Driver 8.6/3.9, Aironet Client Utility (ACU) 6.4 Aironet Client Monitor (ACM) 2.4.

~ >Here's some info on how to configure an XP wireless client using ~ >WZC: ~ >

~

~ That's what I have done. It is simple enough really. I have done it ~ the other day on a Sony 505 laptop, on Sony's own pcmcia wifi adaptor, ~ just that way and it works perfectly, on Draytek 2900 and 2600 ~ routers, on which a Linksys WPC54G also works with WPA/PSK. ~ ~ >Regardless of how old your 350 client, it will support ~ >WPA-PSK as long as you have it upgraded to current code ~ >(including the radio firmware ... needs to be at least ~ >5.30.something I believe.) ~ ~ My firmware (shown in the ACU under Status) is 5.60.08

Then you should be good to go.

~ >Assuming that both the WZC and ACU supplicants support the ~ >security scheme you want, it's really a matter of preference. ~ >On my 350, I use the ACU supplicant to handle LEAP at work ~ >(WZC doesn't support LEAP), while at home (where I use 128bit ~ >static WEP), I will use either WZC or ACU as the mood strikes ~ >me (both work fine.) ~ ~ How do you get 128-bit WEP in the *windows* config? The only option ~ shown is "WEP". Does windows automatically determine the 64/128 level ~ from the length of the key one enters?

Yep, just enter your 26 hex digit WEP key and Windows should grok it.

~ There does appear to be a difference between the two: the ACU doesn't ~ appear to be able to scan the site and display several networks like ~ the Windows code can. As far as I can tell, the ACU just connects to ~ the first network it finds. But then I haven't yet been in a multiple ~ AP location.

ACU can see different SSIDs and BSSIDs and will connect to the "best" one based upon your configuration and the goodness of the APs. It doesn't give you a menu though.

~ Netstumbler

is a potentially ~ objectionable utility which continually scans for APs. It is used by ~ legitimate network engineers and security people to scan for ~ unauthorised APs and security leaks, as well as hackers looking for ~ free internet access. I got it because neither windows nor the ACU has ~ the capability to quickly check whether an AP is up and running and in ~ what mode. NS tells you in under a second. It also comes in a ~ pocket/pc version (ministumbler) and there are other programs for ~ pocket/pc which work on wm2003 PDAs e.g. wififofum, wifigraph. My use ~ is entirely legitimate; if I was a hacker I wouldn't be using the ~ Cisco 350; I would be using an adapter which can be put into a passive ~ sniffing mode :) You can also look up airsnort :) ~ ~ In the short term, I am going to solve this by purchasing a Cisco AP ~ which supports one of the more esoteric WPA modes which the 350 ~ adapter and the ACU do support... ~ ~ ~ Peter.

No argument there :-)

Aaron