First time home wireless - how to match PC to router - setup question

How would you match up the seemingly different NAMES for security protocols between my PC and my wireless router?

I am hooking up my first wireless PC at home and I am confused about which matching settings to use on the wireless router and the wireless PC.

HERE ARE THE AVAILABLE WIRELESS ROUTER OPTIONS:
a. Security Mode = Disabled, WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise, Radius, or WEP
b. WPA Algorithms = AES, TKIP, or TKIP+AES

HERE ARE THE AVAILABLE WINDOWS WIRELESS PC OPTIONS:
a. Network Authentication = Open, Shared, WPA, or WPA-PSK
b. Data Encryption = AES, or TKIP

Given those choices, which would YOU choose for the router and for the PC?

I tried these settings but it didn't work:
ROUTER = WPA2 Personal, TKIP
PC = WPA-PSK, TKIP

And I tried these settings but it didn't work either:
ROUTER = WPA Personal, AES
PC = WPA-PSK, AES

Given what choices I have, what's the most secure WORKING combination I should use?

Julie Bove

I finally got it to work using AES and WPA.

The only problem is I found articles saying to use TKIP and not AES.

Do you know if TKIP or AES is more secure?

Julie Bove

Julie Bove hath wroth:

That article is old and from 2003. MS has since then added WPA2 support to XP. See:

However, I prefer TKIP because I've had some odd problems with AES. Most AES implementations are in hardware. I keep blundering into a few odd "drivers" that have implemented AES encryption in software which slows things down considerably. At this time, a long (>20 char) pass phrase, with no dictionary words included, is quite safe with TKIP. However, if you have reasonably modern hardware, I wouldn't worry about it and stay with AES.

WPA2 with AES encryption is more secure from decryption than TKIP.

For the best currently available, you'll need a RADIUS server, which delivers user and session unique random WPA encryption keys. This eliminates the potential for leaking a shared key. Note that it's quite easy for an evil hacker (like me) to extract a shared key directly from your PC.

Jeff Liebermann

I'm confused. I have my Windows XP set to update everything so I SHOULD have that WPA2 update from Microsoft, but I DO NOT SEE WPA2 as an option in my "wireless zero" interface.

All I see are options for "Open", "Shared", "WPA", & "WPA-PSK".

Do you know if WPA-PSK is the same as WPA2 or are they different?

Julie Bove

Oh my! And I live just north of Santa Cruz besides! I noticed that my router, a linksys wrt54g, has the capability of that thing which you call "radius".

How do I know if my Windows XP SP2 can support the radius method?

Julie Bove

You have to match the router settings with your own computer network hardware settings. Does your wireless NIC support WPA2? You can only use the higher of the settings that both pieces of hardware (router and NIC) support. In other words even though the router might support WPA2 + AES the wireless network card in your computer might only support WPA-PSK, etc. If your network card is much older it might only support WEP.

Jbob

Julie Bove hath wroth:

You probably already have this update. Download and install Belarc Advisor:

It will supply a list of updates, supplements, bug fixes, debris, junk, and other stuff that Microsoft installs. It's quite a list. It also marks what's missing and what failed to install. Also, a list of every piece of hardware, and every software package and version. Very handy.

Well, maybe you don't have the supplement installed. See:

Very different. You're also mixing a few things.

WPA is a temporary kludge thrown together by the Wi-Fi Alliance in an attempt to do damage control after the WEP fiasco. The encryption is TKIP/MIC/PPK/IV. The IEEE then adopted the standard as IEEE-802.11i also known as WPA2. They then threw in a mess of authentication protocols. AES/CCMP encryption was adopted for WPA2.

This might help fill in some of the details:

The bottom line is that they're similar in function, but quite different in implementation.

Ignoring authentication, the relevant combinations available in your Linksys WRT54G are:
WPA-PSK or WPA-Personal
WPA-RADIUS or WPA-Enterprise
WPA2-PSK
WPA2-RADIUS

You probably won't be using the RADIUS server versions unless you have an external RADIUS server to handle logins, passwords, and encryption keys. So, that leaves WPA-PSK (pre-shared key) and WPA2-PSK. Your choice.

Just to confuse things, the many router firmware implementations have an automatic setting for WPA, where it will automagically select either TKIP or AES encryption, depending on the capabilities of the client. It's usually called "WPA2-PSK Mixed" or "WPA-RADIUS Mixed". This way, you don't have to select one or the other. The router will work with any of the WPA or WPA2 mutations. You didn't specify your WRT54G hardware version or firmware version, so I can't check if yours offers this selection.

A RADIUS server would be nice, but overkill for the typical home user as it involves either a replacement router, or another box that's on 24 hours per day.

As for authentication protocols, that's usually handled by the client computah. See:

for a large shopping list.

Jeff Liebermann

Oh my. I THOUGHT I had all the latest windows xp patches but I didn't have the Microsoft KB 893357 WPA2/WPA2-PSK additive patch you had suggested.

This Microsoft KB893357 patch added TWO new options to my wireless zero control panel (WPA2, & WPA2-PSK) so now my options are more even.

HERE ARE THE AVAILABLE WIRELESS ROUTER OPTIONS:
a. Security Mode = Disabled, WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise, Radius, or WEP
b. WPA Algorithms = AES, TKIP, or TKIP+AES

HERE ARE THE NEWLY AVAILABLE WINDOWS WIRELESS PC OPTIONS:
a. Network Authentication = Open, Shared, WPA, WPA-PSK, WPA2, or WPA2-PSK
b. Data Encryption = AES, or TKIP

So I think I'll go with:
ROUTER: WPA2 Personal
WINDOWS: WPA2-PSK

The only problem left is that I'm assuming "WPA2 Personal" is the same as "WPA2-PSK". Is it?

Julie Bove

After installing the Microsoft patch, WINDOWS wireless NIC now supports WPA2 & WPA2-PSK.

The ROUTER supported WPA2-Personal & WPA2-Enterprise.

Can I now match the WINDOWS "WPA2-PSK" with the ROUTER "WPA2-Enterprise"?

I am thoroughly confused.

Julie

Julie Bove

kb893357 has been replaced by kb917021 if you have XP SP2

This is also linked to in this page:-
"Wireless Client Update for Windows XP with Service Pack 2"

kev

Oh my! The reference article helps greatly!

In that article, it basically says "WPA2-Personal" uses "PSK" so now I *finally* have a correlation on the router side with the PC side!

ROUTER = WPA2-Personal, TKIP + AES (which the article says also uses PSK)
WINDOWS = WPA2-PSK, TKIP (with the patch listed in KB893357 & KB917021)

Finally, if you see this message, then I have a match between the 802.11g abbreviations used on the router side and the newly patched 802.11i abbreviations used on the Windows XP SP2 PC side!

May I ask why they all don't just use the same abbreviations?

Julie

Julie Bove

Julie Bove hath wroth:

Correct. The names have been changed to confuse the innocent.

WPA2-PSK and WPA2-Personal are the same thing. WPA2-RADIUS and WPA2-Enterprise are the same thing.

Jeff Liebermann
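
The name matching worked out in this thread (Personal = PSK, Enterprise = RADIUS, and "use the highest setting both sides support"), as an added example that is not part of any post. It covers only the WPA/WPA2 choices; the option lists are the ones posted above, and the reading of XP's plain "WPA"/"WPA2" as the 802.1X variants is an assumption of the example.

```python
from itertools import product

# Labels normalised to (generation, key management); Personal == PSK and
# Enterprise == RADIUS (802.1X). Assumption: XP's plain WPA/WPA2 are 802.1X.
ROUTER_MODES = {
    "WPA Personal": ("WPA", "PSK"), "WPA Enterprise": ("WPA", "802.1X"),
    "WPA2 Personal": ("WPA2", "PSK"), "WPA2 Enterprise": ("WPA2", "802.1X"),
}
WINDOWS_AUTH = {
    "WPA-PSK": ("WPA", "PSK"), "WPA": ("WPA", "802.1X"),
    "WPA2-PSK": ("WPA2", "PSK"), "WPA2": ("WPA2", "802.1X"),
}
# Ciphers each router "WPA Algorithms" choice accepts from a client.
ROUTER_ALGOS = {"AES": {"AES"}, "TKIP": {"TKIP"}, "TKIP+AES": {"TKIP", "AES"}}
RANK = {"WPA": 1, "WPA2": 2, "PSK": 1, "802.1X": 2, "TKIP": 1, "AES": 2}
# Option lists as posted in the thread: router, then XP before/after the patch.
ROUTER = (["Disabled", *ROUTER_MODES, "Radius", "WEP"], list(ROUTER_ALGOS))
XP_OLD = (["Open", "Shared", "WPA", "WPA-PSK"], ["AES", "TKIP"])
XP_NEW = (XP_OLD[0] + ["WPA2", "WPA2-PSK"], XP_OLD[1])


def mismatch(router_mode, router_algo, pc_auth, pc_cipher):
    """Return None if the four settings agree, else the reason they do not."""
    r, p = ROUTER_MODES.get(router_mode), WINDOWS_AUTH.get(pc_auth)
    if r is None or p is None:
        return "not a WPA/WPA2 mode on both sides"
    if r[0] != p[0]:
        return f"router is {r[0]}, PC is {p[0]}"
    if r[1] != p[1]:
        return f"router uses {r[1]}, PC uses {p[1]}"
    if pc_cipher not in ROUTER_ALGOS.get(router_algo, ()):
        return f"router accepts {router_algo} only, PC offers {pc_cipher}"
    return None


def best_match(router, pc, have_radius=False):
    """Strongest (router_mode, router_algo, pc_auth, pc_cipher) both sides support."""
    best = None
    for rm, ra, pa, pc_c in product(*router, *pc):
        if mismatch(rm, ra, pa, pc_c):
            continue
        gen, km = ROUTER_MODES[rm]
        if km == "802.1X" and not have_radius:
            continue  # Enterprise modes need a RADIUS server
        # Rank: WPA2 > WPA, 802.1X > PSK, AES > TKIP, AES-only router > TKIP+AES.
        score = (RANK[gen], RANK[km], RANK[pc_c], ra == pc_c)
        if best is None or score > best[0]:
            best = (score, (rm, ra, pa, pc_c))
    return best[1] if best else None
```

`mismatch("WPA2 Personal", "TKIP", "WPA-PSK", "TKIP")` reports the WPA2/WPA generation mismatch, and `best_match(ROUTER, XP_NEW)` returns the WPA2 Personal / WPA2-PSK pairing with AES on both sides.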
[snip]

The abbreviations are mostly the same, the main difference is that some vendors think "Personal" is a better word than PSK, or 'pre-shared key'.

As far as I know, there is no other official name for PSK than PSK. I've done some unsuccessful attempts to locate the origin of this "personal" terminology. Would appreciate it if anyone could provide some insight on this... I'd like to know who to blame :)

- Eirik

Eirik Seim

snipped-for-privacy@mi.uib.no (Eirik Seim) hath wroth:

Can I guess?

Personal and Enterprise are all over the Wi-Fi.org web site. For example, see:

Searching the web pile, PSK appears in one press release (probably an accident) and in the glossary, which points to WPA-Personal. I suspect (not sure) that they will not issue certification unless the product uses their terminology.

PSK and RADIUS are all over IEEE-802.11i-2004 which is the controlling document for WPA2.

My guess(tm) is that the Wi-Fi alliance is more consumer oriented than the acronym infested IEEE. I'm guilty of using them interchangeably, depending on whom I'm addressing.

Jeff Liebermann

Wow! Why didn't the world provide me this secret decoder ring *before* I confusified myself and everyone else! LOL!

Seriously, before you, I hadn't known that "Security Mode = WPA2 Personal" on my Cisco router is actually the same thing as "Network Authentication = WPA2-PSK" in my patched Windows XP PC. Am I the only one to not get with the program?

While this hidden 1:1 translation knowledge simplifies things greatly, I wonder aloud whether the same kind of inverted translational logic applies to the encryption algorithm too???

For example, I've set my corresponding router & windows settings to:
a. ROUTER: WPA Algorithms = TKIP+AES
b. WINXP: Data Encryption = TKIP

The convoluted reason I did this was that I was told TKIP is better but having TKIP plus AES "seemed" more secure to me. Am I ditzing out again?

Or should I have just chosen a router "wpa algorithm" of TKIP and a Windows XP "data encryption" of TKIP?

Does setting the router to "TKIP+AES" buy me anything over setting the router to just "TKIP"?

Julie

Julie Bove

Oh yeah! I researched (as in searched again) the google 'pile' using the fact that I now knew the answer (that "PSK" is the same as "Personal") and now, indeed, I can see that the dummy and wikipedia guides (my first stop shopping) do say that "personal" is the *same* as "psk" (even though the p stands for something else entirely).

"WPA Personal is equivalent to WPA-PSK, which is used by many wireless access points. WPA Enterprise requires that a RADIUS server be running on your network, something your home network is not likely to have."

"Pre-shared key mode (PSK, also known as personal mode) is designed for home and small office networks"

If I would *hazard* a guess, I might infer that the friendlier-sounding "Personal" description arose for the Macintosh community while the acronym-laced "PSK" was relegated to the Windows clientele based on some search results such as that at

formatting link
"WPA-PSK (Windows) and WPA-Personal (Mac) Encryption ... In this first section we look at WPA-PSK (Windows) Encryption ... Next Page: WPA-Personal (Mac) Encryption ..."

Does my guess pan out that "Personal" was originally styled for Macintosh computers while the more gruff acronym "PSK" was for Windows PCs?

Julie

Julie Bove

I'm going to guess that's why my router has a setting for "TKIP+AES" in addition to "AES" and "TKIP" separately???

Julie

Julie Bove

Julie Bove hath wroth:

Nope. Wi-Fi is platform agnostic. If anything, Unix and Linux would be the most favored operating system of the standards producers. I'm going to preserve my sanity and NOT lookup when the first mention of either term appeared. My foggy memory seems to recall that WPA-PSK was first used, which later mutated into WPA-Personal, as apparently required for router certification.

Jeff Liebermann

I first ran into the "personal" and "enterprise" terms while configuring my girlfriend's new iBook a year ago. I had no idea what they really meant, and I had worked professionally with wireless networks for a few years... so no, you're not the only one.

I think a quick and dirty history lesson is in order... :)

First came 64 bits WEP, then 128 bits WEP, both of which were more than reasonably flawed. The chosen way of implementing WEP allowed an attacker to deduce the key after a certain amount of sniffed traffic.

To fix this, WPA emerged as an interim solution until the industry could agree on something better. That version was more or less WEP with dynamic keys and integrity checking. The protocol WPA uses for managing the dynamic keys is called TKIP.

Then came WPA2, or 802.11i, where the older RC4 encryption algorithm was replaced by AES. AES is widely regarded as stronger than RC4. WPA2 was designed to use 802.1x authentication (what is commonly called "Enterprise"; requires quite a bit more administration and an authentication server), and also the less secure PSK mode ("Personal", pre-shared key). TKIP is still supported, but AES does the same job better.

So in the end, if you are running a business and/or have a server that could be used for issuing 802.1x certificates and as a suitable authentication server (RADIUS, et al), I would recommend WPA2 with 802.1x (sometimes referred to as EAP).

And if you're in a regular home with no dedicated or suitable servers, go for the WPA2 with AES and PSK. No TKIP. Choose a long and complex (@¤!#", etc) key, put it on a memory stick and use copy and paste to configure every client computer.

- Eirik

Eirik Seim

Thanks to all of you, here is what I ended up with, after taking in all of the (sometimes conflicting) advice.

  1. Wireless ROUTER is set to WPA2 Personal "Security Mode"
  2. Wireless ROUTER is set to AES "WPA Algorithm"
  3. WinXP PC is patched to Microsoft KB917021 level
  4. Newly patched WinXP PC is set to WPA2-PSK "Network Authentication"
  5. Newly patched WinXP PC is set to AES "Data Encryption"
  6. Preselected key is set as "Four score & seven years ago"
  7. ROUTER SSID is set to not broadcast (adds very minimal protection)
  8. MAC Address Filtering is turned on (adds very minimal protection)
  9. DHCP is set to allow only the number of available computers (useful?)

Does setting the number of allowed DHCP clients equal to the number of available computers afford me any protection from intrusion?

That is, if I have three computers and I set the DHCP range from 192.168.1.1 to 192.168.1.3 - doesn't that protect me from intrusion by a fourth computer?

Julie Bove
