alt.internet.wireless

#1 Robert Coe, 11-18-2006, 03:21 AM
WAP54GP (POE VLAN AP)

Any users of the Linksys WAP54GP access point out there? The "P" stands for
"Power over Ethernet", but its most interesting feature is its ability to
handle a trunk line with multiple VLANs. I got several of those puppies
running with dual wireless VLANs, one totally open (no security) and the other
also ostensibly open but carrying 3rd-party (AirFortress) encryption. Despite
a rather kludgy setup process, it all worked with no problems.

But now I want to replace the AirFortress VLAN with a more conventional VLAN
using WPA2/AES. But that VLAN utterly fails to work: when a client computer
tries to connect, the RADIUS server (Windows 2003, IAS) never sees the
request. I was able to make it work, after a fashion, by turning off the VLAN
feature, but even that had sporadic failures. (My RADIUS configuration is OK;
if I substitute a WAP54GX access point, it works fine.)

I reported this problem to Linksys, who dismissed it with an offhand comment
that the firmware must have gotten corrupted when I applied the upgrade needed
for WPA2. Do it again, they said, and you should be OK. Today I went them one
better and applied the upgrade to a brand new router. My test results were
identical: it doesn't work. I'll write to Linksys again, but I think they're
in denial. Their own Q&A site has a similar report from last July, and the
user who submitted it doesn't seem to have gotten an answer either.

Has anyone here seen this problem? And (I hope) figured out what to do about
it? Or am I just out of luck - or missing something obvious?

BTW, another glitch in that model is that the WPA2 "shared secret" is limited
to 20 characters. Didn't someone in this very newsgroup recommend using at
least 22? Some APs, I believe, allow 63.

Bob

#2 Jeff Liebermann, 11-18-2006, 05:03 AM
Re: WAP54GP (POE VLAN AP)

On Fri, 17 Nov 2006 23:21:21 -0500, Robert Coe <bob@1776.COM> wrote:

>BTW, another glitch in that model is that the WPA2 "shared secret" is limited
>to 20 characters. Didn't someone in this very newsgroup recommend using at
>least 22? Some APs, I believe, allow 63.


The allowed length can be anything from 8 to 63 ASCII characters. See
comments in:
| http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

The WAP54GP should not have passed Wi-Fi WPA certification if the key
length is limited to only 20 characters. It appears it passed WPA
certification (Certification ID W003486) but not WPA2. I can see why:
| http://certifications.wi-fi.org/wbcs...d_products.php

Sorry, no clue on the VLAN problem.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

#3 John Navas, 11-18-2006, 03:28 PM
Re: WAP54GP (POE VLAN AP)

On Sat, 18 Nov 2006 06:03:11 GMT, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote in
<bp7tl21to1l8jip3q6spl8slhrfnevgglj@4ax.com>:

>On Fri, 17 Nov 2006 23:21:21 -0500, Robert Coe <bob@1776.COM> wrote:
>
>>BTW, another glitch in that model is that the WPA2 "shared secret" is limited
>>to 20 characters. Didn't someone in this very newsgroup recommend using at
>>least 22? Some APs, I believe, allow 63.

>
>The allowed length can be anything from 8 to 63 ASCII characters. See
>comments in:
>| http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access


20 characters is sufficient for good security, especially if random
characters are used.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#4 Jeff Liebermann, 11-18-2006, 03:58 PM
Re: WAP54GP (POE VLAN AP)

John Navas <spamfilter0@navasgroup.com> hath wroth:

>On Sat, 18 Nov 2006 06:03:11 GMT, Jeff Liebermann
><jeffl@comix.santa-cruz.ca.us> wrote in
><bp7tl21to1l8jip3q6spl8slhrfnevgglj@4ax.com>:
>
>>On Fri, 17 Nov 2006 23:21:21 -0500, Robert Coe <bob@1776.COM> wrote:
>>
>>>BTW, another glitch in that model is that the WPA2 "shared secret" is limited
>>>to 20 characters. Didn't someone in this very newsgroup recommend using at
>>>least 22? Some APs, I believe, allow 63.


>>The allowed length can be anything from 8 to 63 ASCII characters. See
>>comments in:
>>| http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access


>20 characters is sufficient for good security, especially if random
>characters are used.


Sure, but it doesn't meet the requirements for WPA or WPA2 Wi-Fi
certification. My guess(tm) is that Linksys ran out of available RAM
and had to cut corners. I'm also wondering how it will do WPA-RADIUS,
where the AP assigns a maximum length encryption key for each session.

Thou shalt not abrev. or trunc.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#5 John Navas, 11-18-2006, 05:18 PM
Re: WAP54GP (POE VLAN AP)

On Sat, 18 Nov 2006 08:58:19 -0800, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote in
<gmeul29j9ahj2klic0d8d68qpqtl29p38i@4ax.com>:

>John Navas <spamfilter0@navasgroup.com> hath wroth:
>
>>On Sat, 18 Nov 2006 06:03:11 GMT, Jeff Liebermann
>><jeffl@comix.santa-cruz.ca.us> wrote in
>><bp7tl21to1l8jip3q6spl8slhrfnevgglj@4ax.com>:
>>
>>>On Fri, 17 Nov 2006 23:21:21 -0500, Robert Coe <bob@1776.COM> wrote:
>>>
>>>>BTW, another glitch in that model is that the WPA2 "shared secret" is limited
>>>>to 20 characters. Didn't someone in this very newsgroup recommend using at
>>>>least 22? Some APs, I believe, allow 63.

>
>>>The allowed length can be anything from 8 to 63 ASCII characters. See
>>>comments in:
>>>| http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

>
>>20 characters is sufficient for good security, especially if random
>>characters are used.

>
>Sure, but it doesn't meet the requirements for WPA or WPA2 Wi-Fi
>certification. My guess(tm) is that Linksys ran out of available RAM
>and had to cut corners.


I suspect it's a different issue -- the difference is not enough RAM to
be significant.

>I'm also wondering how it will do WPA-RADIUS,
>where the AP assigns a maximum length encryption key for each session.


That's part of what makes me think it's a different issue, or perhaps
just some sort of misunderstanding.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#6 Jeff Liebermann, 11-18-2006, 06:45 PM
Re: WAP54GP (POE VLAN AP)

John Navas <spamfilter0@navasgroup.com> hath wroth:

>On Sat, 18 Nov 2006 08:58:19 -0800, Jeff Liebermann
><jeffl@comix.santa-cruz.ca.us> wrote in
><gmeul29j9ahj2klic0d8d68qpqtl29p38i@4ax.com>:
>
>>John Navas <spamfilter0@navasgroup.com> hath wroth:
>>
>>>On Sat, 18 Nov 2006 06:03:11 GMT, Jeff Liebermann
>>><jeffl@comix.santa-cruz.ca.us> wrote in
>>><bp7tl21to1l8jip3q6spl8slhrfnevgglj@4ax.com>:
>>>
>>>>On Fri, 17 Nov 2006 23:21:21 -0500, Robert Coe <bob@1776.COM> wrote:
>>>>
>>>>>BTW, another glitch in that model is that the WPA2 "shared secret" is limited
>>>>>to 20 characters. Didn't someone in this very newsgroup recommend using at
>>>>>least 22? Some APs, I believe, allow 63.

>>
>>>>The allowed length can be anything from 8 to 63 ASCII characters. See
>>>>comments in:
>>>>| http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

>>
>>>20 characters is sufficient for good security, especially if random
>>>characters are used.

>>
>>Sure, but it doesn't meet the requirements for WPA or WPA2 Wi-Fi
>>certification. My guess(tm) is that Linksys ran out of available RAM
>>and had to cut corners.

>
>I suspect it's a different issue -- the difference is not enough RAM to
>be significant.


Maybe. In WPA2-RADIUS, the encryption key is unique for each session.
Therefore, there has to be at least 64 bytes (hashed) per WPA key
times the number of connections (probably 128) or 8KBytes of storage.
That's not a huge amount, but still substantial considering most
current devices have about 16MBytes of RAM. For example, my home
WRT54GS v3.0 router shows 0.8MBytes available out of 16MBytes RAM with
I think 128 MaxConnections. I've seen it with less on a WRT54G v5
router. See my memory tables at:
https://home.LearnByDestroying.com:8080

>>I'm also wondering how it will do WPA-RADIUS,
>>where the AP assigns a maximum length encryption key for each session.

>
>That's part of what makes me think it's a different issue, or perhaps
>just some sort of misunderstanding.


Possibly. The obvious question is whether the WPA2 key is really
limited to 20 characters on the WAP54GP or whether there's some manner
of browser or internal web page issue. Dunno.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#7 John Navas, 11-18-2006, 08:57 PM
Re: WAP54GP (POE VLAN AP)

On Sat, 18 Nov 2006 11:45:09 -0800, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote in
<11oul21hdt374c4rk983241a0ngmkogv4s@4ax.com>:

>John Navas <spamfilter0@navasgroup.com> hath wroth:
>
>>On Sat, 18 Nov 2006 08:58:19 -0800, Jeff Liebermann
>><jeffl@comix.santa-cruz.ca.us> wrote in
>><gmeul29j9ahj2klic0d8d68qpqtl29p38i@4ax.com>:
>>
>>>John Navas <spamfilter0@navasgroup.com> hath wroth:


>>>>20 characters is sufficient for good security, especially if random
>>>>characters are used.
>>>
>>>Sure, but it doesn't meet the requirements for WPA or WPA2 Wi-Fi
>>>certification. My guess(tm) is that Linksys ran out of available RAM
>>>and had to cut corners.

>>
>>I suspect it's a different issue -- the difference is not enough RAM to
>>be significant.

>
>Maybe. In WPA2-RADIUS, the encryption key is unique for each session.
>Therefore, there has to be at least 64 bytes (hashed) per WPA key
>times the number of connections (probably 128) or 8KBytes of storage.
>That's not a huge amount, but still substantial considering most
>current devices have about 16MBytes of RAM. For example, my home
>WRT54GS v3.0 router shows 0.8MBytes available out of 16MBytes RAM with
>I think 128 MaxConnections. I've seen it with less on a WRT54G v5
>router. See my memory tables at:
> https://home.LearnByDestroying.com:8080


That would be pretty sloppy programming, since only the fixed size hash
need be saved, and I doubt that many connections are being fully
maintained in static memory in any event.

>>>I'm also wondering how it will do WPA-RADIUS,
>>>where the AP assigns a maximum length encryption key for each session.

>>
>>That's part of what makes me think it's a different issue, or perhaps
>>just some sort of misunderstanding.

>
>Possibly. The obvious question is whether the WPA2 key is really
>limited to 20 characters on the WAP54GP or whether there's some manner
>of browser or internal web page issue. Dunno.


Yep.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
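
The passphrase-length question debated in this thread (8 to 63 ASCII characters allowed, 20 on the device as reported, and only a fixed-size hash needing storage) can be checked with the standard WPA/WPA2 pre-shared-key derivation. This is an added example, not part of the thread or any poster's code; the function names and the SSID "ExampleNet" are hypothetical.

```python
import hashlib
import math
import secrets
import string

# The 95 printable ASCII characters (0x20-0x7e) permitted in a WPA/WPA2 passphrase.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def validate_passphrase(passphrase: str) -> None:
    """Reject anything outside the 8-63 printable-ASCII rule."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit output."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def random_passphrase_bits(length: int) -> float:
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(len(ALPHABET))


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from the OS CSPRNG; 20 matches the cap reported in the thread."""
    validate_passphrase("x" * length)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    ssid = "ExampleNet"  # hypothetical SSID, constructed for this example
    for n in (8, 20, 63):
        pmk = derive_pmk(generate_passphrase(n), ssid)
        print(f"{n:2d} chars  ~{random_passphrase_bits(n):5.1f} bits  "
              f"PMK is {len(pmk)} bytes: {pmk.hex()[:16]}...")
```

The derived key is 32 bytes whatever the passphrase length, and a uniformly random 20-character passphrase carries roughly 131 bits of entropy.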

All times are GMT.