Posted: Thu Dec 31, 2020 16:42 Post subject: FAQ/Guide for SHA256 / CCMP-256 and WPA3
I am currently using WPA2 CCMP-128 (AES) for wireless encryption. I have seen over time that additional security has been enabled for DD-WRT in general such as SHA256 and CCMP-256. I thought maybe I should be looking at using these instead but I cannot seem to find any guides or FAQs specific to this area. Am I just not finding them?
I'd also like to know specifically about using WPA2 SHA256 and CCMP-256 with WDS networks. Can the WDS network itself use this if the clients that connect to the STAs do not? What are the "rules" if you will?
Also, what is the current state of WPA3 with DD-WRT? It seemed that for a while it was mostly experimental but some time has passed.
Thanks, I didn't realize that WPA3 was still that limited. I did some research on some of my client adapters and sure enough, there is no support for WPA3. So for now, I'm going to sort of just ignore WPA3.
As far as my clients, I have a pretty good mix of old and new including Linux, Windows, Android, IoT, Rokus etc. so this is likely a limiting factor. I don't use 5GHz because range is an issue so my Wi-Fi network is purely 2.4GHz and set to 'N only' on all APs and stations (I have a total of 6 APs).
How does backward compatibility work with DD-WRT? So in other words if I enable WPA2 and WPA2 with SHA-256 as well as enable CCMP-128/CCMP-256/GCMP/GCMP-256 will the clients use the highest level they can and if not will fall back to a lower level?
I was reading somewhere that CCMP-256 and GCMP-256 were only used for an 802.11ac network; however, DD-WRT gives me these options to select. Is GCMP strictly for WPA3 only?
Hi all. Does anyone know how this works? I could test this myself if I could figure out a way to tell which level of WPA algorithm was being used. All I can tell is that it is using WPA2-PSK. Is there a way I can find out additional detail to see the WPA algorithm?
One other thing specific to DD-WRT: since the WDS AP and the WDS Station are both running DD-WRT, does this mean that the communication between them would be able to use CCMP-256, and the clients could use it if supported but, if not supported, fall back to CCMP-128?
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Jan 13, 2021 13:54 Post subject:
Broadcom also seems to have it. I have it enabled on my R6400v1 and can connect with my phone (but the phone is using WPA2). I do not have any WPA3 clients to test.
I bought a 2nd 7800 that I could use for testing (since my Archer C7 V4's chipset didn't support WPA3). I set up another WDS network between my R9000 and the R7800. WPA3 appears to be working as intended but as egc said, I have no compatible devices. It does allow me to use both authentication levels at the same time. It now reads: "Encryption - Interface ath1 Enabled, WPA2-PSK/WPA3-PSK" for both the WDS network and the VAP.
When WPA2-SHA256 is enabled it seems to show all interfaces as having encryption disabled. I am staying away from it for now leaving only WPA2 PSK and WPA3 PSK.
I still don't have any idea which WPA Algorithms are being used. I assume having them all checked means they will all be supported and the clients will use the highest available.
From the main AP router (WDS AP) I view the STA interface and I see encryption disabled (STATUS/WIRELESS tab).
Encryption - Interface ath1.sta1 Disabled
however ath1 is showing it as enabled
Encryption - Interface ath1 Enabled, WPA2-PSK/WPA3-PSK
Both routers are configured with WPA2 PSK + WPA3 PSK with all the same options enabled. The R7800 and R9000 are using the same firmware (R44715/R44719) and both routers support WPA3.
Shouldn't that .STA1 connection show encryption enabled? I guess it could just be a bug because when I log into the 2nd router (WDS Station) all of the wireless interfaces there show as encryption enabled.
And also would the connection between the 2 routers be using WPA3 now for that link between each other? Is there any way to tell which it is using? It just shows both are enabled and doesn't clarify in syslog either. Ty
Just an update to this "experiment"... Now that I have had these settings in place for several days I have noticed some client connectivity issues with several clients. The symptom was that they were unable to connect to the AP. I resolved them by removing the WPA3 option, so it appears that enabling WPA3 along with WPA2 is problematic. I may do some more testing to see if it may have been one of the WPA Algorithms that was causing the issues and not actually WPA3 combined with WPA2, but I just wanted to get things working again.
R9000/R7800 R44715/R44719 std (11/03/20)
When WPA2-SHA256 is enabled it seems to show all interfaces as having encryption disabled. I am staying away from it for now leaving only WPA2 PSK and WPA3 PSK.
I noticed the same thing with WPA2-SHA256 but the clients still connected. Must be some kind of bug with encryption reporting?
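Added example, not part of the thread and not DD-WRT code: the question above of how to tell which WPA algorithm a link uses comes down to the RSN element (ID 48) in 802.11 management frames, where the AP's beacon lists every pairwise cipher and AKM it offers and a station's association request names the one it picked. This Python sketch decodes both; the byte strings are constructed samples, and the function and variable names are this example's own.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
# Suite types from IEEE 802.11 (only the ones named in this thread, plus TKIP).
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {2: "WPA2-PSK", 6: "WPA2-PSK-SHA256", 8: "WPA3-SAE"}

def _name(selector, table):
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a label."""
    oui, kind = selector[:3], selector[3]
    if oui != IEEE_OUI:
        return "vendor-%s-%d" % (oui.hex(), kind)
    return table.get(kind, "unknown-%d" % kind)

def _suite_list(body, off, table):
    """Read a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(ie):
    """Parse an RSN element given as raw bytes: ID, length, body."""
    if len(ie) < 8 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm}

# Constructed sample bytes, not captured from any router in this thread.
AP_BEACON_RSN = bytes.fromhex(
    "3020" "0100" "000fac04" "0300" "000fac04" "000fac0a" "000fac09"
    "0200" "000fac02" "000fac08" "8000")
CLIENT_ASSOC_RSN = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")

if __name__ == "__main__":
    print("AP offers    :", parse_rsn(AP_BEACON_RSN))
    print("client chose :", parse_rsn(CLIENT_ASSOC_RSN))
```

The same fields appear in a packet capture of the association request, so a client that lands on CCMP-128 with WPA2-PSK shows exactly one pairwise suite and one AKM there even when the AP advertises several.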