FAQ/Guide for SHA256 / CCMP-256 and WPA3

Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

PostPosted: Thu Dec 31, 2020 16:42    Post subject: FAQ/Guide for SHA256 / CCMP-256 and WPA3
I am currently using WPA2 CCMP-128 (AES) for wireless encryption. I have seen over time that additional security has been enabled for DD-WRT in general such as SHA256 and CCMP-256. I thought maybe I should be looking at using these instead but I cannot seem to find any guides or FAQs specific to this area. Am I just not finding them?

I'd also like to know specifically about using WPA2 SHA256 and CCMP-256 with WDS networks. Can the WDS network itself use this if the clients that connect to the STAs do not? What are the "rules" if you will?

Also, what is the current state of WPA3 with DD-WRT? It seemed that for a while it was mostly experimental but some time has passed.

Thank you in advance
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Fri Jan 01, 2021 18:57
Atheros drivers have wpa3, but not Broadcom.
It all boils down to client compatibility.
Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

PostPosted: Fri Jan 01, 2021 23:26
Thanks, I didn't realize that WPA3 was still that limited. I did some research on some of my client adapters and sure enough, there is no support for WPA3. So for now, I'm going to sort of just ignore WPA3.

As far as my clients, I have a pretty good mix of old and new including Linux, Windows, Android, IoT, Rokus etc., so this is likely a limiting factor. I don't use 5 GHz because range is an issue, so my Wi-Fi network is purely 2.4 GHz and set to 'N only' on all APs and stations (I have a total of 6 APs).

How does backward compatibility work with DD-WRT? So in other words if I enable WPA2 and WPA2 with SHA-256 as well as enable CCMP-128/CCMP-256/GCMP/GCMP-256 will the clients use the highest level they can and if not will fall back to a lower level?

I was reading somewhere that CCMP-256 and GCMP-256 were only used for an 802.11ac network; however, DD-WRT gives me these options to select. Is GCMP strictly for WPA3 only?

Info here is very limited https://wiki.dd-wrt.com/wiki/index.php/Wireless_security#AES-based_CCMP

Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

PostPosted: Fri Jan 08, 2021 23:07
Hi all. Does anyone know how this works? I could test this myself if I could figure out a way to tell which level of WPA algorithm was being used. All I can tell is that it is using WPA2-PSK. Is there a way I can find out additional detail to see the WPA algorithm?

One other thing specific to DD-WRT: since both the WDS AP and the WDS Station are running DD-WRT, does this mean that the communication between them would be able to use CCMP-256, and the clients could use it if supported but, if not supported, fall back to CCMP-128?

Thank you
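One way to answer the "which algorithm is actually offered" question from the post above is to decode the RSN information element (element ID 48) that an AP sends in its beacons and probe responses; it lists every pairwise cipher and key-management (AKM) suite the AP accepts, which is exactly the set the DD-WRT checkboxes control. This is an added example, not code from the thread or from DD-WRT; the IE bytes are constructed here to mimic a WPA2-PSK/WPA3-PSK AP advertising CCMP-128 and CCMP-256, and the `classify` helper is an assumption of my own.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selectors (cipher and AKM types)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128",
           12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "802.1X-SuiteB",
        12: "802.1X-SuiteB-192", 18: "OWE"}

# Constructed sample: RSN IE for an AP offering CCMP-128 + CCMP-256 pairwise,
# PSK + SAE key management, PMF capable but not required (WPA2/WPA3 mixed mode).
SAMPLE_IE = bytes.fromhex("301c0100000fac040200000fac04000fac0a0200000fac02000fac088000")


def _suite(b, table):
    # A suite selector is a 3-byte OUI plus a 1-byte type; other OUIs are vendor-specific.
    if len(b) != 4:
        raise ValueError("truncated suite selector")
    if b[:3] != OUI:
        return "vendor:" + b.hex()
    return table.get(b[3], "unknown-%d" % b[3])


def _suite_list(body, off, table):
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    suites = [_suite(body[off + 4 * i: off + 4 * i + 4], table) for i in range(count)]
    return suites, off + 4 * count


def parse_rsn_ie(ie):
    """Decode an RSN IE (ID 48) into version, group/pairwise ciphers, AKMs and PMF bits."""
    if ie[0] != 48 or len(ie) != ie[1] + 2:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6], CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    # RSN Capabilities: bit 6 = MFPR (PMF required), bit 7 = MFPC (PMF capable)
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}


def classify(info):
    """Hypothetical helper: label the advertised mode the way DD-WRT's status page does."""
    sae = {"SAE", "FT-SAE"} & set(info["akm"])
    psk = {"PSK", "FT-PSK", "PSK-SHA256"} & set(info["akm"])
    if sae and psk:
        return "WPA2/WPA3 transition"
    if sae:
        return "WPA3-only" if info["mfpr"] else "WPA3 (PMF not required)"
    return "WPA2"
```

The element shows what the AP offers, not what a given client negotiated; the station's association request carries an RSN IE with exactly one pairwise cipher and one AKM, so decoding that frame from a capture tells you what each client is really using.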
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jan 13, 2021 13:54
Broadcom also seems to have it; I have it enabled on my R6400v1 and can connect with my phone (but the phone is using WPA2). I do not have any WPA3 clients to test.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

PostPosted: Sun Jan 31, 2021 5:05
R9000/R7800 R44715/R44719 std (11/03/20)

I bought a 2nd 7800 that I could use for testing (since my Archer C7 V4's chipset didn't support WPA3). I set up another WDS network between my R9000 and the R7800. WPA3 appears to be working as intended but as egc said, I have no compatible devices. It does allow me to use both authentication levels at the same time. It now reads: "Encryption - Interface ath1 Enabled, WPA2-PSK/WPA3-PSK" for both the WDS network and the VAP.

When WPA2-SHA256 is enabled it seems to show all interfaces as having encryption disabled. I am staying away from it for now leaving only WPA2 PSK and WPA3 PSK.

I still don't have any idea which WPA algorithms are being used. I assume having them all checked means they will all be supported and the clients will use the highest available.
Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

PostPosted: Tue Feb 02, 2021 23:49
From the main AP router (WDS AP) I view the STA interface and I see encryption disabled (STATUS/WIRELESS tab).

Encryption - Interface ath1.sta1 Disabled
However, ath1 is showing it as enabled:
Encryption - Interface ath1 Enabled, WPA2-PSK/WPA3-PSK

Both routers are configured with WPA2 PSK + WPA3 PSK with all the same options enabled. The R7800 and R9000 are using the same firmware (R44715/R44719) and both routers support WPA3.

Shouldn't that .STA1 connection show encryption enabled? I guess it could just be a bug because when I log into the 2nd router (WDS Station) all of the wireless interfaces there show as encryption enabled.

And also, would the connection between the 2 routers be using WPA3 now for that link between each other? Is there any way to tell which it is using? It just shows both are enabled and doesn't clarify in syslog either. Thank you
Laithan
DD-WRT User


Joined: 01 Sep 2018
Posts: 106

PostPosted: Sat Feb 06, 2021 1:56
Just an update to this "experiment"... Now that I have had these settings in place for several days, I have noticed some client connectivity issues with several clients. The symptom was that they were unable to connect to the AP. I resolved them by removing the WPA3 option... so it appears that enabling WPA3 along with WPA2 is problematic... I may do some more testing to see if it may have been one of the WPA algorithms that was causing the issues and not actually WPA3 combined with WPA2, but I just wanted to get things working again.
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

PostPosted: Tue Feb 23, 2021 22:35
Laithan wrote:
R9000/R7800 R44715/R44719 std (11/03/20)
When WPA2-SHA256 is enabled it seems to show all interfaces as having encryption disabled. I am staying away from it for now leaving only WPA2 PSK and WPA3 PSK.


I noticed the same thing with WPA2-SHA256 but the clients still connected. Must be some kind of bug with encryption reporting?
aewoo
DD-WRT Novice


Joined: 22 Apr 2022
Posts: 2

PostPosted: Mon Apr 25, 2022 18:04
Laithan wrote:
Thanks, I didn't realize that WPA3 was still that limited. I did some research on some of my client adapters and sure enough, there is no support for WPA3. So for now, I'm going to sort of just ignore WPA3.

As far as my clients, I have a pretty good mix of old and new including Linux, Windows, Android, IoT, Rokus etc., so this is likely a limiting factor. I don't use 5 GHz because range is an issue, so my Wi-Fi network is purely 2.4 GHz and set to 'N only' on all APs and stations (I have a total of 6 APs).

How does backward compatibility work with DD-WRT? So in other words if I enable WPA2 and WPA2 with SHA-256 as well as enable CCMP-128/CCMP-256/GCMP/GCMP-256 will the clients use the highest level they can and if not will fall back to a lower level?

I was reading somewhere that CCMP-256 and GCMP-256 were only used for an 802.11ac network; however, DD-WRT gives me these options to select. Is GCMP strictly for WPA3 only?

Info here is very limited https://wiki.dd-wrt.com/wiki/index.php/Wireless_security#AES-based_CCMP


I am sorry, do you know the router model for the screenshot displayed in your message?
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

PostPosted: Tue Apr 26, 2022 16:25
Laithan wrote:
R9000/R7800

R7800 and R9000 have the same 2.4 and 5 GHz radios, each QCA9984.