Usage of proto, pairwise, and group in wpa_supplicant.conf

This question relates to Wi-Fi certification.  In particular, a station is not allowed to connect to a pure TKIP AP.  There are also various settings of "mixed WPA/WPA2" and "WPA2".  We tried using the settings here:

http://processors.wiki.ti.com/index.php/OMAP_Wireless_Connectivity_NLCP_WLAN_Station_WPA_Supplicant_Configuration_file#Connect_to_secured_WiFi_network_.28WPA.29

Specifically we tried the configuration under "Connect to secured WiFi network (WPA)" and "Connect to secured WiFi network (WPA2)".  The problem is that we fail the "pure TKIP test" in those configurations.

I've been searching the web trying to better understand these fields.  It looks to me like group relates to multicast ciphers (e.g. TKIP or CCMP) and pairwise relates to unicast ciphers (e.g. TKIP or CCMP).  Is that correct?  That said, I think the pure WPA2 configuration should only be specifying group=CCMP and pairwise=CCMP.  Is that right?  For the "mixed" I'm not quite as sure, but I think it should be group=TKIP (or maybe group=TKIP CCMP?) and pairwise=CCMP.  Is that right?

I have not found an explanation of "proto" at all.  How is this used?  I've seen examples of it being set to "WPA" and other examples of it being set to "RSN".  What's the difference?

The ultimate goal here is:

  • What's the proper configuration for mixed mode WPA/WPA2 operation?
  • What's the proper configuration for pure WPA2 operation?

Both of these configurations must NOT connect to a "pure TKIP" AP.

  • Hi Brad,

    For mixed mode, you can try:

    network={
    ssid="AP_SSID"
    psk="PSK"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=TKIP
    }

    "pure WPA2" -> I believe you mean AES-CCMP encryption?
    If so, you can try:

    network={
    ssid="AP_SSID"
    psk="psk"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    }


    Regarding the meaning of parameters in the wpa_supplicant.conf file, please see below:

    pairwise
    List of acceptable pairwise (unicast) ciphers for WPA; one or
    more of: CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE
    802.11i/D7.0), TKIP (Temporal Key Integrity Protocol, IEEE
    802.11i/D7.0), NONE (deprecated). If not set this defaults to
    "CCMP TKIP".

    group
    List of acceptable group (multicast) ciphers for WPA; one or more
    of: CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE
    802.11i/D7.0), TKIP (Temporal Key Integrity Protocol, IEEE
    802.11i/D7.0), WEP104 (WEP with 104-bit key), WEP40 (WEP with
    40-bit key). If not set this defaults to "CCMP TKIP WEP104
    WEP40".

    proto
    List of acceptable protocols; one or more of: WPA (IEEE
    802.11i/D3.0) and RSN (IEEE 802.11i). WPA2 is another name for
    RSN. If not set this defaults to "WPA RSN".

    Regards,
    Gigi Joseph.
  • I still don't really understand the "proto" field.  The articles I've read sound as though RSN came along with 802.11i and WPA2. Will that work for mixed mode or do I need to use "WPA RSN"?

  • Hi Brad,

    Starting from 1.1.2014, WFA published the allowed security modes in order to pass WiFi certification.

    Regarding the mixed mode configuration, the following should be used and pass the mixed mode tests:

    wpa_cli -iwlan0 add_network
    wpa_cli -iwlan0 set_network 0 auth_alg OPEN
    wpa_cli -iwlan0 set_network 0 key_mgmt WPA-PSK
    wpa_cli -iwlan0 set_network 0 psk '"12345678"'
    wpa_cli -iwlan0 set_network 0 pairwise CCMP TKIP
    wpa_cli -iwlan0 set_network 0 group CCMP TKIP
    wpa_cli -iwlan0 set_network 0 mode 0
    wpa_cli -iwlan0 set_network 0 ssid '"AndroidAP"'
    wpa_cli -iwlan0 select_network 0
    wpa_cli -iwlan0 enable_network 0

    Good luck,

    Shmulik

  • How should the "WPA only" case be handled?  Will your suggested configuration fail to connect to a WPA-only router (which is what we want), or do we need to have other "smarts" at the application level that will not even create a wpa_supplicant.conf if it sees a WPA-only router?  How does one even distinguish between a WPA-only router and a mixed mode router when you're trying to connect?
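
The following is an added example, not written by any poster in this thread and not wpa_supplicant's own code: a simplified Python model of matching a network block's proto, pairwise and group lists against the WPA/RSN elements an AP advertises, run over the configurations posted above. The AP descriptions are constructed, key_mgmt is assumed to be WPA-PSK on both sides, and the last configuration combines the cipher lists floated in the question with proto=RSN as an assumption.

```python
# Simplified model (an assumption, not wpa_supplicant source): a network block
# matches an AP if ONE advertised element satisfies proto, pairwise and group.

# Defaults for unset fields, as quoted from the documentation in the thread.
DEFAULTS = {"proto": "WPA RSN", "pairwise": "CCMP TKIP",
            "group": "CCMP TKIP WEP104 WEP40"}

def parse_block(text):
    """Turn key=value lines of a network block into sets of allowed tokens."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in DEFAULTS:
            cfg[key] = value
    return {k: set(v.split()) for k, v in cfg.items()}

def accepts(cfg, ap_elements):
    """ap_elements: list of (proto, pairwise ciphers, group cipher)."""
    return any(proto in cfg["proto"]
               and bool(cfg["pairwise"] & set(pairwise))
               and group in cfg["group"]
               for proto, pairwise, group in ap_elements)

# Constructed AP advertisements (sample data, not captured from real APs).
APS = {
    "pure TKIP": [("WPA", ["TKIP"], "TKIP")],
    "mixed":     [("WPA", ["TKIP"], "TKIP"), ("RSN", ["CCMP", "TKIP"], "TKIP")],
    "pure WPA2": [("RSN", ["CCMP"], "CCMP")],
}

# Network blocks from the thread; only the fields the model uses are kept.
CONFIGS = {
    "reply 1 mixed": "proto=RSN\npairwise=CCMP\ngroup=TKIP",
    "reply 1 WPA2":  "proto=RSN\npairwise=CCMP\ngroup=CCMP",
    "wpa_cli reply": "pairwise=CCMP TKIP\ngroup=CCMP TKIP",  # proto left unset
    # Assumption: cipher lists floated in the question, plus proto=RSN.
    "question + RSN": "proto=RSN\npairwise=CCMP\ngroup=TKIP CCMP",
}

def matrix():
    """Map (config name, AP name) -> whether the model says they match."""
    return {(c, a): accepts(parse_block(text), elems)
            for c, text in CONFIGS.items() for a, elems in APS.items()}

if __name__ == "__main__":
    for (c, a), ok in matrix().items():
        print(f"{c:15} vs {a:10} -> {'match' if ok else 'no match'}")
```

In this model, every block that sets proto=RSN rejects the pure TKIP AP, while the block that leaves proto unset falls back to the "WPA RSN" default and matches it.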