Question about psk2 and CCMP configuration

piwacet · August 8, 2018, 5:16pm

Hi. Apologies if this has been answered, but I've not been able to find it.

For my home network, I see the current recommendation for wifi security is to only use WPA2-PSK, and to force CCMP (and I think use the AES encryption method - I think CCMP does this?). And to use a complex random password.

I configure my router/wifi AP via the command line. Would setting 'option' 'encryption' to 'psk2' be the correct setting for this? Looking at the WPA modes table in the wireless configuration guide it seems that there are 3 settings that I think do the same thing: 'psk2,' 'psk2+aes,' psk2+ccmp.' The table indicates these settings all use the WPA version WPA2 Personal (PSK), and the cipher is CCMP.

https://wiki.openwrt.org/doc/uci/wireless

ThanksI

h8red · August 8, 2018, 5:19pm

option encryption 'psk2+ccmp'
option wpa_disable_eapol_key_retries '1'
option key '0000000000000000'

tmomas · August 8, 2018, 6:05pm

New URL: https://openwrt.org/docs/guide-user/network/wifi/basic

(wiki.openwrt.org is for archival purposes only and does not receive any updates any more)

jeff · August 8, 2018, 6:21pm

Looking at the code in /lib/netifd/netifd-wireless.sh (Edit -- at least as of April, 2018)

        wpa_cipher=CCMP
        case "$encryption" in
                *tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip) wpa_cipher="CCMP TKIP";;
                *aes|*ccmp) wpa_cipher="CCMP";;
                *tkip) wpa_cipher="TKIP";;
        esac

So, yes, aes and ccmp both end up specifying CCMP and the default, if none is given, is to use CCMP

Personally, I'd not rely on the default and explicitly specify the cipher.

piwacet · August 10, 2018, 6:20am

Thank you all! Really appreciate your help.

tmomas · February 11, 2019, 11:24pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.