Security issue with Password and 40 MHz Network

I have two issues.

  1. When I change the password on the router, other clients can still connect even though I haven't told them the new password. This is even true after a power cycle.

  2. I can not get the router to change 2.4 Ghz to 40 Mhz channel width. The GUI says it is set to 40 Mhz but the overview shows 20 Mhz for every device.

Edit: Password issue still a problem. Why can these devices still connect after I change the wifi password on router?

  1. The admin password on the router is not the wifi password, each one is changed on a separate page.
  2. Regulations require to switch to 20Mhz in case of a crowded environment (but it can be forced to 40MHz).
  • For your desired config to work, ALL SSIDs on the 2.4 GHz chip must be set to 40MHz wide, your wording implies you might have multiple SSIDs.
  • The WiFi pre-shared key is changed under the Wireless page, by editing the SSID in question, it's located on the same page as the channel width setting under "Wireless Security"

That doesn't answer why changing the wifi password doesn't stop client from connecting. Also, I tried 40 Mhz with only one client connected to it. It still says 20 Mhz. Are you saying LEDE is programmed to ignore my 40 Mhz setting if it detects a lot of networks in the area?

In relation to this you will find an option in here to override. Interestingly LEDE does not appear to document the option, perhaps for obvious reasons.

  1. looks like a user error. As eduperez said

The admin password on the router is not the wifi password, each one is changed on a separate page.

You can post a screenshot of your wifi page settings. You should change the password there. If you know how to access the router via ssh, you can post the output of

cat /etc/config/wireless

  1. You are not supposed to be able to force 40 mhz channel width. If there is any other 2.4ghz radio in range on the same channels all standard routers will fall back to 20mhz operation to mitigate airtime competition.

All routers should be programmed that way. That’s what the regulatory standard states should occur.

That still leaves the mystery of changing the wifi password not kicking clients off. Even after a power cycle, they still reconnect.

On the network -- wireless page, select your AP to edit then go to the bottom under wireless security and change it there. You can click the little green arrows thing to the right side of the password box to reveal what the password is.

Then of course click "save and apply."

Many 2.4 GHz clients such as Android phones operate only at 20 MHz channel width, even in "greenfield" conditions with a 40 MHz AP.

I did that.

No, I'm saying: if you have multiple 2.4 GHz SSIDs (WiFi networks) under "Wireless", ALL SSIDs on the router must be set to 40 MHz for the wide-band to activate:

You must also be on the proper wide-band channels for your Country setting.

Ensure the devices you're testing can use 40 MHz channels.

These devices can still connect when I change wifi password.

HostAPD does ignore the 40Mhz settings when there are other AP's that overlap with the chosen channels. So yeah the setting is ignored in such a case. It will be visible on the logs though.

Also note that this can be overriden but this is agains the standard.


Question 1:
Is this where you are changing the password: ---=--If it is then you are not doing it in the right spot


Router Password


If you are changing the password in Network > Wireless > Wireless Security You must press Save and apply. and if you think you did everything right reboot the router to make sure.


As for your other question As others have explained if " you have one device that tries to connect that is not capable of 40MHz all devices will revert to 20 MHz "


Also " If you have one device that has a crappy connection all devices will revert to 20 MHz "

Thanks for that. I was not considering the standard (aside from the country setting)...My SSID is in interference w/2 SSIDs using 40MHz...I believe they break the standard...I'll test that...


Sat Oct 21 08:14:18 2017 daemon.notice hostapd: 20/40 MHz operation not permitted on channel pri=3 sec=7 based on overlapping BSSes

(I also know why I rarely see 40 MHz channels in congested areas!)

Thanks again.

what do you mean by Pri=3, sec = 7?

Also, I think I figured out the 40 Mhz. I will have to test it to see if there is an OS interface bug I just found or something else. I will pick up working on the password on Monday. I did use the correct place to change the password so stop linking that over and over. My issue is that devices could still connect after the password change. I wonder if the wifi devices could still use the key handed out to them on the router after it rebooted and that key has to time out. I noticed devices that were off for hours could not reconnect. Only the devices actively on could reconnect even though I didn't tell them the new password.

Pri and sec are channel numbers. In the USA there are 11 allowed channels. But each channel is only 5 MHz wide, so a 20 MHz wifi-n signal spans over 4 channels and a 40 MHz one takes 8. Best practice is to divide the band into three blocks centered over channels 1, 6, and 11. Everyone should set their router to one of those three channels, avoiding neighbors as much as possible.

40 MHz operation is based on centering the extra 20 MHz at a secondary channel that is 4 channels away from the primary channel. Do not try 40 MHz unless there are no neighbors using the secondary band area. You're only going to jam each other and both will have better results using 20 MHz signals that do not overlap.

Keys don't work that way. When the router reboots, or even if you "save and apply" which restarts the wifi system, all clients have to reconnect from scratch and re-negotiate their keys.

Is there another AP in the area using the same SSID and the old key?

Post your /etc/config/wireless here (redact actual passwords, for your own safety) and let us have a look at it, please.

1 Like

I don't mean anything, as that was clearly my log showing a test that you cannot get 40 MHz on a congested channel - without attempting to disable a regulatory setting. See my full post and the quote.

(actually 13, but the last 2 have such different regulatory permissions, they're rarely implemented in devices without special applications - i.e. low-power, indoors)

Others have assisted you greatly with this WiFi password answer your question, it's technically impossible for the old clients to obtain the new key, unless you pre-shared it. If you are having issues understanding the LuCI GUI or hitting 'Save and Apply' from the browser, you may also wish to simply SSH into the router and edit the 'key' option manually at /etc/config/wireless

See: for instructions about the file.

Once you successfully edit the file and save/reboot, it should be technically impossible for the clients to reconnect without the new key.

This is the other possibility, make sure there's not another device using the same SSID and key.

Does the wireless interface menu show clients attempting to connect as well as those connected?