
Wireless Bridge Supporting WPA2-AES

Geoff Millikan
Last Modified: 2013-12-21
I'm looking for a wireless Access Point and Bridge that can connect to each other via WPA2-AES for less than $500 USD (for both devices).

Despite the documentation, the Linksys/Cisco WAP54G (v3.1) only works in WPA2-TKIP mode.

If you only need a pair of wireless bridges which connect to each other, why do you want WPA2-AES? Worried about security? WPA2-TKIP is secure enough. Anyway, I do not know of anybody who has ever broken it. To improve security, you can use EAP.

Author

Commented:
TKIP is not secure enough for what we are doing.  We want WPA2-AES.  

Can anyone help us?

http://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol
TKIP is vulnerable to a keystream recovery attack that, if successfully executed, permits an attacker to transmit 7-15 packets of the attacker's choice on the network. The current publicly available TKIP-specific attacks do not reveal the Pairwise Master Key or the Pairwise Temporal Keys.

http://en.wikipedia.org/wiki/CCMP
CCMP is a mandatory part of the WPA2 protocol and an optional part of the WPA protocol, is an IEEE 802.11i encryption protocol created to replace both TKIP, the mandatory protocol in WPA, and the earlier, insecure WEP protocol.[1] CCMP is a required option for Robust Security Network (RSN) Compliant networks.  CCMP uses the Advanced Encryption Standard (AES) algorithm. Unlike in TKIP, key management and message integrity is handled by a single component built around AES using a 128-bit key and a 128-bit block.

If you are so sensitive about security, why do you just want to spend $500 on devices?

Author

Commented:
Does a bear poop in the woods?  

Ok, $1000.  

The article mentions countermeasures, which just require changing the rekey interval. By the way, you can consider setting up a site-to-site VPN tunnel to increase security. I am a Cisco guy. I do not know wireless from other vendors. If you do not mind, you can get devices from eBay, which will fit your budget.

Author

Commented:
Thanks!  And may I ask what the name of the hardware is that supports WPA2-AES between a wireless AP and a wireless bridge?  (Site-to-site VPN is not a good option for what we're doing.)

Cisco AIR-AP1131AG-A-K9 supports WPA2 and wireless bridge. See below.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml

Author

Commented:
So are you sure that the Cisco AIR-AP1131AG-A-K9 actually supports WPA2 in bridge mode? The reason I ask is because the similar specs on the Cisco (Linksys) WAP54G say on page 16 of 45 that it supports WPA2 but it actually doesn't in bridge mode (only as an AP).

Also, the best price I could find on two of these was $962.50 which isn't cheap.  I was hoping for a Netgear/Linksys/DLINK solution which should be easily in the sub-$500 range.

http://downloads.linksysbycisco.com/downloads/WAP54G_V30_UG_A-WEB.pdf
"Security Mode: Select the security method you want to use, WPA-Personal, WPA2-Personal, WPA2-Mixed, WPA-Enterprise, RADIUS, or WEP. (WPA stands for Wi-Fi Protected Access, which is a security standard stronger than WEP encryption. WPA2 is a stronger version of WPA..."
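
Added example, not part of the original thread and not vendor code: since a "WPA2" line in a manual does not say which cipher a link uses, this sketch parses the RSN information element a device advertises and reports whether it is CCMP (AES) only or still allows TKIP. The two sample elements are constructed for illustration; the function names are hypothetical.

```python
import struct

OUI = bytes.fromhex("000fac")                      # IEEE 802.11 suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

# Constructed sample RSN elements (not captured from any device named in the thread).
AES_ONLY = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")

def _suite(sel, table):
    """Name a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if sel[:3] != OUI:
        return "vendor-" + sel.hex()
    return table.get(sel[3], "unknown-%d" % sel[3])

def parse_rsn_ie(ie):
    """Return group cipher, pairwise ciphers and AKMs from an RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if len(body) < 6 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("truncated element or unsupported RSN version")
    group, pos, lists = _suite(body[2:6], CIPHERS), 6, []
    for table in (CIPHERS, AKMS):                  # pairwise list, then AKM list
        if pos + 2 > len(body):
            raise ValueError("suite count missing")
        (count,) = struct.unpack_from("<H", body, pos)
        pos += 2
        if pos + 4 * count > len(body):
            raise ValueError("suite list runs past end of element")
        lists.append([_suite(body[pos + 4 * i:pos + 4 * i + 4], table)
                      for i in range(count)])
        pos += 4 * count
    return {"group": group, "pairwise": lists[0], "akm": lists[1]}

def aes_only(rsn):
    """True only when neither group nor pairwise traffic can fall back to TKIP/WEP."""
    return rsn["group"] == "CCMP" and rsn["pairwise"] == ["CCMP"]

if __name__ == "__main__":
    for name, ie in (("aes-only", AES_ONLY), ("mixed", MIXED)):
        rsn = parse_rsn_ie(ie)
        print(name, rsn, "AES only:", aes_only(rsn))
```

The element itself comes from a beacon or association request in a packet capture of the bridge link; a mixed-mode result means TKIP is still in play even though the device reports WPA2.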

Commented:
Have you looked at Buffalo routers and loading dd-wrt?  

I have used a bunch of Broadcom based routers loaded with dd-wrt firmware using WDS encrypted with WPA2 / AES with no issues.  

The added benefit is that if you want to use them as an access point you can.  


Author

Commented:
Looks like the Buffalo WHR-HP-G54 just might do it.

It works as an AP like you say, "External Switch To Change Between Wireless Router and Wireless Access Point"

And it looks like it just might support WPA2.  The dd-wrt website says it supports this although loading a 3rd party's firmware seems dicey to me.

But you hit the nail on the head.  Nice find, very impressive.

http://www.buffalotech.com/products/wireless/wireless-g-high-power/wireless-g-high-power-router-and-access-point-whr-hp-g54/



Author

Commented:
Nice find, very impressive.

Author

Commented:
Well, now I'm reading from the manual under "Configuring a WDS Bridge:"

"Note that TKIP and AES encryption schemes will not work with WDS; you must use WEP for encryption."

So no, this doesn't work.

http://cdn.cloudfiles.mosso.com/c85091/WHR-HP-G54-Manual_web.pdf