question
Matthew Carpenter
matt
Mon May 17 11:58:03 PDT 2004
You're almost right. The SSID (aka essid) is the Network Identifier, and can be letters and numbers, etc... Linksys APs default to "linksys", Netgear often uses "NETGEAR", Cisco defaults to "tsunami", etc... These are identifiers which denote a wireless network. Making several APs use the same SSID is akin to drawing a boundary around the 50 states to make up the US. It's the joining of multiple APs for the common purpose of making one network. SSIDs are not private and can be seen using Kismet pretty much no matter what you do... so don't assume otherwise. And DON'T use the SSID of "mycompanyname" or whatever, then people will know who they are hacking into! The ESSID needs to be the same on the NIC (network interface card) and the AP (access point).
This is not to be confused with the BSSID, which is basically the MAC address of an AP, and should be unique given an ESSID.
Channel choice is also made when configuring the AP. Most common is 6, although there are 11 choices, each using a combination of frequencies in the 2.4GHz range. Channels 1, 6, and 11 use frequencies which do not overlap, whereas the others do. So these channels are the most common, and are used to design wireless networks that can share the airwaves overlapping without interfering with each other.
Encryption has become quite a topic in wireless networks. The most common encryption is WEP (Wired Equivalency Protocol). Cisco also has proprietary LEAP (Lightweight Extended Authentication Protocol), there is also EAP-TLS (EAP with Transport Layer Security) and PEAP (Protected EAP) both of which use Certificates and TLS much like Sendmail and Postfix use TLS. All three "EAP" protocols involve a RADIUS server such as CiscoSecure ACS or FreeRadius.
WEP is considered insecure because in its raw form there are numerical weaknesses whereby parts of the original key are leaked out through the imperfect implementation of MD5 Hashing. This weakness is commonly avoided these days by APs and NICs which avoid these weak keys. Given several months and 10s of billions of 802.11 frames, I have never been able to crack a 128bit key from a late-model Cisco 350 AP.
WEP is implemented in either 40bit or 128bit form. In reality, you configure 104bits of the 128bit key. This is because the NIC and AP use a 3-byte (24bit) Initialization Vector (IV) which changes for each frame. This allows each frame to be encoded differently from most others. What you need to know, is that you are only left with 104bits (13bytes) for the key.
If you are using SuSE 8.2 or better, you will want to set up the wireless card using YAST2 under network devices. Wireless support and pcmcia are options, which allow you to configure your wireless card easily. You must make sure that the Wireless card is the only (or at least the first) network card available to Linux. If not, you need to stop all NICs and start the wireless card first. Otherwise SuSE will not allow the wireless card to apply the default gateway from DHCP... even if no other default gateway has been defined. I have complained to SuSE about this and expect it will be resolved in 9.1.
Good luck!
On Fri, 9 Jan 2004 09:06:43 +0100
Roger Oberholtzer <roger at opq.se> wrote:
> I am probably wrong, but the SSID is a number independent of encryption.
> Whatever SSID is set to on the router must also be used on the wireless
> client. I guess it is an initial check before a connection can be made.
> iwconfig calls this 'essid'. IIRC, it is, initially, usually set to
> something like 6. You could try 'essid off' or 'essid any' to see if your
> card allows this. If not, then I guess you must change this where a
> different SSID is in use. This is typically only done to mark a network as
> 'private'. Otherwise, most probably leave it at the default. I do not
> remember where I saw this, but I think you can also have a list of values,
> and each will be tried. It could have been either Gentoo or SUSE. If you do
> not find it, let me know and I can look.
>
> As to encryption, well, I have had some difficulty with that. Oddly, my
> D-LINK AP-2000+ will not let me in to the web admin over the wireless card.
> I have not had a chance to hook it up via the ethernet to access that way.
> The linuxant drivers have just added WPA support, which I was waiting for so
> I could just do this once (JDTO). It also seems to involve a firmware
> upgrade on my access point. I did not want to disturb family usage over
> Christmas. Next block of time I get I will sort this out.
>
--
Matthew Carpenter
matt at eisgr.com http://www.eisgr.com/
Enterprise Information Systems
* Network Server Appliances
* Network Consulting, Integration & Support
* Web Integration and E-Business
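
The key layout described in the message above (a 3-byte IV that changes per frame plus the 5- or 13-byte key you configure), shown as an added example that is not part of the original message. The function names and the sample key and IV are constructed for illustration, and RC4 is written out inline so the block runs offline.

```python
import struct
import zlib

IV_LEN = 3          # 24-bit IV, sent in the clear at the start of every frame body
KEY_LENS = (5, 13)  # configured secret: 40-bit or 104-bit

def rc4(seed: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule over `seed`, then XOR keystream with `data`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_seed(iv: bytes, key: bytes) -> bytes:
    # The "64-bit"/"128-bit" figure counts the IV; only `key` is secret.
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 3 bytes (24 bits)")
    if len(key) not in KEY_LENS:
        raise ValueError("key must be 5 bytes (40-bit) or 13 bytes (104-bit)")
    return iv + key

def _icv(payload: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encapsulate(iv: bytes, key: bytes, payload: bytes, key_id: int = 0) -> bytes:
    # Frame body: IV | key-id octet | RC4(payload + CRC-32 integrity value)
    body = rc4(wep_seed(iv, key), payload + _icv(payload))
    return iv + bytes([(key_id & 3) << 6]) + body

def wep_decapsulate(key: bytes, frame_body: bytes) -> bytes:
    iv, body = frame_body[:IV_LEN], frame_body[IV_LEN + 1:]
    plain = rc4(wep_seed(iv, key), body)
    payload, icv = plain[:-4], plain[-4:]
    if _icv(payload) != icv:
        raise ValueError("ICV mismatch (wrong key or corrupted frame)")
    return payload

SAMPLE_KEY = b"constructed13"  # constructed 13-byte (104-bit) key
SAMPLE_IV = b"\x00\x00\x01"    # constructed IV
```
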