Troubleshooting Wired-Equivalent-Protection
and WiFi Protected Access
If you're interested in reading more about the value of encryption and what your options are, look no further than my Encryption page, where I lay out where the encryption we find on our computers comes from and why it is so important to use. Plus, I also make encryption recommendations there by base station model.
The most important thing to remember when it comes to securing wireless networks (or any network, for that matter) is to do it in small incremental steps. Think of the process like a series of doors in a hallway. Any locked door can deny access; some are harder to bypass than others. Yet, in order to allow your computer to get past all these doors, your computer and base station have to be set up properly.
Patience is a virtue, and a potential time-saver when it comes to securing your network. "Update" the base station after every potential step that can lock you out, like using Access Control, WEP/WPA, etc. Another good thing to realize is the idiosyncrasies of these forms of encryption, like the length of the password, and how to get non-Apple machines onto the Apple Base Station.
So start off with an "Open" network, the kind of unsecured network that you and I can find in any neighborhood these days and the default configuration for any access point that is shipped today. Now verify that your "non-secure" network allows you to surf to all sites, etc. Once you have a working baseline, you can take steps with confidence towards enabling security.
The order in which you enable certain aspects really is up to you. Furthermore, the number of "Doors" you want to enable to shut out potential hackers is also up to you. In most cases, enabling "128bit WEP" or "Personal WPA" is perfectly adequate and a good balance between controlling who gets on your network and ease of management. Enabling either encryption method then only requires you to share the passphrase with a visitor that you want to allow to use your network.
I've tried to logically group the scenarios. Before we begin: Capitalization is important! You must copy the passphrase exactly.
Apple ABS to Apple Hardware
Apple has made the use of WEP/WPA incredibly easy as long as you only use Apple hardware that supports Airport. On these machines, all you need to provide is a plaintext passphrase on the computer that wants to connect. Even better, Apple has updated the firmware/software of the original "Airport" cards to allow such computers that run OSX 10.3+ to join WPA networks. However, there are a number of configurations that Apple does not support (even though they were supported in OS9), notably external PC-Cards in OS X.
Our Powerbook Lombard was happy as a clam in OS 9 with Airport and a Lucent WaveLAN card. Upgrade the Lombard to OS X, and you'll either have to hack the OS to allow the use of external PC Cards or use third-party freeware to do it for you. The beauty of this open source wireless driver is that it allows you to use any sort of password - Apple plaintext, hexadecimal, etc. However, they are still working on full AppleTalk support and supporting Ad-hoc wireless networks.
For those of us that require additional features like AppleTalk support, look no further than two vendors' software drivers for OSX that allow the use of far more PC-Cards than the default Apple drivers. Since these vendors are writing software to support specific brands of cards, verify what you have, or want to use, before trying one of these drivers. For example, our Lucent WaveLAN card is supported perfectly by the driver from IOExperts. PC Cards based on the Atheros chipset are supported well by the OrangeWare driver.
Also, verify what kind of encryption these drivers support before trying to enable it on the base station. 128bit WEP is a sure bet, WPA was not the last time I checked (which admittedly was a while ago).
Apple ABS to Non-Apple Hardware
For non-Apple computers, the Airport Admin Utility allows you to convert your plaintext passphrase into a Network Equivalent Password (NEP). In Mac OS 9, the NEP can be discovered via the menu bar in the Admin Utility application. In Mac OS X, once you enable WEP via the Admin Utility you can click on the padlock in the main application window to discover the NEP. This is the passphrase you'll have to enter into the appropriate entry on your PC in the control panel folder.
On PCs, check the documentation of your wireless card manufacturer to see how it handles hexadecimal passwords. Some hexadecimal passwords need to have a "#" or other character added to the front of them, for example. iFelix has a great tutorial on how to connect a WEP-enabled AEBS and Windows XP machine. I wish I had had that tutorial two weeks ago when I spent hours trying to get my stepfather's Vaio to behave.
I have no idea how this all works with Linux. If someone would like to educate me, please use the e-mail link at the bottom of this page to contact me. I'll gladly host relevant information here.
Non-Apple Access Point to Apple Hardware with Airport
Now things can get a bit tricky. What usually works is to get the hexadecimal passphrase from the access point you're using. Then, to tell your Apple that you're using a hexadecimal key, you need to add a "$" to the beginning of the phrase. So, if the password was "abc01923" then the phrase you should enter into the Airport password field should be "$abc01923".
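A dropped or extra digit is the usual way this step fails, so here is an added example (not part of the original page) that checks a hexadecimal key copied from an access point and builds the "$"-prefixed string for the Airport password field. It assumes standard WEP key sizes of 10 or 26 hex digits, so the short sample above is illustrative only; the function names and sample keys are made up for this sketch.

```python
import re

# Hex digits a WEP key must have; the 24-bit IV supplies the remaining bits.
WEP_HEX_LENGTHS = {10: '40-bit ("64bit") WEP', 26: '104-bit ("128bit") WEP'}


def normalize_hex_key(raw):
    """Strip the decorations admin pages put around a hex key, then validate it."""
    key = raw.strip()
    if key.lower().startswith("0x"):
        key = key[2:]
    key = re.sub(r"[\s:\-]", "", key)  # separators such as "1a:2b" or "1a2b-3c4d"
    if not re.fullmatch(r"[0-9A-Fa-f]+", key):
        raise ValueError("key contains characters that are not hex digits")
    if len(key) not in WEP_HEX_LENGTHS:
        raise ValueError(
            "key has %d hex digits; WEP needs 10 or 26" % len(key))
    return key  # case is left exactly as copied


def key_type(raw):
    """Name the WEP variant implied by the key length."""
    return WEP_HEX_LENGTHS[len(normalize_hex_key(raw))]


def airport_entry(raw):
    """String to type into the Airport password field for a hexadecimal key."""
    return "$" + normalize_hex_key(raw)


if __name__ == "__main__":
    # Constructed sample keys, not taken from any real network.
    samples = [
        "0x1A2B3C4D5E",
        "1a:2b:3c:4d:5e:6f:70:81:92:a3:b4:c5:d6",
        "1A2B3C4D5",    # one digit dropped while copying
        "1A2B3C4D5G",   # "G" is not a hex digit
    ]
    for s in samples:
        try:
            print("%-40s -> %s  (%s)" % (s, airport_entry(s), key_type(s)))
        except ValueError as err:
            print("%-40s -> rejected: %s" % (s, err))
```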
Non-Apple Access Point to Apple Hardware without Airport
The open-source wireless driver mentioned above allows you to enter the password in hexadecimal form w/o modifications. Simply indicate to the control panel (via a handy pull-down menu) that the passphrase is in hexadecimal form. Copy the phrase exactly as is.
Non-Apple Access Point to Non-Apple Hardware
Sorry, this is beyond the scope of this site.
So, I hope this was helpful. If you have anything to add, please contact me via the link below. I'll try to keep these pages as fresh and relevant as possible.
Cheers! Constantin von Wentzel