Cannot get 64 Char WPA to work

I am having a hard time getting WPA (tkip) to work using a 64 Char hex key

Does MT support 256 Bit WPA?

My log error is “unicast key exchange timeout”

If I use a shorter key (13 char) all is well.

At this point all I'm trying to connect from is a Windows XP SP2 notebook.

Please take a look at my config and tell me what I'm doing wrong.

I hope this is enough information.

Thank you


RouterOS 3.0rc1

software id =

/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers=""
group-key-update=5m interim-update=0s mode=none name="default"
radius-eap-accounting=no radius-mac-accounting=no
radius-mac-authentication=no radius-mac-caching=disabled
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username
static-algo-0=none static-algo-1=none static-algo-2=none
static-algo-3=none static-key-0="" static-key-1="" static-key-2=""
static-key-3="" static-sta-private-algo=none static-sta-private-key=""
static-transmit-key=key-0 supplicant-identity="MikroTik"
tls-certificate=none tls-mode=no-certificates unicast-ciphers=""
wpa-pre-shared-key="" wpa2-pre-shared-key=""
add authentication-types=wpa-psk group-ciphers=tkip group-key-update=5m
interim-update=0s mode=dynamic-keys name="WPA" radius-eap-accounting=no
radius-mac-accounting=no radius-mac-authentication=no
radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX
radius-mac-mode=as-username static-algo-0=none static-algo-1=none
static-algo-2=none static-algo-3=none static-key-0="" static-key-1=""
static-key-2="" static-key-3="" static-sta-private-algo=none
static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=""
tls-certificate=none tls-mode=no-certificates unicast-ciphers=tkip
wpa-pre-shared-key="446824674961466842277365572c3e76632d3b624372655443516a3d58246874" wpa2-pre-shared-key=""
/interface wireless
set 0 ack-timeout=dynamic allow-sharedkey=no antenna-gain=0 antenna-mode=ant-a
area="" arp=enabled band=2.4ghz-b/g basic-rates-a/g=6Mbps
basic-rates-b=1Mbps burst-time=disabled comment="" compression=no
country=no_country_set default-ap-tx-limit=0 default-authentication=yes
default-client-tx-limit=0 default-forwarding=yes dfs-mode=none
disable-running-check=no disabled=no disconnect-timeout=3s
frame-lifetime=0 frequency=2437 frequency-mode=manual-txpower hide-ssid=no
hw-retries=15 mac-address=00:0B:6B:37:B0:51 max-station-count=2007
mode=ap-bridge mtu=1500 name="wlan1" noise-floor-threshold=default
on-fail-retry-time=100ms periodic-calibration=default
periodic-calibration-interval=60 preamble-mode=both
proprietary-extensions=post-2.9.25 radio-name="000B6B37B051"
rate-set=default scan-list=default security-profile=WPA ssid="WPATEST"
station-bridge-clone-mac=00:00:00:00:00:00
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default
update-stats-interval=disabled wds-cost-range=50-150
wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no
wds-mode=disabled wmm-support=disabled
set 1 ack-timeout=dynamic allow-sharedkey=no antenna-gain=0 antenna-mode=ant-a
area="" arp=enabled band=2.4ghz-b/g basic-rates-a/g=6Mbps
basic-rates-b=1Mbps burst-time=disabled comment="" compression=no
country=no_country_set default-ap-tx-limit=0 default-authentication=yes
default-client-tx-limit=0 default-forwarding=yes dfs-mode=none
disable-running-check=no disabled=yes disconnect-timeout=3s
frame-lifetime=0 frequency=2412 frequency-mode=manual-txpower hide-ssid=no
hw-retries=15 mac-address=00:0B:6B:35:8D:C5 max-station-count=2007
mode=ap-bridge mtu=1500 name="wlan2" noise-floor-threshold=default
on-fail-retry-time=100ms periodic-calibration=default
periodic-calibration-interval=60 preamble-mode=both
proprietary-extensions=post-2.9.25 radio-name="000B6B358DC5"
rate-set=default scan-list=default security-profile=default
ssid="MikroTik" station-bridge-clone-mac=00:00:00:00:00:00
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default
update-stats-interval=disabled wds-cost-range=50-150
wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no
wds-mode=disabled wmm-support=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100
audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00
frame-size=300 frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10
multiple-channels=no only-headers=no receive-errors=no
streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
[admin@MikroTik] /interface wireless>

I have tried a 64 character WPA key on server routerboards and a few different RouterOS versions with CM9’s to no avail.

Has anyone got a 64 character WPA key to work with RouterOS?


Thank you

Here is my log
echo: wireless,debug wlan1: 00:90:4B:71:54:94 attempts to connect
echo: wireless,debug wlan1: 00:90:4B:71:54:94 not in local ACL, by default accept
[admin@MikroTik] >
echo: wireless,debug wlan1: 00:90:4B:71:54:94 attempts to connect
echo: wireless,debug wlan1: 00:90:4B:71:54:94 not in local ACL, by default accept
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: 00:90:4B:71:54:94 attempts to connect
echo: wireless,debug wlan1: 00:90:4B:71:54:94 not in local ACL, by default accept
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: 00:90:4B:71:54:94 attempts to connect
echo: wireless,debug wlan1: 00:90:4B:71:54:94 not in local ACL, by default accept
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >
echo: wireless,debug wlan1: reject 00:90:4B:71:54:94, banned (last failure - decided to deauth: 4-way handshake timeout (15))
[admin@MikroTik] >

Your RouterOS versions are too old - please upgrade. And after that if you have problems, email to support@mikrotik.com with detailed info.

Dear Mikrotik Users, Please help me understand this response from Mikrotik

Thank you

I am unable to connect a Windows XP SP2 laptop to a MikroTik AP using a
64 character WPA key. I can connect using shorter keys but not 64
characters. My radio is a CM9.
I have tried 2.9.46 and 3.0rc4.


Response from Sergejs
Indeed, the RouterOS ‘pre-shared-key’ option (as different vendors call it as well) is a preshared-key ‘passphrase’.
Passphrase length is from 8 to 63 ASCII characters. A special algorithm is used to generate, from the preshared-key passphrase (that you set in the ‘interface wireless security-profile’ configuration) and the SSID, the preshared-key/digit that is used as the ‘master-key’; it will be 64 characters (64*4=256 master key).

As far as I know, standard Windows XP uses the same passphrase to set WPA settings. If you use a third-party tool for wireless configuration and need to enter the preshared key directly rather than the passphrase, you need to find a tool that will generate this digit from the SSID and the ‘pre-shared-key’ configured at RouterOS.

I do not have Windows; Linux allows you to use the tool ‘wpa_passphrase’. Try to find in Google the same option for Windows, one that can generate the preshared key from the passphrase and SSID.

Regards,
Sergejs


A device can understand a key only in hexadecimal format. Keys in hexadecimal format are too hard to remember (especially if they are long), so many firmware engineers have developed an algo to convert an alphanumeric key (easier to remember) to a hexadecimal key. This algo IS NOT a standard, so if you type a key in alphanumeric format on WinXP and on ROS, the result (the REAL hexadecimal key) may be very different.
If you want to be sure, type your key in hexadecimal format everywhere or use THE SAME firmware everywhere.
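
The passphrase-to-key step described in the support reply above, as an added example that is not part of the original thread or MikroTik's code: for WPA-PSK, IEEE 802.11i defines the mapping as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, which is what `wpa_passphrase` computes. The rule in `resolve_psk` (64 hex digits are the key itself, 8 to 63 printable ASCII characters are a passphrase) is an assumption about how an endpoint reads its key field, and the sample passphrase and hex key are constructed.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)

def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase mapping: PBKDF2-HMAC-SHA1, salt = SSID,
    4096 iterations, 256-bit output (printed as 64 hex characters)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def resolve_psk(field: str, ssid: str):
    """Return (kind, psk) for the text typed into a WPA key field.
    Assumed rule: 64 hex digits = the 256-bit key itself,
    8..63 printable ASCII characters = passphrase hashed with the SSID."""
    if len(field) == 64 and set(field) <= HEX_DIGITS:
        return "raw-psk", bytes.fromhex(field)
    if 8 <= len(field) <= 63 and all(32 <= ord(c) <= 126 for c in field):
        return "passphrase", passphrase_to_psk(field, ssid)
    raise ValueError("need 8-63 printable ASCII characters or exactly 64 hex digits")

def handshake_can_succeed(ap_field: str, client_field: str, ssid: str) -> bool:
    """Both ends must arrive at the same 256-bit key; otherwise the
    integrity check in the 4-way handshake cannot pass."""
    return resolve_psk(ap_field, ssid)[1] == resolve_psk(client_field, ssid)[1]

if __name__ == "__main__":
    ssid = "WPATEST"                      # SSID from the posted config
    hex_key = "0123456789abcdef" * 4      # constructed 64-hex-digit sample key
    derived = passphrase_to_psk("example passphrase", ssid).hex()  # constructed
    print("derived PSK:", derived)
    # Passphrase on the AP, its derived hex key on the client: same key.
    print(handshake_can_succeed("example passphrase", derived, ssid))
    # Hypothetical mismatch: one end uses the hex digits as the key,
    # the other hashes 63 of them as passphrase text.
    print(handshake_can_succeed(hex_key[:63], hex_key, ssid))
```

Because the SSID is the salt, a hex key derived this way is only valid for the SSID it was computed with.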