D-Link Forums

The Graveyard - Products No Longer Supported => Routers => DIR-868L => Topic started by: Hawaii_Beach on January 14, 2018, 03:07:14 PM

Title: No WPA2 only?!
Post by: Hawaii_Beach on January 14, 2018, 03:07:14 PM
I bought a DIR-868L today for my grandma, since I also have owned one the past 3+ years and haven't had any issues with mine.

Thing is that I have Rev A, but the one I bought today was Rev B. Turns out there's a lot of differences, like a new gui etc.

Getting to the point, I was setting up the wifi when I noticed that you cannot select WPA2 only, so it's WPA(1) + WPA2 and there's no way to change it! WPA is insecure and I want it gone!


Title: Re: No WPA2 only?!
Post by: FurryNutz on January 14, 2018, 03:15:17 PM
Welcome! (http://forums.dlink.com/index.php?topic=49573.0)

Mixed modes are only supported.
Title: Re: No WPA2 only?!
Post by: Hawaii_Beach on January 15, 2018, 09:39:57 AM
.. is this a joke?! Why is there not support for disabling WPA? Is there seriously nothing I can do??
Title: Re: No WPA2 only?!
Post by: FurryNutz on January 15, 2018, 09:43:05 AM
It's mixed mode for compatibility reasons.

You might contact your regional D-link support office on the phone and ask them if something can be done to make a separate WPA2 only selection. Not sure if this will happen. Something D-Link would have to review.
Title: Re: No WPA2 only?!
Post by: GreenBay42 on January 15, 2018, 09:53:52 AM
Hmm I know Rev A did have the WPA2 only option. Not sure why they took that out. Unfortunately this product was discontinued a few years ago so not sure if any new firmware will be released.
Title: Re: No WPA2 only?!
Post by: FurryNutz on January 15, 2018, 09:55:42 AM
Ya Rev A has WPA 2 only. The New UI only has Mixed WPA/WPA2 Personal. Just like with all new routers using the new UI. Is this something that could be looked at? At most, WPA is for older devices, however I only use WPA2 if I get a chance to...Most current devices are WPA2 compliant anyways. It would be nice to have the ability to select WPA2 only...if possible on newer generation supported routers.  ;)
Title: Re: No WPA2 only?!
Post by: Hawaii_Beach on January 15, 2018, 11:18:03 AM
(https://i.imgur.com/rNr3x3N.png)
Yes, with Rev A you can select which version of WPA you want to use, accepted values are WPA, WPA2 or Shared.
And sorry but I don't give a damn about compatibility with older clients, especially when WPA is vulnerable to many hacks.

You'd expect a product from dlink, costing over $90 to actually have a WPA2 only mode... I guess I'll have to contact them myself? Don't the devs ever read the forum?
Title: Re: No WPA2 only?!
Post by: FurryNutz on January 15, 2018, 12:06:46 PM
Ya that's the old UI. Not seen in the new UI. Well I'm sure there are some users out there that may have use of WPA regardless of any possible vulnerabilities. We still see users using WEP here as well. And why it's still supported in the UI. Even though it has its own vulnerabilities. It will be up to the wifi cert group who oversees how Mfrs support security modes to grant Mfrs to mandate and exclude what modes everyone has access to. We finally saw mode A stopped being supported. Mode B is still used here and there. One day that will fall off. Maybe WEP and WPA will too. Up to them though.

D-Link's security mode selects what devices support so if most if not all of your devices support WPA2, then the router will pick WPA2.

I recommend you contact your regional D-Link office and ask about this. The 868L is no longer supported here in the USA so you might have more luck in your region if they're still supporting Rev B.

Good Luck.
Title: Re: No WPA2 only?!
Post by: Hawaii_Beach on January 15, 2018, 01:50:41 PM
Yea I totally agree, why not ignore that WPA isn't secure at all and ignore the fact.... I guess I'll contact dlink
Title: Re: No WPA2 only?!
Post by: FurryNutz on January 15, 2018, 01:52:20 PM
So is WEP, still being used.  ::)

Let us know how it goes.

Title: Re: No WPA2 only?!
Post by: GreenBay42 on January 15, 2018, 02:02:20 PM
WPA is not secure at all? Is there a specific exploit you are worried about?  The client when negotiating with the router will select WPA or WPA2. The router will automatically adjust.
Title: Re: No WPA2 only?!
Post by: Hawaii_Beach on February 20, 2018, 02:46:23 AM
what a joke
Title: Re: No WPA2 only?!
Post by: FurryNutz on February 20, 2018, 08:50:01 AM
I've had zero issues with how the router handles wireless security.

Title: Re: No WPA2 only?!
Post by: GreenBay42 on February 20, 2018, 09:08:40 AM
If your clients support WPA2, it will connect using WPA2 only. Most devices default to WPA2. The only thing having a WPA2-only feature in the router is that if clients do not support WPA2, it won't be able to connect.

I do not know why they took it out on this revision, but if your clients support WPA2 it will use it.
Title: Re: No WPA2 only?!
Post by: FurryNutz on February 20, 2018, 09:11:03 AM
Since this router is EOL, you can look into using 3rd party FW like DD-WRT. I've installed WRT on my 868L and it works. May have better features you're looking for and help extend the router's life.
http://forums.dlink.com/index.php?board=610.0
Title: Re: No WPA2 only?!
Post by: nlost on January 02, 2021, 09:50:40 AM
Sorry to revive this topic, but with more than 4k views, I think my solution is worth sharing.
The DIR-868L revision B1 and C1 have a dumbed-down interface where it is not possible to select WPA2 with AES only; however, this is only a web UI issue and it can be tricked to select this option anyway.

To proceed, go to Settings > Wireless, and open your browser's console (on Chrome, press F12, press Esc a few times to locate the console at the bottom of the screen).
In the console, if you type:
Code: [Select]
document.getElementById("security_24").value
then press Enter, it should show you:
Code: [Select]
"WPAORWPA2-PSK"
Now, type:
Code: [Select]
opt = document.createElement('option');
opt.value = 'WPA2-AES';
s=document.getElementById("security_24");
s.appendChild(opt);
s.options.selectedIndex=s.options.length-1;

opt = document.createElement('option');
opt.value = 'WPA2-AES';
s=document.getElementById("security_5");
s.appendChild(opt);
s.options.selectedIndex=s.options.length-1;
then press Enter.

This will "select" WPA2 with AES only for both the 2.4GHz and 5GHz settings.

Toggle and revert any settings to enable the Save button (e.g., add a space to your passphrase and remove it), and click Save.
You will not be able to see the change reflected from the web UI, but if you look at the network requests, you will see that it's effective. One of the requests to /HNAP1/ will return something like:
Code: [Select]
<GetWLanRadioSecurityResponse xmlns="http://purenetworks.com/HNAP1/">
<GetWLanRadioSecurityResult>OK</GetWLanRadioSecurityResult>
<Enabled>true</Enabled>
<Type>WPA2-PSK</Type>
<Encryption>AES</Encryption>

Enjoy!

----
EDIT: You will need to redo this operation each time you want to change the WiFi settings, as the web interface will default back to WPA+WPA2 when you submit new changes.

Note also that the guest network's wireless security is managed separately.
If you do the procedure above you will end up with only the main network using AES only:
(https://i.imgur.com/xKvePdy.png)

To ensure that the guest network is also WPA2-AES only, the procedure is slightly different. On the Guest WiFi settings page, open the browser's console (see above), then paste this code, and press Enter. It will return you "undefined", this is fine.
Code: [Select]
function SetResult_3rd(result_xml)
{
    HNAP_WLanRadioSecurity = result_xml;
    if (result_xml != null)
    {
        result_xml.Set("SetWLanRadioSecurity/RadioID", "RADIO_2.4GHz_Guest");
        if (document.getElementById("password_24g").value != "")
        {
            result_xml.Set("SetWLanRadioSecurity/Enabled", "true");
            result_xml.Set("SetWLanRadioSecurity/Type", "WPA2-PSK");
            result_xml.Set("SetWLanRadioSecurity/Encryption", "AES");
            result_xml.Set("SetWLanRadioSecurity/KeyRenewal", "3600");
            result_xml.Set("SetWLanRadioSecurity/Key", document.getElementById("password_24g").value);
        }
        else { result_xml.Set("SetWLanRadioSecurity/Enabled", "false"); }
        // Send HNAP to DUT
        HNAP.SetXMLAsync("SetWLanRadioSecurity", result_xml, function(xml) { SetResult_4th(xml); });
    }
    else { if (DebugMode == 1) { alert("[!!SetXML Error!!] Function: SetResult_3rd"); } window.location.reload(); }
}
function SetResult_5th(result_xml)
{
    var SetResult_5th = result_xml.Get("SetWLanRadioSettingsResponse/SetWLanRadioSettingsResult");
    if (SetResult_5th == "OK")
    {
        var tmpxml = HNAP_WLanRadioSecurity;
        tmpxml.Set("SetWLanRadioSecurity/RadioID", "RADIO_5GHz_Guest");
        if (document.getElementById("password_5g").value != "")
        {
            tmpxml.Set("SetWLanRadioSecurity/Enabled", "true");
            tmpxml.Set("SetWLanRadioSecurity/Type", "WPA2-PSK");
            tmpxml.Set("SetWLanRadioSecurity/Encryption", "AES");
            tmpxml.Set("SetWLanRadioSecurity/KeyRenewal", "3600");
            tmpxml.Set("SetWLanRadioSecurity/Key", document.getElementById("password_5g").value);
        }
        else { tmpxml.Set("SetWLanRadioSecurity/Enabled", "false"); }
        // Send HNAP to DUT
        HNAP.SetXMLAsync("SetWLanRadioSecurity", tmpxml, function(xml) { SetResult_6th(xml); });
    }
    if (SetResult_5th == "ERROR") { if (DebugMode == 1) { alert("[!!SetXML Error!!] Function: SetResult_5th"); } window.location.reload(); }
}

This will redefine 2 functions to enforce AES only when you submit the new settings.
Next, similar to the main network's page, toggle and revert any settings to enable the Save button (e.g., add a space to your passphrase and remove it), and click Save. Again, do this every time you change something on the Guest WiFi settings page.
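
The check described in the post above (reading the /HNAP1/ response to confirm the setting took effect), as an added example that is not part of the original post or of D-Link's code: it audits saved GetWLanRadioSecurityResponse bodies per radio and flags anything that is not WPA2-PSK with AES. The main-network RadioID names and the mixed-mode Encryption value are assumptions, and all sample bodies are constructed.

```javascript
// Added example: audit HNAP GetWLanRadioSecurityResponse bodies for WPA2/AES-only.
// Element names follow the response quoted in the post; sample bodies are constructed.

// Return the text of the first <tag>...</tag> element in an HNAP body, or null.
function field(xml, tag) {
  const m = new RegExp("<" + tag + "(?:\\s[^>]*)?>([^<]*)</" + tag + ">").exec(xml);
  return m ? m[1].trim() : null;
}

// Classify one radio's security response.
function auditRadioSecurity(radioId, xml) {
  const result = field(xml, "GetWLanRadioSecurityResult");
  const enabled = field(xml, "Enabled");
  const type = field(xml, "Type");
  const encryption = field(xml, "Encryption");
  let verdict;
  if (result !== "OK") verdict = "UNKNOWN";            // request failed or body incomplete
  else if (enabled !== "true") verdict = "OPEN";       // wireless security switched off
  else if (type === "WPA2-PSK" && encryption === "AES") verdict = "WPA2_AES_ONLY";
  else verdict = "LEGACY_ALLOWED";                     // mixed WPA/WPA2, TKIP, WEP, ...
  return { radioId, type, encryption, verdict };
}

// Audit every radio; the device is compliant only if all radios are WPA2/AES-only.
function auditAll(responses) {
  const rows = Object.entries(responses).map(([id, xml]) => auditRadioSecurity(id, xml));
  return { rows, compliant: rows.every((r) => r.verdict === "WPA2_AES_ONLY") };
}

// Constructed sample: main radios fixed, guest radios not yet handled.
const wrap = (inner) =>
  '<GetWLanRadioSecurityResponse xmlns="http://purenetworks.com/HNAP1/">' +
  "<GetWLanRadioSecurityResult>OK</GetWLanRadioSecurityResult>" + inner +
  "</GetWLanRadioSecurityResponse>";
const WPA2_AES = "<Enabled>true</Enabled><Type>WPA2-PSK</Type><Encryption>AES</Encryption>";
const MIXED = "<Enabled>true</Enabled><Type>WPAORWPA2-PSK</Type><Encryption>TKIPORAES</Encryption>";

const SAMPLE_RESPONSES = {
  "RADIO_2.4GHz": wrap(WPA2_AES),        // RadioID assumed for the main network
  "RADIO_5GHz": wrap(WPA2_AES),          // RadioID assumed for the main network
  "RADIO_2.4GHz_Guest": wrap(MIXED),
  "RADIO_5GHz_Guest": wrap("<Enabled>false</Enabled>"),
};

const report = auditAll(SAMPLE_RESPONSES);
for (const r of report.rows) {
  console.log(r.radioId.padEnd(20), r.verdict, r.type || "-", r.encryption || "-");
}
console.log("all radios WPA2/AES only:", report.compliant);
```

The response bodies can be copied from the browser's network tab after pressing Save; a radio that reports LEGACY_ALLOWED still accepts WPA clients.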
Title: Re: No WPA2 only?!
Post by: barts on January 20, 2021, 06:36:27 AM
I made an account just to say: thank you!
Title: Re: No WPA2 only?!
Post by: nlost on January 28, 2021, 10:42:30 PM
I added instructions for the guest network in the original post.
Title: Re: No WPA2 only?!
Post by: FurryNutz on January 29, 2021, 01:48:01 PM
So I thought I would try this on different model D-Link router that also has this same WPA Auto problem.
I'm getting "None" when I copy and paste in
Code: [Select]
document.getElementById("security_24").value
in Chrome's console.

I can apply the block of code that you said to input, then I get
Code: [Select]
document.getElementById("security_24").value
"WPA2-AES" after the code is sent. However when I change something in the UI to enable the Save button, select the Save button and have the UI save it, sending document.getElementById("security_24").value results in "None" after the router is back to ready.

Am I doing this right or is maybe this other model router not supporting this modification?
Title: Re: No WPA2 only?!
Post by: nlost on February 09, 2021, 09:35:35 AM
If you don't get anything returned from
Code: [Select]
document.getElementById("security_24").value
, then my code won't work. I guess your web interface is slightly different than with the 868L. Can you copy the source of the WiFi settings page? Just strip your info if they are included.
Title: Re: No WPA2 only?!
Post by: FurryNutz on February 10, 2021, 03:42:04 PM
What do I need to do to capture the source information you need?
Title: Re: No WPA2 only?!
Post by: nlost on February 18, 2021, 03:52:24 AM
Right-click on the page > View page source. Or Ctrl-U. Just copy here the HTML source code of the page.
Title: Re: No WPA2 only?!
Post by: FurryNutz on February 18, 2021, 09:01:59 PM
Ok, so is there a particular section of the HTML code you're interested in? I copied the code from the wifi settings page and it's over 2000 Lines.  :o
Title: Re: No WPA2 only?!
Post by: nlost on February 19, 2021, 11:07:33 PM
I don't know what to look for, but I can guess if the page is somehow similar, maybe you have a Javascript function called "SetWLanSecurity" that might be interesting to look at, can you copy this one? It's probably <100 lines.
On the 868L, this function contains a big case switch that depends on the WiFi security mode, which I try to force to something else.
Title: Re: No WPA2 only?!
Post by: FurryNutz on February 20, 2021, 12:07:52 PM
I found nothing for "SetWLanSecurity" however I did find "GetWLanSecurity" and "SetWLanRadioSecurity". 172 lines with SetWLanRadioSecurity in them.

For the types I see WEP, WPAORWPA2, SHARED etc. However I see in some lines of code:
Code: [Select]
xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Type", "WPA-PSK");
and
xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Encryption", "AES");

Do I presume these values may need to be used as well?

More investigation, I did the following:
Code: [Select]
document.getElementById("security_smartconnect").value
"WPA/WPA2-Personal"
Since this is Tri band router that uses Smart Connect and it can not be disabled, I presume the values needed for this model router will differ some.

Also I noticed these lines which we may need to check into:
Code: [Select]
security_24.options.add(new Option(security, security));
security_24.options.add(new Option(security, security));
security_smartconnect.options.add(new Option(security, security));
security_smartconnect.options.add(new Option(security, security));
security_5.options.add(new Option(security, security));
security_5.options.add(new Option(security, security));
security_5hi.options.add(new Option(security, security));
security_5hi.options.add(new Option(security, security));

I tried the following:
Code: [Select]
opt = document.createElement('option');
opt.value = 'WPA2-PSK';
s=document.getElementById("security_24");
s.appendChild(opt);
s.options.selectedIndex=s.options.length-1;

opt = document.createElement('option');
opt.value = 'WPA2-PSK';
s=document.getElementById("security_smartconnect");
s.appendChild(opt);
s.options.selectedIndex=s.options.length-1;

opt = document.createElement('option');
opt.value = 'WPA2-PSK';
s=document.getElementById("security_5");
s.appendChild(opt);
s.options.selectedIndex=s.options.length-1;

opt = document.createElement('option');
opt.value = 'WPA2-PSK';
s=document.getElementById("security_5hi");
s.appendChild(opt);
s.options.selectedIndex=s.options.length-1;

Sending:
Code: [Select]
document.getElementById("security_smartconnect").value
Returns:
"WPA2-PSK"

After I select the Save button after the code was sent:
Code: [Select]
document.getElementById("security_smartconnect").value
Returns:
"WPA/WPA2-Personal"

And iPhone still reports "weak security".

I presume the above code needs some adjusting.
Title: Re: No WPA2 only?!
Post by: nlost on February 20, 2021, 09:39:55 PM
It sounds like it's a pretty different code. I guess you can't customize what SmartConnect uses for the WiFi security. Did you try disabling this feature first before running the code?
To get a proper understanding of the code, I would still need to see the whole code. Can you send it to pastebin.com and link it here?

Also, which model is this?
Title: Re: No WPA2 only?!
Post by: FurryNutz on February 21, 2021, 09:55:12 AM
Sent you a PM.

I can't disable SC on COVR systems. It's D-Link's one model that can't disable SC since they're a MESH system.

COVR-3902.
Title: Re: No WPA2 only?!
Post by: FurryNutz on February 22, 2021, 02:16:59 PM
Ok, so this works on COVR-3902.
NOTE: This does not work with the 1300 extender unit that comes with the 3902 system at this time.  :(

Using Chrome browser.
Log in to the router's web page.
Go to the wireless settings section on the router's web page.
Press F12 on your keyboard until you see the browser console on the right side of the browser window.
Select the MIMO button to disable it, then re-enable it, the SAVE button should be enabled here. Don't press Save.
Copy and paste the following lines of code into the browser console prompt: From "function" all the way down to the last bracket.
Code: [Select]
function SaveSmartConnectValue(id, band) {
    /* set wlan radio settings */
    var xml_SetWLanRadioSettings = HNAP.GetXML("SetWLanRadioSettings");
    var xml_SetSmartconnectSettings = HNAP.GetXML("SetSmartconnectSettings");
    xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/RadioID", id);
    if (document.getElementById("mimo_enable_ck").checked)
        xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/MuMiMo", "1");
    else
        xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/MuMiMo", "0");
    var enable = document.getElementById("status_" + band + "_ck").checked;
    if (enable == "1") {
        xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/Enabled", "true");
        xml_SetSmartconnectSettings.Set("SetSmartconnectSettings/Enabled", "true");
        xml_SetSmartconnectSettings.Set("SetSmartconnectSettings/GZ_Enabled", "true");
    } else {
        xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/Enabled", "true");
        xml_SetSmartconnectSettings.Set("SetSmartconnectSettings/Enabled", "false");
        xml_SetSmartconnectSettings.Set("SetSmartconnectSettings/GZ_Enabled", "false");
    }
    var xml_SetSmartconnectSettingsResult = HNAP.SetXML("SetSmartconnectSettings", xml_SetSmartconnectSettings);
    var wifi_ssid = document.getElementById("wifiName_" + band).value;
    xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/SSID", wifi_ssid);
    xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/Mode", "802.11bgn");
    xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/Channel", "0");
    var txpower = document.getElementById("transmissionPower_" + band).value;
    xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/TXPower", txpower);
    xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/ChannelWidth", "0");
    xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/SSIDBroadcast", "true");
    var schedule = document.getElementById("schedule_" + band).value;
    schedule = encode_char_text(schedule);
    xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/ScheduleName", schedule);
    if (band == 24) {
        var coeStatus = COMM_ToSTRING(COMM_ToBOOL(document.getElementById("coexistence_" + band + "_ck").checked));
        xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/Coexistence", coeStatus);
    }
    /* set wlan radio security */
    var xml_SetWLanRadioSecurity = HNAP.GetXML("SetWLanRadioSecurity");
    xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/RadioID", id);
    var security_mode = document.getElementById("security_" + band).value;
    var password = document.getElementById("password_" + band).value;
    var weptype;
    if (password.length == 5 || password.length == 10)
        weptype = "WEP-64";
    else if (password.length == 13 || password.length == 26)
        weptype = "WEP-128";
    switch (security_mode) {
        case "None":
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Enabled", "false");
            break;
        case "WEP":
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Enabled", "true");
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Type", "WEP-SHARED");
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Encryption", weptype);
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Key", password);
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/KeyRenewal", "3600");
            break;
        case "WPA/WPA2-Personal":
            // changes here
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Enabled", "true");
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Type", "WPA2-PSK");
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Encryption", "AES");
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/Key", password);
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/KeyRenewal", "3600");
            break;
    }
    if (enable == "1" && isWifiSonEnb == "true") {
        if ((oldSsid != wifi_ssid) || (oldPwd != password)) {
            xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/isChangedSsidPwd", "1");
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/isChangedSsidPwd", "1");
        } else {
            xml_SetWLanRadioSettings.Set("SetWLanRadioSettings/isChangedSsidPwd", "0");
            xml_SetWLanRadioSecurity.Set("SetWLanRadioSecurity/isChangedSsidPwd", "0");
        }
    }
    var xml_SetWLanRadioSettingsResult = HNAP.SetXML("SetWLanRadioSettings", xml_SetWLanRadioSettings);
    var xml_SetWLanRadioSecurityResult = HNAP.SetXML("SetWLanRadioSecurity", xml_SetWLanRadioSecurity);
}
Including the last bracket.
The browser console will return an "undefined" which is expected.

Go back to the wireless settings page and now select Save. Let the router reboot.

Check your iOS device. Should no longer see the "weak security" message when it's connected to the COVR system. This works on my iPhone 12 Max iOS 14.4

NOTE: This modification will persist thru a reboot or power cycle of the router. However, if you make any changes to the wireless settings page, you'll need to re-apply the block of code again prior to selecting the Save button using the process above.
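
A more compact variant of the overrides posted in this thread, as an added example (not from any poster, not D-Link's code, and not tested on a router): rather than redefining a whole page function, it wraps HNAP.SetXML and HNAP.SetXMLAsync so that any SetWLanRadioSecurity request with WPA-family security enabled is rewritten to WPA2-PSK/AES. It assumes the request objects expose Get(path) and Set(path, value) with the path strings seen in the posted code; the mock HNAP object and the mixed-mode values are constructed so the block runs outside the router page.

```javascript
// Added example, not the router's own code and not tested on hardware.
// Assumption: request objects expose Get(path)/Set(path, value) as in the posted code.
const P = "SetWLanRadioSecurity/";

// Rewrite one outgoing request in place; returns true if it was changed.
function hardenSecurityRequest(action, xml) {
  if (action !== "SetWLanRadioSecurity") return false;
  if (xml.Get(P + "Enabled") !== "true") return false; // "security off" is left alone
  if (!/^WPA/.test(String(xml.Get(P + "Type") || ""))) return false; // e.g. WEP: untouched
  xml.Set(P + "Type", "WPA2-PSK");
  xml.Set(P + "Encryption", "AES");
  return true;
}

// Wrap HNAP.SetXML and HNAP.SetXMLAsync once; returns the names that were wrapped.
function installWpa2OnlyHook(hnap) {
  const wrapped = [];
  for (const name of ["SetXML", "SetXMLAsync"]) {
    const original = hnap[name];
    if (typeof original !== "function" || original.wpa2OnlyHook) continue;
    hnap[name] = function (action, xml, ...rest) {
      hardenSecurityRequest(action, xml);
      return original.call(this, action, xml, ...rest);
    };
    hnap[name].wpa2OnlyHook = true;
    wrapped.push(name);
  }
  return wrapped;
}

// Constructed stand-in for the page's HNAP object so the block runs outside the router UI.
function makeMockHnap() {
  const sent = [];
  const record = (action, xml) => sent.push({ action, ...xml.values });
  return {
    sent,
    GetXML: () => {
      const values = {};
      return { values, Set: (k, v) => { values[k] = v; }, Get: (k) => values[k] };
    },
    SetXML: (action, xml) => { record(action, xml); return xml; },
    SetXMLAsync: (action, xml, cb) => { record(action, xml); if (cb) cb(xml); },
  };
}

// Replays the two cases from the guest-network code: security on (mixed) and off.
function demo() {
  const hnap = makeMockHnap();
  installWpa2OnlyHook(hnap);
  const mixed = hnap.GetXML("SetWLanRadioSecurity");
  mixed.Set(P + "RadioID", "RADIO_2.4GHz_Guest");
  mixed.Set(P + "Enabled", "true");
  mixed.Set(P + "Type", "WPAORWPA2-PSK"); // constructed mixed-mode values
  mixed.Set(P + "Encryption", "TKIPORAES");
  hnap.SetXMLAsync("SetWLanRadioSecurity", mixed, () => {});
  const off = hnap.GetXML("SetWLanRadioSecurity");
  off.Set(P + "Enabled", "false");
  hnap.SetXML("SetWLanRadioSecurity", off);
  return hnap.sent;
}

console.log(demo());
```

On the router page the equivalent call would be installWpa2OnlyHook(HNAP) before pressing Save; whether a given firmware sends its save through these two methods is an assumption to confirm in the network tab.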