Hello, hope someone can enlighten me on this. We have a 5508 WLC with a few WAP's (1131's and 1242's). Our wireless clients use certificate base authentication against our AD (i.e. both computer cert and user cert are required). However, from time to time I see clients being associated but not authenticated as reported by the WLC. Could it be possible, as some literatures indicate that a client can only be "associated" after it's successfully authenticated? Perhaps I'm not quite clear about the concept. Thanks in advance.
As Rob points out ...
The Wireless Authentication (802.11) is different from say AAA authentication (802.1X). These are 2 different processes.
Clear as mud isn't it
I like to think of it this way, in the Library at our campus
there are hundreds of students most are using laptops. If we look at the AP's
in this area we might see 120 Associations for example but we may only see 65
Authentications. In this case 55 users laptops have Associated but not gone
through the Authentication process.
Here is Cisco's explanation;
Wireless Client Association
In the client association process, access points send out beacons announcing one or more SSIDs, data rates, and other information. The client sends out a probe and scans all the channels and listens for beacons and responses to the probes from the access points. The client associates to the access point that has the strongest signal. If the signal becomes low, the client repeats the scan to associate with another access point (this process is called roaming). During association, the SSID, MAC address, and security settings are sent from the client to the access point and checked by the access point. Figure 3-6 illustrates the client association process.
Figure 3-6 Client Association
A wireless client's association to a selected access point is actually the second step in a two-step process. First, authentication and then association must occur before an 802.11 client can pass traffic through the access point to another host on the network. Client authentication in this initial process is not the same as network authentication (entering username and password to get access to the network). Client authentication is simply the first step (followed by association) between the wireless client and access point, and it establishes communication. The 802.11 standard specifies only two different methods of authentication: open authentication and shared key authentication. Open authentication is simply the exchange of four "hello" type packets with no client or access point verification, to allow ease of connectivity. Shared key authentication uses a statically defined WEP key, known between the client and access point, for verification. This same key might or might not be used to encrypt the actual data passing between a wireless client and an access point based on user configuration.