Concept of association and authentication?

Answered Question

Hello, hope someone can enlighten me on this. We have a 5508 WLC with a few WAPs (1131s and 1242s). Our wireless clients use certificate-based authentication against our AD (i.e. both a computer cert and a user cert are required). However, from time to time I see clients being associated but not authenticated, as reported by the WLC. Could it be possible, as some literature indicates, that a client can only be "associated" after it's successfully authenticated? Perhaps I'm not quite clear about the concept. Thanks in advance.


Eric

Correct Answer by George Stefanick about 6 years 10 months ago

As Rob points out ...


The Wireless Authentication (802.11) is different from say AAA authentication (802.1X). These are 2 different processes.

Correct Answer by Rob Huffman about 6 years 10 months ago

Hey Eric,



Clear as mud, isn't it?

I like to think of it this way: in the Library at our campus there are hundreds of students, most using laptops. If we look at the APs in this area we might see 120 Associations, for example, but we may only see 65 Authentications. In this case 55 users' laptops have Associated but not gone through the Authentication process.

Here is Cisco's explanation:


Wireless Client Association


In the client association process, access points send out beacons announcing one or more SSIDs, data rates, and other information. The client sends out a probe and scans all the channels and listens for beacons and responses to the probes from the access points. The client associates to the access point that has the strongest signal. If the signal becomes low, the client repeats the scan to associate with another access point (this process is called roaming). During association, the SSID, MAC address, and security settings are sent from the client to the access point and checked by the access point. Figure 3-6 illustrates the client association process.

Figure 3-6 Client Association


A wireless client's association to a selected access point is actually the second step in a two-step process. First, authentication and then association must occur before an 802.11 client can pass traffic through the access point to another host on the network. Client authentication in this initial process is not the same as network authentication (entering username and password to get access to the network). Client authentication is simply the first step (followed by association) between the wireless client and access point, and it establishes communication. The 802.11 standard specifies only two different methods of authentication: open authentication and shared key authentication. Open authentication is simply the exchange of four "hello" type packets with no client or access point verification, to allow ease of connectivity. Shared key authentication uses a statically defined WEP key, known between the client and access point, for verification. This same key might or might not be used to encrypt the actual data passing between a wireless client and an access point based on user configuration.




http://www.ciscopress.com/articles/article.asp?p=1156068&seqNum=3



Cheers!

Rob
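As an added illustration (not code from this thread, from Cisco, or from the WLC), here is a small Python model of the two separate processes Rob and George describe: the 802.11 station state machine (State 1 to 3, open-system authentication followed by association) and the 802.1X controlled port that only an EAP success opens. The event names, MAC addresses and the sample event log are constructed for the example.

```python
from enum import Enum
from functools import reduce

class Dot11State(Enum):  # 802.11 station states
    UNAUTH_UNASSOC = 1   # State 1: neither 802.11-authenticated nor associated
    AUTH_UNASSOC = 2     # State 2: open/shared-key 802.11 auth done, not associated
    AUTH_ASSOC = 3       # State 3: associated (802.1X may still be pending)

class Client:
    def __init__(self, mac):
        self.mac = mac
        self.dot11 = Dot11State.UNAUTH_UNASSOC
        self.port_authorized = False  # 802.1X controlled port; opened only by EAP success

    def handle(self, event):  # open-system 802.11 auth cannot fail; 802.1X (EAP) can
        s = self.dot11
        if event == "auth_req" and s is Dot11State.UNAUTH_UNASSOC:
            self.dot11 = Dot11State.AUTH_UNASSOC      # State 1 -> 2
        elif event == "assoc_req" and s is Dot11State.AUTH_UNASSOC:
            self.dot11 = Dot11State.AUTH_ASSOC        # State 2 -> 3; needs 802.11 auth first
        elif event == "eap_success" and s is Dot11State.AUTH_ASSOC:
            self.port_authorized = True               # AAA accepted: data is now forwarded
        elif event == "eap_failure":
            self.port_authorized = False              # stays associated until deauth/timeout
        elif event == "disassoc" and s is Dot11State.AUTH_ASSOC:
            self.dot11, self.port_authorized = Dot11State.AUTH_UNASSOC, False
        elif event == "deauth":
            self.dot11, self.port_authorized = Dot11State.UNAUTH_UNASSOC, False
        return self  # any other (event, state) pair, e.g. assoc_req in State 1, is rejected

    def is_associated(self):
        return self.dot11 is Dot11State.AUTH_ASSOC

    def is_authenticated(self):  # "Authenticated" as the WLC client list means it
        return self.is_associated() and self.port_authorized

def summarize(event_log):
    """Like the library APs: (associated, authenticated, associated-but-not-authenticated)."""
    clients = [reduce(lambda c, e: c.handle(e), evs, Client(mac)) for mac, evs in event_log.items()]
    assoc = sum(c.is_associated() for c in clients)
    auth = sum(c.is_authenticated() for c in clients)
    return assoc, auth, assoc - auth

# Constructed sample (hypothetical MACs, not taken from the thread's WLC)
SAMPLE = {
    "aa:bb:cc:00:00:01": ["auth_req", "assoc_req", "eap_success"],  # healthy client
    "aa:bb:cc:00:00:02": ["auth_req", "assoc_req", "eap_failure"],  # cert rejected by AD/RADIUS
    "aa:bb:cc:00:00:03": ["auth_req", "assoc_req"],                  # EAP still in progress
    "aa:bb:cc:00:00:04": ["assoc_req"],                              # skipped 802.11 auth: rejected
}
```

summarize(SAMPLE) returns (3, 1, 2): three clients associated, one authenticated, and two sitting in the "associated but not authenticated" state the WLC reports, while the client that tried to associate without 802.11 authentication never gets past State 1.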

Rob Huffman Thu, 09/16/2010 - 11:41

Hi Eric,


I believe the statement;


"a client can only be "associated" after it's successfully authenticated?"


is actually backwards


A client can be associated without being authenticated, but not vice versa.


Cheers!

Rob

Thanks for the quick response, Rob. The client being associated but not authenticated in fact didn't have any IP address assigned, which was good, and agreed with what you pointed out regarding the sequence of assoc and auth. But how would someone be able to only associate with the WAP? I thought the client would have been kicked out if it fails the authentication ...


Eric


George Stefanick Mon, 09/20/2010 - 09:12

Eric, I think we all scratched our heads at that one starting out in wifi ...

Craddockc Wed, 05/16/2012 - 14:21

What would cause the "authentication" (if you even want to call it that) between the AP and the client to fail in an "Open Authentication" scenario? I also see this on my wireless network at work. We have a 5508 with 70 LW APs using PEAP EAP authentication, and every now and again you see a client that is Associated but not Authenticated.
