Concept of association and authentication?

eso
Level 1

Hello, hope someone can enlighten me on this.  We have a 5508 WLC with a few WAPs (1131s and 1242s).  Our wireless clients use certificate-based authentication against our AD (i.e. both computer cert and user cert are required).  However, from time to time I see clients being associated but not authenticated as reported by the WLC.  Could it be possible, as some literature indicates, that a client can only be "associated" after it's successfully authenticated?  Perhaps I'm not quite clear about the concept.  Thanks in advance.

Eric


7 Replies

Rob Huffman
Hall of Fame

Hi Eric,

I believe the statement;

"a client can only be "associated" after it's successfully authenticated?"

is actually backwards

A client can be associated without being authenticated but not vice versa.

Cheers!

Rob

Thanks for the quick response, Rob.  The client being associated but not authenticated in fact didn't have any IP address assigned, which was good, and agreed with what you pointed out regarding the sequence of assoc and auth.  But how would someone be able to only associate with the WAP?  I thought the client would have been kicked out if it fails the authentication ...

Eric

Rob Huffman
Hall of Fame

Hey Eric,

Clear as mud, isn't it?

I like to think of it this way: in the Library at our campus there are hundreds of students, most of them using laptops. If we look at the APs in this area we might see 120 Associations, for example, but we may only see 65 Authentications. In this case 55 users' laptops have Associated but not gone through the Authentication process.

Here is Cisco's explanation;

Wireless Client Association

In the client association process, access points send out beacons announcing one or more SSIDs, data rates, and other information. The client sends out a probe and scans all the channels and listens for beacons and responses to the probes from the access points. The client associates to the access point that has the strongest signal. If the signal becomes low, the client repeats the scan to associate with another access point (this process is called roaming). During association, the SSID, MAC address, and security settings are sent from the client to the access point and checked by the access point. Figure 3-6 illustrates the client association process.


Figure 3-6 Client Association

A wireless client's association to a selected access point is actually the second step in a two-step process. First, authentication and then association must occur before an 802.11 client can pass traffic through the access point to another host on the network. Client authentication in this initial process is not the same as network authentication (entering username and password to get access to the network). Client authentication is simply the first step (followed by association) between the wireless client and access point, and it establishes communication. The 802.11 standard specifies only two different methods of authentication: open authentication and shared key authentication. Open authentication is simply the exchange of four "hello" type packets with no client or access point verification, to allow ease of connectivity. Shared key authentication uses a statically defined WEP key, known between the client and access point, for verification. This same key might or might not be used to encrypt the actual data passing between a wireless client and an access point based on user configuration.


http://www.ciscopress.com/articles/article.asp?p=1156068&seqNum=3

Cheers!

Rob

As Rob points out ...

The Wireless Authentication (802.11) is different from say AAA authentication (802.1X). These are 2 different processes.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
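A runnable model of the sequence Rob and George describe, added here as an example (it is not code from this thread, from Cisco, or from the WLC): the IEEE 802.11 client state machine, in which open-system authentication (state 2) and association (state 3) complete before any 802.1X/EAP exchange, so a client can legitimately sit in "associated" with the 802.1X controlled port still closed (no EAP success, no 4-way handshake, no IP). The MAC address and the event sequences are constructed; the event names and the `wlc_view()` fields are my own labels, and the policy strings only approximate AireOS Policy Manager states (they are not controller output). Reason codes 6 and 23 are the standard's Deauthentication reason codes.

```python
"""IEEE 802.11 client state machine (states 1-4) as a runnable model.

Added example, not code from the thread, from Cisco, or from the WLC.
It shows why a controller can list a client as associated but not
authenticated: 802.11 open-system auth and association happen first,
and data is only forwarded after 802.1X/EAP and the 4-way handshake.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    UNAUTH_UNASSOC = 1     # state 1: only class 1 frames (probe, auth, deauth)
    AUTH_UNASSOC = 2       # state 2: 802.11 open/shared-key auth succeeded
    AUTH_ASSOC = 3         # state 3: associated; 802.1X controlled port closed
    AUTH_ASSOC_KEYED = 4   # state 4: EAP success + 4-way handshake; data flows


@dataclass
class Client:
    mac: str
    state: State = State.UNAUTH_UNASSOC
    events: list = field(default_factory=list)


def step(client: Client, event: str, success: bool = True) -> State:
    """Apply one 802.11/802.1X event at the AP/WLC and return the new state.

    `success` is the peer's verdict: auth/assoc status code 0, RADIUS
    Access-Accept vs Access-Reject, MIC check on the handshake, and so on.
    Event names are this example's own labels, not 802.11 frame names.
    """
    s = client.state
    client.events.append((event, success))
    if event == "open_auth":            # class 1 frame, valid in any state
        client.state = State.AUTH_UNASSOC if success else State.UNAUTH_UNASSOC
    elif event == "assoc":              # class 2 frame, needs state >= 2
        if s is State.UNAUTH_UNASSOC:
            # AP answers with Deauthentication, reason code 6
            # ("class 2 frame received from nonauthenticated STA").
            client.events.append(("deauth_sent", 6))
        elif success:
            client.state = State.AUTH_ASSOC
    elif event == "dot1x":              # EAP exchange + 4-way handshake
        if s is State.AUTH_ASSOC and success:
            client.state = State.AUTH_ASSOC_KEYED
        elif s is State.AUTH_ASSOC:
            # EAP failure (e.g. certificate rejected): AP deauthenticates
            # with reason code 23 ("IEEE 802.1X authentication failed").
            client.events.append(("deauth_sent", 23))
            client.state = State.UNAUTH_UNASSOC
    elif event == "disassoc":           # state 3/4 -> state 2 (still 802.11-authed)
        if s.value >= 3:
            client.state = State.AUTH_UNASSOC
    elif event == "deauth":             # any state -> state 1
        client.state = State.UNAUTH_UNASSOC
    else:
        raise ValueError(f"unknown event {event!r}")
    return client.state


def can_forward_data(client: Client) -> bool:
    """On an 802.1X SSID the AP only bridges data once the port is open."""
    return client.state is State.AUTH_ASSOC_KEYED


def wlc_view(client: Client) -> dict:
    """Roughly what a controller client table shows. The 'policy' strings
    approximate AireOS Policy Manager states; treat them as illustrative."""
    s = client.state
    policy = ("RUN" if s is State.AUTH_ASSOC_KEYED
              else "8021X_REQD" if s is State.AUTH_ASSOC else "START")
    return {
        "mac": client.mac,
        "associated": s.value >= 3,
        "802.11 authenticated": s.value >= 2,
        "802.1X authenticated": s is State.AUTH_ASSOC_KEYED,
        "policy": policy,
    }


def walk(events) -> Client:
    """Run a constructed (event, success) sequence for one client."""
    c = Client(mac="00:11:22:33:44:55")   # constructed sample MAC
    for ev, ok in events:
        step(c, ev, ok)
    return c


if __name__ == "__main__":
    # Eric's case: open auth and association done, EAP-TLS not yet finished.
    print(wlc_view(walk([("open_auth", True), ("assoc", True)])))
    # Same client after the certificate exchange and 4-way handshake succeed.
    print(wlc_view(walk([("open_auth", True), ("assoc", True), ("dot1x", True)])))
    # Association attempted without prior 802.11 auth: refused with reason 6.
    bad = walk([("assoc", True)])
    print(bad.state, bad.events)
```

Running the model with the first sequence yields `associated: True`, `802.1X authenticated: False`, which is exactly the "associated but not authenticated" row on the controller; only after the `dot1x` event succeeds does `can_forward_data()` become true. Note that the 802.11 layer has no concept of the AD certificate check at all: a client that fails EAP is deauthenticated and drops back to state 1, then typically scans and associates again, which is why such rows come and go.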

Thank you both, Rob and George.  I guess the main concept I missed was that this "authentication" was not the "AAA authentication" yet.

Eric

Eric, I think we all scratched our heads at that one starting out in wifi ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

What would cause the "authentication" (if you even want to call it that) between the AP and the client to fail in an "Open Authentication" scenario? I also see this on my wireless network at work. We have a 5508 with 70 LW APs using PEAP EAP authentication, and every now and again you see a client that is Associated but not Authenticated.
