eso
New Member

Concept of association and authentication?

Hello, hope someone can enlighten me on this.  We have a 5508 WLC with a few WAP's (1131's and 1242's).  Our wireless clients use certificate base authentication against our AD (i.e. both computer cert and user cert are required).  However, from time to time I see clients being associated but not authenticated as reported by the WLC.  Could it be possible, as some literatures indicate that a client can only be "associated" after it's successfully authenticated?  Perhaps I'm not quite clear about the concept.  Thanks in advance.

Eric

2 ACCEPTED SOLUTIONS

Hall of Fame Super Red

Re: Concept of association and authentication?

Hey Eric,

Clear as mud, isn't it?

I like to think of it this way: in the Library at our campus there are hundreds of students, most of them using laptops. If we look at the APs in this area we might see 120 Associations, for example, but we may only see 65 Authentications. In this case 55 users' laptops have Associated but not gone through the Authentication process.

Here is Cisco's explanation:

Wireless Client Association

In the client association process, access points send out beacons announcing one or more SSIDs, data rates, and other information. The client sends out a probe and scans all the channels and listens for beacons and responses to the probes from the access points. The client associates to the access point that has the strongest signal. If the signal becomes low, the client repeats the scan to associate with another access point (this process is called roaming). During association, the SSID, MAC address, and security settings are sent from the client to the access point and checked by the access point. Figure 3-6 illustrates the client association process.


Figure 3-6 Client Association

A wireless client's association to a selected access point is actually the second step in a two-step process. First, authentication and then association must occur before an 802.11 client can pass traffic through the access point to another host on the network. Client authentication in this initial process is not the same as network authentication (entering username and password to get access to the network). Client authentication is simply the first step (followed by association) between the wireless client and access point, and it establishes communication. The 802.11 standard specifies only two different methods of authentication: open authentication and shared key authentication. Open authentication is simply the exchange of four "hello" type packets with no client or access point verification, to allow ease of connectivity. Shared key authentication uses a statically defined WEP key, known between the client and access point, for verification. This same key might or might not be used to encrypt the actual data passing between a wireless client and an access point based on user configuration.


http://www.ciscopress.com/articles/article.asp?p=1156068&seqNum=3

Cheers!

Rob

Re: Concept of association and authentication?

As Rob points out ...

The Wireless Authentication (802.11) is different from say AAA authentication (802.1X). These are 2 different processes.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
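As an added illustration (not code from this thread, from Cisco, or from the WLC), the following Python model walks through the sequence the two answers above describe: 802.11 open-system authentication, then association, and only then the separate 802.1X/EAP ("AAA") exchange that authorizes the data path. It reproduces Rob's library numbers (120 associated, 65 authenticated, 55 associated-but-not-authenticated) and also models what happens when EAP fails. The state names, MAC addresses and the assumption that the controller deauthenticates a client on EAP failure are this example's own.

```python
"""Model of the 802.11 station state machine with an 802.1X controlled port.

Added illustration only. It shows why a controller can list a client as
"associated but not authenticated": the 802.11 authentication and
association steps finish first, while the 802.1X/EAP exchange (the AAA
authentication) is a separate, later step that gates data traffic.
"""
from enum import Enum


class DotState(Enum):
    # IEEE 802.11 station states.
    UNAUTH_UNASSOC = 1   # state 1: neither 802.11-authenticated nor associated
    AUTH_UNASSOC = 2     # state 2: 802.11 (open / shared-key) authenticated
    AUTH_ASSOC = 3       # state 3: associated; 802.1X port still blocked


class Station:
    def __init__(self, mac):
        self.mac = mac
        self.dot11 = DotState.UNAUTH_UNASSOC
        self.port_authorized = False   # 802.1X controlled port state

    def open_auth(self):
        # Open-system authentication: no credential is verified here.
        self.dot11 = DotState.AUTH_UNASSOC

    def associate(self):
        # 802.11 requires authentication before association (state 2 -> 3).
        if self.dot11 is DotState.UNAUTH_UNASSOC:
            raise ValueError("association rejected: not 802.11-authenticated")
        self.dot11 = DotState.AUTH_ASSOC

    def eap_result(self, success):
        # The 802.1X/EAP exchange only runs over an existing association.
        if self.dot11 is not DotState.AUTH_ASSOC:
            raise ValueError("EAP requires an association")
        if success:
            self.port_authorized = True
        else:
            # Assumption of this model: the controller deauthenticates a
            # client whose EAP exchange fails, returning it to state 1.
            self.dot11 = DotState.UNAUTH_UNASSOC
            self.port_authorized = False

    def can_pass_data(self):
        # Data frames flow only after both steps are complete.
        return self.dot11 is DotState.AUTH_ASSOC and self.port_authorized


def summarize(stations):
    """Counts as a controller would report them: associated vs. authenticated."""
    associated = [s for s in stations if s.dot11 is DotState.AUTH_ASSOC]
    authenticated = [s for s in associated if s.port_authorized]
    return {
        "associated": len(associated),
        "authenticated": len(authenticated),
        "pending": len(associated) - len(authenticated),
    }


def library_scenario():
    """Rob's library example: 120 associated, 65 of them through 802.1X."""
    stations = []
    for i in range(120):
        # Constructed MAC addresses for the sample population.
        s = Station(f"00:11:22:33:{i // 256:02x}:{i % 256:02x}")
        s.open_auth()
        s.associate()
        if i < 65:
            s.eap_result(success=True)   # completed the AAA step
        stations.append(s)
    # One more client whose EAP exchange failed and was deauthenticated;
    # it no longer counts as associated.
    failed = Station("00:11:22:33:ff:ff")
    failed.open_auth()
    failed.associate()
    failed.eap_result(success=False)
    stations.append(failed)
    return summarize(stations)


if __name__ == "__main__":
    print(library_scenario())  # {'associated': 120, 'authenticated': 65, 'pending': 55}
```

The 55 "pending" stations are exactly the clients the original question is about: they have passed open authentication and association, so the AP lists them as associated, but they have not yet completed (or have not yet started) the 802.1X exchange, so no data passes and no IP address is obtained.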
7 REPLIES
Hall of Fame Super Red

Re: Concept of association and authentication?

Hi Eric,

I believe the statement;

"a client can only be "associated" after it's successfully authenticated?"

is actually backwards

A client can be associated without being authenticated, but not vice versa.

Cheers!

Rob

eso
New Member

Re: Concept of association and authentication?

Thanks for the quick response, Rob.  The client being associated but not authenticated in fact didn't have any IP address assigned, which was good, and agreed with what you pointed out regarding the sequence of assoc and auth.  But how would someone be able to only associate with the WAP?  I thought the client would have been kicked out if it fails the authentication ...

Eric

eso
New Member

Re: Concept of association and authentication?

Thank you both, Rob and George.  I guess the main concept I missed was that this "authentication" was not the "AAA authentication" yet.

Eric

Re: Concept of association and authentication?

Eric, I think we all scratched our heads at that one starting out in wifi ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

Concept of association and authentication?

What would cause the "authentication" (if you even want to call it that) between the AP and the client to fail in an "Open Authentication" scenario? I also see this on my wireless network at work. We have a 5508 with 70 LW APs using PEAP EAP authentication, and every now and again you see a client that is Associated but not Authenticated.
