https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963311#M139954 <P>There are two types of authentication. &nbsp;Open System Authentication &amp; 802.1X based authentication.</P> <P>So you will see two authentication frames (<G class="gr_ gr_76 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="76" data-gr-id="76">req</G>/res) prior to association <G class="gr_ gr_105 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="105" data-gr-id="105">req</G>/res frames. Refer below post for some details.</P> <P><A href="https://mrncciew.com/2014/08/19/cwsp-legacy-802-11-securiry/">https://mrncciew.com/2014/08/19/cwsp-legacy-802-11-securiry/</A></P> <P>Once this finished, then user authentication starts.</P> <P>HTH</P> <P>Rasika</P> <P>*** Pls rate all useful responses ***</P> <P></P> <P></P> Fri, 06 Jan 2017 20:21:36 GMT Rasika Nayanajith 2017-01-06T20:21:36Z https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963310#M139953 <P>Hello,</P> <P></P> <P><SPAN style="font-family: 'Arial',sans-serif; color: #58585b; background: white;">All the tech docs state that the client authentication process take place before the association. However on the controller I see clients which are associated but not authenticated. How is this possible?</SPAN></P> <P><SPAN style="font-family: 'Arial',sans-serif; color: #58585b; background: white;"></SPAN></P> <P><SPAN style="font-family: 'Arial',sans-serif; color: #58585b; background: white;"></SPAN></P> Mon, 05 Jul 2021 13:19:18 GMT https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963310#M139953 MUQ_1899_ 2021-07-05T13:19:18Z https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963311#M139954 <P>There are two types of authentication. &nbsp;Open System Authentication &amp; 802.1X based authentication.</P> <P>So you will see two authentication frames (<G class="gr_ gr_76 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="76" data-gr-id="76">req</G>/res) prior to association <G class="gr_ gr_105 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="105" data-gr-id="105">req</G>/res frames. Refer below post for some details.</P> <P><A href="https://mrncciew.com/2014/08/19/cwsp-legacy-802-11-securiry/">https://mrncciew.com/2014/08/19/cwsp-legacy-802-11-securiry/</A></P> <P>Once this finished, then user authentication starts.</P> <P>HTH</P> <P>Rasika</P> <P>*** Pls rate all useful responses ***</P> <P></P> <P></P> Fri, 06 Jan 2017 20:21:36 GMT https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963311#M139954 Rasika Nayanajith 2017-01-06T20:21:36Z https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963312#M139955 <P>So independent of the configured authentication PSK/802.1X user authentication always in first place we have open authentication then client association and then the final user authentication?</P> Sat, 07 Jan 2017 09:52:40 GMT https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963312#M139955 MUQ_1899_ 2017-01-07T09:52:40Z https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963313#M139956 <P>Just to add to Rasika's comments... &nbsp;Open auth with webauth (layer 3 auth) for example, clients need to get an ip prior to hitting a portal page, then the auth will happen. So anything that is not open and uses a layer 2 encryption will need to get auth first then if passed will get an ip and be placed on the network.&nbsp;</P> <P>-Scott&nbsp;</P> <P>*** Please rate helpful posts ***&nbsp;</P> Sat, 07 Jan 2017 15:50:39 GMT https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963313#M139956 Scott Fella 2017-01-07T15:50:39Z https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963314#M139957 <P>Scott, the screenshot that is attached in the first post is from an SSID configured with PSK. I see associated clients which are not authenticated. I bet that these are someones that have tried to connect but the not know the shared secret. How is it possible to &nbsp;be associated than?</P> Mon, 09 Jan 2017 18:52:26 GMT https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963314#M139957 MUQ_1899_ 2017-01-09T18:52:26Z https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963315#M139958 <P>You first associate, means the device is trying to connect to that SSID, then you move to authenticated if you pass authentication. &nbsp;You will see this also with Webauth where devices connect automatically but need user intervention to hit accessory or enter credentials.</P> <P>-Scott&nbsp;</P> <P>*** Please rate helpful posts ***&nbsp;</P> Mon, 09 Jan 2017 19:09:58 GMT https://community.cisco.com/t5/wireless/client-association-before-authentication/m-p/2963315#M139958 Scott Fella 2017-01-09T19:09:58Z