Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
767
Views
10
Helpful
5
Replies

Client Association before Authentication

MUQ_1899_
Level 1
Level 1

‎01-06-2017 12:45 AM - edited ‎07-05-2021 06:19 AM

Hello,

All the tech docs state that the client authentication process take place before the association. However on the controller I see clients which are associated but not authenticated. How is this possible?

Labels:
Preview file
2 KB
0 Helpful
5 Replies 5

Rasika Nayanajith
VIP
VIP

‎01-06-2017 12:21 PM

There are two types of authentication.  Open System Authentication & 802.1X based authentication.

So you will see two authentication frames (req/res) prior to association req/res frames. Refer below post for some details.

https://mrncciew.com/2014/08/19/cwsp-legacy-802-11-securiry/

Once this finished, then user authentication starts.

HTH

Rasika

*** Pls rate all useful responses ***

MUQ_1899_
Level 1
Level 1
In response to Rasika Nayanajith

‎01-07-2017 01:52 AM

So independent of the configured authentication PSK/802.1X user authentication always in first place we have open authentication then client association and then the final user authentication?

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to MUQ_1899_

‎01-07-2017 07:50 AM

Just to add to Rasika's comments...  Open auth with webauth (layer 3 auth) for example, clients need to get an ip prior to hitting a portal page, then the auth will happen. So anything that is not open and uses a layer 2 encryption will need to get auth first then if passed will get an ip and be placed on the network. 

-Scott 

*** Please rate helpful posts *** 

-Scott
*** Please rate helpful posts ***

MUQ_1899_
Level 1
Level 1
In response to Scott Fella

‎01-09-2017 10:52 AM

Scott, the screenshot that is attached in the first post is from an SSID configured with PSK. I see associated clients which are not authenticated. I bet that these are someones that have tried to connect but the not know the shared secret. How is it possible to  be associated than?

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to MUQ_1899_

‎01-09-2017 11:09 AM

You first associate, means the device is trying to connect to that SSID, then you move to authenticated if you pass authentication.  You will see this also with Webauth where devices connect automatically but need user intervention to hit accessory or enter credentials.

-Scott 

*** Please rate helpful posts *** 

-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card