
Wireless Client Association and Authentication (Which one is first?)

Beacon Bits
Level 1

Hello,

 

I'm confused about which process a wireless client goes through first when it connects to an AP: authentication or association?

And what occurs in these two processes? What I know is that the 4-way handshake occurs in the association process and the EAP process (RADIUS) occurs in authentication.

I read somewhere that authentication occurs first and then association. Please correct me if I'm wrong.

So there is a possibility that a wireless client could be authenticated but stuck in the association process because of the 4-way handshake; please advise me whether this is correct.

Regards,

B

1 Reply

I think the confusion is around the initial two authentication frames. Even on an open SSID, the following frame exchange occurs:

1. Open System Authentication (Request)
2. Open System Authentication (Response)
3. Association Request
4. Association Response
5. Client sends DHCP Discover
6. Client receives DHCP Offer
7. Client sends DHCP Request
8. Client receives DHCP ACK

Refer to the post below for more details:

https://mrncciew.com/2014/10/15/wlc-client-debug-part-1/

 

If you implement security (WPA2-PSK or WPA2-Enterprise or 802.1X) on your SSID, then an additional frame exchange takes place prior to sending data traffic.

In WPA2-PSK, the traffic encryption keys are derived from the 4-way handshake process. So the frame exchange would be something like below:

https://mrncciew.com/2014/10/17/wlc-client-debug-part-2/

 

1. Open System Authentication (request initiated by client)
2. Open System Authentication (response by AP)
3. Association Request (sent by client)
4. Association Response (sent by AP)
5. 4-Way Handshake – EAPoL Key Exchange Message 1
6. 4-Way Handshake – EAPoL Key Exchange Message 2
7. 4-Way Handshake – EAPoL Key Exchange Message 3
8. 4-Way Handshake – EAPoL Key Exchange Message 4
9. DHCP Discover (sent by client to L2 broadcast)
10. DHCP Offer (sent by DHCP server)
11. DHCP Request (sent by client to L2 broadcast)
12. DHCP ACK (sent by DHCP server to client)

 

In WPA2-Enterprise (or 802.1X), after the initial association frames, the client needs to be authenticated against the authentication server. If the client fails in this step, then it is associated but not authenticated. This is the authentication phase we normally refer to (not the initial open auth frames).

Depending on the EAP type, there will be a number of frame exchanges before the client gets "EAP Success" or "EAP Reject". Below is a sample frame exchange in an EAP-PEAP process. Refer to the post below for more details:

https://mrncciew.com/2014/08/24/cwsp-eap-basics/

EAP-Flow.png

 

 

HTH

Rasika

*** Pls rate all useful responses ***
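
The frame orders listed in the reply above, turned into a small checker that reports which phases a client completed and where it stalled (for example, associated but not authenticated). This is an added example, not part of the original post or any Cisco tool; the frame names are constructed labels, and the 4-way handshake after EAP success on WPA2-Enterprise is standard 802.11 behaviour that the reply does not spell out.

```python
# Added example. Frame names are constructed labels for the frames listed in
# the reply; feed it an ordered list taken from a capture or client debug.
AUTH = ["auth_req", "auth_resp"]
ASSOC = ["assoc_req", "assoc_resp"]
FOUR_WAY = ["eapol_key_m1", "eapol_key_m2", "eapol_key_m3", "eapol_key_m4"]
DHCP = ["dhcp_discover", "dhcp_offer", "dhcp_request", "dhcp_ack"]


def phases_for(security):
    """Ordered (phase, required frames) for 'open', 'wpa2-psk' or 'wpa2-enterprise'."""
    if security not in ("open", "wpa2-psk", "wpa2-enterprise"):
        raise ValueError("unknown security type: %r" % security)
    phases = [("open system authentication", AUTH), ("association", ASSOC)]
    if security == "wpa2-enterprise":
        # The EAP frame count depends on the EAP type, so only the final
        # success frame is required; other eap_* frames are skipped over.
        phases.append(("802.1X/EAP authentication", ["eap_success"]))
    if security in ("wpa2-psk", "wpa2-enterprise"):
        # The reply lists the 4-way handshake for WPA2-PSK; on WPA2-Enterprise
        # it follows EAP success (assumption from the 802.11 standard).
        phases.append(("4-way handshake", FOUR_WAY))
    phases.append(("DHCP", DHCP))
    return phases


def diagnose(security, events):
    """Return (completed phases, phase where the client stalled or None)."""
    frames = iter(events)
    completed = []
    for phase, required in phases_for(security):
        in_eap = phase.startswith("802.1X")
        for want in required:
            for got in frames:
                if got == want:
                    break
                if in_eap and got.startswith("eap_") and got != "eap_failure":
                    continue  # intermediate EAP method frame
                return completed, phase  # EAP failure or out-of-order frame
            else:
                return completed, phase  # trace ended before this frame
        completed.append(phase)
    return completed, None
```

A result such as `(["open system authentication", "association"], "802.1X/EAP authentication")` is the "associated, but not authenticated" state the reply describes.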
