05-24-2018 01:41 AM - edited 07-05-2021 08:39 AM
Hello,
I'm confused about which process happens first when a wireless client connects to an AP: Authentication or Association?
And what occurs in these two processes? What I know is that the 4-way handshake occurs in the Association process and the EAP process (RADIUS) occurs in Authentication.
I read somewhere that Authentication occurs first and then Association. Please correct me if I'm wrong.
So there is a possibility that a wireless client could be authenticated but stuck in the association process because of the 4-way handshake; please advise me whether this is correct.
Regards,
B
05-24-2018 02:17 AM
I think the confusion is around the initial two authentication frames. Even on an open SSID, the following frame exchange occurs:
1. Open System Authentication (Request)
2. Open System Authentication (Response)
3. Association Request
4. Association Response
5. Client send DHCP Discovery
6. Client receive DHCP Offer
7. Client send DHCP Request
8. Client receive DHCP ACK
Refer below for more details
https://mrncciew.com/2014/10/15/wlc-client-debug-part-1/
Then, if you implement security (WPA2-PSK or WPA2-Enterprise/802.1X) on your SSID, an additional frame exchange takes place before data traffic can be sent.
In WPA2-PSK, the traffic encryption keys are derived from the 4-way handshake process, so the frame exchange would be something like below:
https://mrncciew.com/2014/10/17/wlc-client-debug-part-2/
1. Open System Authentication (Request, initiated by client)
2. Open System Authentication (Response by AP)
3. Association Request (sent by client)
4. Association Response (sent by AP)
5. 4-Way Handshake – EAPoL Key Exchange Message 1
6. 4-Way Handshake – EAPoL Key Exchange Message 2
7. 4-Way Handshake – EAPoL Key Exchange Message 3
8. 4-Way Handshake – EAPoL Key Exchange Message 4
9. DHCP Discover (sent by client to L2 broadcast)
10. DHCP Offer (sent by DHCP server)
11. DHCP Request (sent by client to L2 broadcast)
12. DHCP ACK (sent by DHCP server to client)
In WPA2-Enterprise (or 802.1X), after the initial association frames, the client needs to authenticate against the Authentication Server; if the client fails at this step, then it is associated but not authenticated. This is the authentication phase we normally refer to (not those initial open auth frames).
Depending on the EAP type, there will be a number of frame exchanges before the client gets an "EAP Success" or "EAP Reject". Below is a sample frame exchange in an EAP-PEAP process. Refer to the post below for more details:
https://mrncciew.com/2014/08/24/cwsp-eap-basics/
HTH
Rasika
*** Pls rate all useful responses ***
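To make the sequencing in the answer above concrete, here is an added example (not part of the original thread, and not Cisco or mrncciew code) that simulates both sides of WPA2-PSK 4-way handshake messages 1 and 2, the step that runs only after Open System authentication and association have already completed. The AP sends ANonce in M1, the station derives the PTK and returns SNonce plus a MIC in M2, and the AP derives its own PTK and checks that MIC; a client with the wrong passphrase is therefore fully associated and fails here, which is where a real AP would deauthenticate it. Assumptions made for the example: CCMP pairwise cipher (48-byte PTK), AKM 00-0F-AC:2 (MIC is HMAC-SHA1 truncated to 128 bits), empty M2 key data (a real M2 carries the RSN IE), and constructed MAC addresses. The PMK derivation is checked against the passphrase "password" / SSID "IEEE" test vector from the IEEE 802.11 standard.

```python
"""Simulated WPA2-PSK 4-way handshake, messages 1 and 2 (added example, not from the original post).

Models the exchange that follows a successful Open System authentication and association:
AP -> STA M1 (ANonce); STA derives PTK, STA -> AP M2 (SNonce + MIC); AP derives PTK, verifies MIC.
Assumptions: CCMP pairwise cipher (PTK = 48 bytes), AKM 00-0F-AC:2 (MIC = HMAC-SHA1-128),
M2 key data left empty (a real M2 carries the RSN IE).
"""
import hashlib
import hmac
import os
import struct

NONCE_OFFSET = 4 + 1 + 2 + 2 + 8                   # EAPOL hdr + descriptor type, Key Info, Key Length, Replay Counter = 17
MIC_OFFSET = NONCE_OFFSET + 32 + 16 + 8 + 8        # + Key Nonce, Key IV, Key RSC, Key ID = 81


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (= PSK) per IEEE 802.11: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(ANonce,SNonce)).
    Layout: KCK = PTK[0:16] (MIC key), KEK = PTK[16:32] (wraps key data), TK = PTK[32:48] (CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def build_eapol_key(key_info: int, replay: int, nonce: bytes, key_data: bytes = b"",
                    mic: bytes = bytes(16)) -> bytes:
    """EAPOL frame (version 1, type 3 = EAPOL-Key) carrying an RSN Key Descriptor (type 2)."""
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay)   # descriptor type, Key Info, Key Length (CCMP = 16), Replay Counter
            + nonce + bytes(16) + bytes(8) + bytes(8)       # Key Nonce, Key IV, Key RSC, Key ID (zero/reserved here)
            + mic + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 1, 3, len(body)) + body


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC = first 128 bits of HMAC-SHA1(KCK, whole EAPOL frame with the MIC field zeroed)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def run_psk_handshake(ap_passphrase, sta_passphrase, ssid, aa, spa, anonce=None, snonce=None):
    """Run M1 and M2 between a simulated AP (authenticator) and station (supplicant).
    Returns (mic_ok, sta_ptk, ap_ptk); mic_ok False is what precedes the AP's deauthentication in practice."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # AP -> STA, M1: Key Info 0x008A = Pairwise | Ack | descriptor version 2 (HMAC-SHA1 MIC / AES key wrap)
    m1 = build_eapol_key(0x008A, 1, anonce)
    # STA: derive PTK from its own passphrase and the ANonce just received in M1
    sta_ptk = derive_ptk(derive_pmk(sta_passphrase, ssid), aa, spa, m1[NONCE_OFFSET:NONCE_OFFSET + 32], snonce)
    # STA -> AP, M2: Key Info 0x010A = Pairwise | MIC | version 2; MIC computed with the STA's KCK
    m2 = build_eapol_key(0x010A, 1, snonce)
    m2 = build_eapol_key(0x010A, 1, snonce, mic=compute_mic(sta_ptk[:16], m2))
    # AP: derive its PTK from the SNonce in M2 and verify the MIC; PTKs match only if both PMKs match
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid), aa, spa, anonce, m2[NONCE_OFFSET:NONCE_OFFSET + 32])
    mic_ok = hmac.compare_digest(compute_mic(ap_ptk[:16], m2), m2[MIC_OFFSET:MIC_OFFSET + 16])
    return mic_ok, sta_ptk, ap_ptk


if __name__ == "__main__":
    # Constructed sample MAC addresses (BSSID and station); any two distinct values work
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    for sta_pw in ("password", "Passw0rd"):
        ok, _, _ = run_psk_handshake("password", sta_pw, "IEEE", aa, spa)
        outcome = "valid, continue to M3/M4" if ok else "invalid, AP deauthenticates"
        print(f"STA passphrase {sta_pw!r}: already associated, M2 MIC {outcome}")
```

Running it shows the point of the answer: both stations get through Open System authentication and association unchanged; only the M2 MIC check tells the AP whether the station's PMK matches, and a station that fails it is "associated but never reaches the 4-way-handshake-complete state".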