Chapter 6 Configuring Authentication Types

Understand Authentication Types

Understand Authentication Types

This section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure for the access point. If you want to serve different types of client devices with the same access point, you can configure multiple SSIDs. See Chapter 3, “Configuring Multiple SSIDs,” for complete instructions on configuring multiple SSIDs.

Before a wireless client device can communicate on your network through the access point, it must authenticate to the access point using open or shared-key authentication. For maximum security, client devices should also authenticate to your network using MAC-address or EAP authentication, authentication types that rely on an authentication server on your network.

Note By default, the access point sends reauthentication requests to the authentication server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-typelogin-onlyglobal configuration command to set the service-type attribute in reauthentication requests to login-only.

The access point uses several authentication mechanisms or types and can use more than one at the same time. These sections explain each authentication type:

Open Authentication to Access Point, page 6-2

Shared Key Authentication to Access Point, page 6-3

EAP Authentication to Network, page 6-4

MAC Address Authentication to the Network, page 6-5

Combining MAC-Based, EAP, and Open Authentication, page 6-6

Using WPA Key Management, page 6-6

Using WPA Key Management, page 6-6

Open Authentication to Access Point

Open authentication allows any device to authenticate and then attempt to communicate with the access point. Using open authentication, any wireless device can authenticate with the access point, but the device can communicate only if its WEP keys match the access point’s. Devices not using WEP do not attempt to authenticate with an access point that is using WEP. Open authentication does not rely on a RADIUS server on your network.

Figure 6-1shows the authentication sequence between a device trying to authenticate and an access point using open authentication. In this example, the device’s WEP key does not match the access point’s key, so it can authenticate but not pass data.

Cisco Wireless ISR and HWIC Access Point Configuration Guide

6-2

OL-6415-04

 

 

Page 90
Image 90
Cisco Systems OL-6415-04 manual Understand Authentication Types, Open Authentication to Access Point