Chapter 6 Configuring Authentication Types

Understand Authentication Types

Figure 6-1 Sequence for Open Authentication

[Figure: access point or bridge and client device with mismatched WEP keys (123 and 321). Sequence: 1. Authentication request; 2. Authentication response; 3. Association request; 4. Association response; 5. WEP data frame to wired network; 6. Key mismatch, frame discarded.]

Shared Key Authentication to Access Point

Cisco provides shared key authentication to comply with the IEEE 802.11b standard. However, because of shared key’s security flaws, Cisco recommends that you avoid using it.

During shared key authentication, the access point sends an unencrypted challenge text string to any device attempting to communicate with the access point. The device requesting authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the access point allows the requesting device to authenticate. Both the unencrypted challenge and the encrypted challenge can be monitored, however, which leaves the access point open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings. Because of this weakness, shared key authentication can be less secure than open authentication. Like open authentication, shared key authentication does not rely on a RADIUS server on your network.
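The exchange described above, as an added example that is not part of the Cisco guide: it plays the challenge and response with a constructed key and IV and shows that XORing the cleartext challenge with the encrypted response yields the RC4 keystream for that IV, with no knowledge of the key. It assumes a simplified frame body (challenge text plus CRC-32 ICV only); the function names are hypothetical.

```python
import os
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP body: RC4(IV || key) XOR (data || CRC-32 ICV)."""
    plain = data + zlib.crc32(data).to_bytes(4, "little")
    return xor(plain, rc4_keystream(iv + wep_key, len(plain)))

def ap_accepts(wep_key, iv, challenge, response) -> bool:
    """Access point side: decrypt the response, compare with the challenge."""
    plain = xor(response, rc4_keystream(iv + wep_key, len(response)))
    data, icv = plain[:-4], plain[-4:]
    return data == challenge and icv == zlib.crc32(data).to_bytes(4, "little")

def observer_learns(challenge: bytes, response: bytes) -> bytes:
    """Passive observer: cleartext challenge XOR encrypted response."""
    return xor(challenge, response)

def demo():
    wep_key = bytes.fromhex("0102030405")  # constructed 40-bit key
    iv = bytes.fromhex("a1b2c3")           # constructed 24-bit IV, sent in clear
    challenge = os.urandom(128)            # access point -> client, unencrypted
    response = wep_encrypt(wep_key, iv, challenge)  # client -> access point
    leaked = observer_learns(challenge, response)
    real = rc4_keystream(iv + wep_key, 128)
    return ap_accepts(wep_key, iv, challenge, response), leaked, real

if __name__ == "__main__":
    ok, leaked, real = demo()
    print("AP accepts:", ok, "| keystream exposed without key:", leaked == real)
```
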

Figure 6-2 shows the authentication sequence between a device trying to authenticate and an access point using shared key authentication. In this example the device’s WEP key matches the access point’s key, so it can authenticate and communicate.

Figure 6-2 Sequence for Shared Key Authentication

[Figure: labels recovered from the diagram: wired LAN; client device; access point or bridge; server. Sequence: 1. Authentication request; 2. Authentication success; 3. Association request; 4. Association response (block traffic from client); 5. Authentication request; 6. Success; 7. Access point or bridge unblocks traffic from client.]

Cisco Wireless ISR and HWIC Access Point Configuration Guide

 

OL-6415-04
