Chapter 4 Security Setup
Security Overview
4-8
Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-03
During shared key authentication, the access point sends an unencrypted
challenge text string to any device attempting to communicate with the access
point. The device requesting authentication encrypts the challenge text and
sends it back to the access point. If the challenge text is encrypted correctly,
the access point allows the requesting device to authenticate. Both the
unencrypted challenge and the encrypted challenge can be monitored,
however, which leaves the access point open to attack from an intruder who
calculates the WEP key by comparing the unencrypted and encrypted text
strings. Because of this weakness, shared key authentication can be less
secure than open authentication. Like open authentication, shared key
authentication does not rely on a RADIUS server on your network.
Figure 4-5 shows the authentication sequence between a device trying to
authenticate and an access point using shared key authentication. In this
example the device’s WEP key matches the access point’s key, so it can
authenticate and communicate.
Figure 4-5 Sequence for Shared Key Authentication
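The weakness described above can be seen in a short added example (not part of the Cisco guide): because WEP is an RC4 stream cipher, XORing the monitored unencrypted challenge with the monitored encrypted response yields the RC4 keystream for that IV without any knowledge of the key. The key, IV, and the simplified frame layout (challenge plus CRC-32 ICV only) are constructed for illustration.

```python
import os
import struct
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for the given seed."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: RC4 seeded with IV || key, applied to plaintext || CRC-32 ICV."""
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return xor(body, rc4_keystream(iv + key, len(body)))


def ap_accepts(key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """The access point checks the encrypted challenge against its own key."""
    return response == wep_encrypt(key, iv, challenge)


def observed_keystream(challenge: bytes, response: bytes) -> bytes:
    """What a passive monitor derives from the two strings, without the key."""
    return xor(challenge, response[:len(challenge)])


# Constructed sample values (assumptions, not taken from the guide).
KEY = bytes.fromhex("0102030405")           # 40-bit WEP key held by both sides
IV = bytes.fromhex("a1b2c3")                # travels in the clear with the response
CHALLENGE = os.urandom(128)                 # unencrypted challenge text
RESPONSE = wep_encrypt(KEY, IV, CHALLENGE)  # encrypted challenge response
```

Open authentication never puts a matching plaintext and ciphertext pair on the air during authentication, which is why the guide rates shared key authentication as potentially less secure.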
Combining MAC-Based, EAP, and Open Authentication
You can set up the access point to authenticate client devices using a combination
of MAC-based and EAP authentication. When you enable this feature, client
devices that associate to the access point using 802.11 open authentication first
attempt MAC authentication; if MAC authentication succeeds, the client device
joins the network. If MAC authentication fails, the access point waits for the client
device to attempt EAP authentication. See the “Authenticating Client Devices
Using MAC Addresses or EAP” section on page 4-34 for more information on this
feature.
[Figure 4-5 diagram: an access point or bridge with WEP key = 123 and a client device with WEP key = 123 exchange four messages: 1. Authentication request, 2. Unencrypted challenge, 3. Encrypted challenge response, 4. Authentication response.]