8-6
Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
Chapter 8 Security Setup
Security Overview
Figure 8-4 Sequence for Open Authentication
Shared key: Cisco provides shared key authentication to comply with the IEEE 802.11b standard.
However, because of shared key's security flaws, we recommend that you avoid using it.
During shared key authentication, the access point sends an unencrypted challenge text string to any
device attempting to communicate with the access point. The device requesting authentication
encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted
correctly, the access point allows the requesting device to authenticate. Both the unencrypted
challenge and the encrypted challenge can be monitored, however, which leaves the access point
open to attack from an intruder who calculates the WEP key by comparing the unencrypted and
encrypted text strings. Because of this weakness, shared key authentication can be less secure than
open authentication. Like open authentication, shared key authentication does not rely on a RADIUS
server on your network.
Figure 8-5 shows the authentication sequence between a device trying to authenticate and an access
point using shared key authentication. In this example the device's WEP key matches the access
point's key, so it can authenticate and communicate.
Figure 8-5 Sequence for Shared Key Authentication
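The shared key exchange described above, as an added Python example (not Cisco's code): a simplified model that WEP-encrypts only the challenge text plus its CRC-32 ICV, using a hand-written RC4 and a constructed 40-bit key. It runs both sides of the sequence and shows what a monitor of steps 2 and 3 obtains without knowing the key, namely the RC4 keystream for that IV.

```python
import os
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP body: (data || CRC-32 ICV) XOR RC4(IV || key)."""
    body = data + struct.pack("<I", zlib.crc32(data))
    return xor(body, rc4(iv + wep_key, len(body)))

def ap_verify(wep_key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    body = xor(response, rc4(iv + wep_key, len(response)))
    data, icv = body[:-4], body[-4:]
    return data == challenge and icv == struct.pack("<I", zlib.crc32(data))

def shared_key_exchange(ap_key: bytes, client_key: bytes):
    """Steps 2-4 of the sequence. Returns (accepted, frames visible on air)."""
    challenge = os.urandom(128)                # step 2: sent unencrypted
    iv = os.urandom(3)                         # the IV travels in clear too
    response = wep_encrypt(client_key, iv, challenge)        # step 3
    accepted = ap_verify(ap_key, iv, challenge, response)    # step 4
    return accepted, {"challenge": challenge, "iv": iv, "response": response}

def observed_keystream(frames: dict) -> bytes:
    """What a passive monitor derives: challenge XOR encrypted challenge."""
    return xor(frames["challenge"], frames["response"])

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    ok, air = shared_key_exchange(key, key)
    leaked = observed_keystream(air)
    print("authenticated:", ok)
    print("keystream exposed:", leaked == rc4(air["iv"] + key, len(leaked)))
```

Open authentication never puts a known plaintext and its ciphertext on the air together, which is why the guide ranks shared key authentication below it.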
Combining MAC-Based, EAP, and Open Authentication
You can set up the access point to authenticate client devices using a combination of MAC-based and
EAP authentication. When you enable this feature, client devices that associate to the access point using
802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client
device joins the network. If MAC authentication fails, the access point waits for the client device to
attempt EAP authentication. See the "Authenticating Client Devices Using MAC Addresses or EAP"
section on page 8-25 for more information on this feature.
[Figure 8-4 diagram: access point or bridge with WEP key = 123; client device with WEP key = 321. Sequence: 1. Authentication request, 2. Authentication response.]
[Figure 8-5 diagram: access point or bridge with WEP key = 123; client device with WEP key = 123. Sequence: 1. Authentication request, 2. Unencrypted challenge, 3. Encrypted challenge response, 4. Authentication response.]