Understanding IEEE* 802.11 Authentication and Association
|Note||The following information is intended for the home or small-office user. Concepts discussed do not consider large network environments with advanced network security.|
802.11 authentication is the first step in network attachment. 802.11 authentication requires a mobile device (station) to establish its identity with an Access Point (AP) or broadband wireless router. No data encryption or security is available at this stage.
The Institute of Electrical and Electronics Engineers, Inc.(IEEE) 802.11 standard defines two link-level types of authentication:
- Open System
- Shared Key
Open system authentication
Open system authentication consists of two communications:
- First, an authentication request is sent from the mobile device that contains the station ID (typically the MAC address).
- Next, an authentication response from the AP/router with a success or failure message.
Shared key authentication
With shared key authentication, a shared key, or passphrase, is manually set on both the mobile device and the AP/router. Several types of shared key authentication are available today for home or small office WLAN environments:
Wired Equivalent Privacy (WEP)
WEP is not recommended for a secure WLAN. The main security risk is hackers capturing the encrypted form of an authentication response frame, using widely available software applications, and using the information to crack WEP encryption.
Wi-Fi Protected Access (WPA)
WPA complies with the wireless security standard and strongly increases the level of data protection and access control (authentication) for a wireless network. WPA enforces IEEE 802.1X authentication and key-exchange and only works with dynamic encryption keys. Users may see different naming conventions for WPA in a home or small-office environment. Examples are WPA-Personal, WPA-PSK, WPA-Home. A common pre-shared key (PSK) must be manually configured on both the client and AP/router.
Wi-Fi Protected Access 2 (WPA2)
WPA2 is a security enhancement to WPA. Users must ensure the mobile device and AP/router are configured using the same WPA version and pre-shared key (PSK).
Once authentication is complete, mobile devices can associate (register) with an AP/router to gain full access to the network. Association allows the AP/router to record each mobile device so that frames are properly delivered. Association only occurs on wireless infrastructure networks, not in peer-peer mode. A station can only associate with one AP/router at a time.
- Mobile device authenticates to an AP/router and then sends an Association Request.
- AP/router processes the Association Request. AP/router vendors may have different implementations for deciding if a client request should be allowed.
- When an AP/router grants association, it responds with a status code of 0 (successful) and the Association ID (AID). The AID is used to identify the station for delivery of buffered frames when power-saving is enabled.
- Failed Association Requests include only a status code and the procedure ends.
- AP/router forwards frames to or from the mobile device.