Cisco Cisco Aironet 1522 Lightweight Outdoor Mesh Access Point

Page of 36
15
Mobile Access Router and Mesh Networks Design Guide
OL-11823-01
  Security
Figure 7
Open Authentication
Shared Key Authentication to the WMIC
Cisco provides shared key authentication to comply with the IEEE 802.11b and IEEE 802.11g standards. 
However, because of shared key's security flaws, we recommend that you use another method of 
authentication, such as EAP, in environments where security is an issue. During shared key 
authentication, the root device sends an unencrypted challenge text string to the client device that is 
attempting to communicate with the root device. The client device requesting authentication encrypts 
the challenge text and sends it back to the root device
Both the unencrypted challenge and the encrypted challenge can be monitored, which leaves the root 
device open to attack from an intruder who calculates the WEP key by comparing the unencrypted and 
encrypted text strings. 
 shows the authentication sequence between a device trying to 
authenticate and a bridge using shared key authentication. In this example the device's WEP key matches 
the bridge's key, so it can authenticate and communicate.
Figure 8
Sequence for Shared Key Authentication
EAP Authentication to the Network
This authentication type provides the highest level of security for your wireless network. By using the 
Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the root 
device helps the authenticating device and the RADIUS server perform mutual authentication and derive 
a dynamic session key, which is used by both the root and authenticating devices to further derive the 
unicast key. The root generates the broadcast key and sends it to the authenticating device after 
191187
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 321
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 123
1. Authentication request
1. Authentication response
191188
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 123
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 123
1. Authentication request
4. Authentication response
2. Unencrypted challenge
3. Encrypted challenge response