Cisco Cisco Aironet 1524 Lightweight Outdoor Mesh Access Point
15
Mobile Access Router and Mesh Networks Design Guide
OL-11823-01
Security
Figure 7
Open Authentication
Shared Key Authentication to the WMIC
Cisco provides shared key authentication to comply with the IEEE 802.11b and IEEE 802.11g standards.
However, because of shared key's security flaws, we recommend that you use another method of
authentication, such as EAP, in environments where security is an issue. During shared key
authentication, the root device sends an unencrypted challenge text string to the client device that is
attempting to communicate with the root device. The client device requesting authentication encrypts
the challenge text and sends it back to the root device
However, because of shared key's security flaws, we recommend that you use another method of
authentication, such as EAP, in environments where security is an issue. During shared key
authentication, the root device sends an unencrypted challenge text string to the client device that is
attempting to communicate with the root device. The client device requesting authentication encrypts
the challenge text and sends it back to the root device
Both the unencrypted challenge and the encrypted challenge can be monitored, which leaves the root
device open to attack from an intruder who calculates the WEP key by comparing the unencrypted and
encrypted text strings.
device open to attack from an intruder who calculates the WEP key by comparing the unencrypted and
encrypted text strings.
shows the authentication sequence between a device trying to
authenticate and a bridge using shared key authentication. In this example the device's WEP key matches
the bridge's key, so it can authenticate and communicate.
the bridge's key, so it can authenticate and communicate.
Figure 8
Sequence for Shared Key Authentication
EAP Authentication to the Network
This authentication type provides the highest level of security for your wireless network. By using the
Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the root
device helps the authenticating device and the RADIUS server perform mutual authentication and derive
a dynamic session key, which is used by both the root and authenticating devices to further derive the
unicast key. The root generates the broadcast key and sends it to the authenticating device after
Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the root
device helps the authenticating device and the RADIUS server perform mutual authentication and derive
a dynamic session key, which is used by both the root and authenticating devices to further derive the
unicast key. The root generates the broadcast key and sends it to the authenticating device after
191187
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 321
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 123
1. Authentication request
1. Authentication response
191188
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 123
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 123
1. Authentication request
4. Authentication response
2. Unencrypted challenge
3. Encrypted challenge response