Wireless Authentication Methods

This topic is to discuss the following lesson:

Hi Rene,
I just have a question about WEP. You explained before that it can support two authentication methods, 1) Open authentication and 2) Shared key authentication, so how can WEP support authentication methods while it itself has its own authentication method?
Also, what is the difference between a pre-shared key and a shared key?

Hello Michael

I understand your confusion, and I believe it is an issue with terminology. WEP is actually defined as a security algorithm that is used in the IEEE 802.11 standard wireless networks. This algorithm has several configuration parameters, one of which is the type of supported authentication. This simply refers to how the WEP algorithm is applied to a wireless communication.

The first, Open authentication, doesn’t require credentials, so any client within range can freely connect to an Open Authentication WEP access point. However, the actual data being transmitted is encrypted.

The second, shared key authentication, does require credentials, and so not “just anybody” can connect to the access point. The actual data being transmitted is still encrypted.

As for the shared and pre-shared key, the difference is as follows:

WEP uses a shared key, which means that every client uses the same key. It is shared among multiple users. A pre-shared key is simply a key that has been shared before the time of the actual authentication. This is the general definition of these terms. Of course, this does not prevent you from “pre-sharing” a shared key, but in the framework of WEP (shared) and WPA2 (pre-shared), this is the meaning.

I hope this has been helpful!

Laz
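As an added example (not part of Laz’s reply or the lesson), here are the two WEP authentication modes and the WPA2 “pre-shared key” derivation in Python. The WEP key, IVs and challenge bytes are constructed for illustration; there is no real access point involved. It also shows the textbook caveat a practitioner should know about Shared Key authentication: one sniffed challenge/response exchange gives the keystream for that IV, which is enough to pass a later authentication without the key, since WEP never rejects a reused IV.

```python
import hashlib
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 as used by WEP; the per-frame key is IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                           # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: cleartext 3-byte IV, then RC4(IV||key) over plaintext || CRC-32 ICV."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None when the ICV does not check out."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if zlib.crc32(plaintext).to_bytes(4, "little") == icv else None


def open_authentication(_station_key: bytes) -> bool:
    """Open System authentication: the AP accepts any station; the key is only used for data frames."""
    return True


def ap_verify(ap_key: bytes, challenge: bytes, response: bytes) -> bool:
    """AP side of Shared Key authentication: decrypt the response and compare with the challenge."""
    return wep_decrypt(ap_key, response) == challenge


def shared_key_authentication(ap_key: bytes, station_key: bytes):
    """Shared Key authentication: one challenge/response exchange, returned as an eavesdropper sees it."""
    challenge = os.urandom(128)                                  # AP -> STA: 128-byte challenge, in clear
    response = wep_encrypt(station_key, os.urandom(3), challenge)  # STA -> AP: challenge under its key
    return ap_verify(ap_key, challenge, response), challenge, response


def forge_response(seen_challenge: bytes, seen_response: bytes, new_challenge: bytes) -> bytes:
    """Well-known weakness: challenge XOR response reveals the keystream for that IV, and WEP
    never rejects a reused IV, so that keystream answers any later challenge without the key."""
    iv, body = seen_response[:3], seen_response[3:]
    seen_icv = zlib.crc32(seen_challenge).to_bytes(4, "little")
    keystream = bytes(a ^ b for a, b in zip(seen_challenge + seen_icv, body))
    new_icv = zlib.crc32(new_challenge).to_bytes(4, "little")   # CRC-32 is keyless: anyone can compute it
    return iv + bytes(a ^ b for a, b in zip(new_challenge + new_icv, keystream))


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal 'pre-shared key': the 256-bit PMK is derived from passphrase and SSID with
    PBKDF2-HMAC-SHA1 (4096 iterations) on both sides, before any authentication takes place."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                            # constructed 40-bit WEP key
    print("open auth, no key needed:", open_authentication(b""))
    ok, challenge, response = shared_key_authentication(key, key)
    print("shared key auth with the right key:", ok)
    print("shared key auth with the wrong key:", shared_key_authentication(key, b"\x00" * 5)[0])
    new_challenge = os.urandom(128)
    print("forged auth from one sniffed exchange, no key:",
          ap_verify(key, new_challenge, forge_response(challenge, response, new_challenge)))
    print("WPA2 PSK for passphrase 'password', SSID 'IEEE':", wpa2_psk("password", "IEEE").hex())
```

The WPA2 derivation is included to make Laz’s “pre-shared” point concrete: both the client and the AP compute the same PMK from the passphrase and SSID ahead of time, and the 4-way handshake then proves possession of it without ever sending the key, which is a different design from WEP’s challenge encrypted directly under the shared key.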

Thanks Lazaros, I got it.

Dear sir,

How do I enable a cert on my PC? I am unable to connect to the WiFi network since authentication has failed.

Please help .

Thank you

Regards,
Mani

Hello Mani

After doing some research, I have found that this error appears whenever a device attempts multiple failed authentications within a specified period of time. This makes the “Client suppression mechanism” of ISE kick in, which prevents DoS attacks. You can disable this feature in Administration > System > Settings > Radius, Suppress Anomalous Clients. You can also change settings such as how long a client should be blocked.

More info about this can be found at this Cisco community thread:

Now this is the reason for the blocking. But why did your device have multiple failed attempts? The reason outlined in the output above shows 12511 Unexpectedly received TLS alert message. This seems to be the case when you use a wildcard certificate where the CN contains * as a wildcard. You can find out more about this at the following Cisco community thread:


Cisco also has official documentation about this here:

Hopefully this information will help you in your troubleshooting process…

I hope this has been helpful!

Laz

Hi,

I am trying to find some reference that states EAP-FAST requires a RADIUS server. Most resources that I have seen online state ‘authentication server’ and haven’t explicitly stated RADIUS.

Hello Shashank

EAP-FAST can indeed be used with RADIUS and you can see how this can be achieved in the following Cisco documentation:

In it, it refers specifically to RADIUS as the authentication server. This is a typical setup, although other documentation that gives an overview of EAP-FAST as a technology does not refer specifically to RADIUS but states “authentication server”, as you said, much like what you will find in the following document:

Section 2.1 of RFC 4851, which describes EAP-FAST, speaks about the architectural model of the technology, and it references a RADIUS server as performing some of the authentication mechanisms in the event you use an external authenticator. Alternatively, you can use the AP itself as an authenticator.

So you see, RADIUS is used, although it is not the only option.

I hope this has been helpful!

Laz
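Added example, not from Laz’s reply or from any Cisco document: a minimal RADIUS exchange in Python showing how the AP, acting as the 802.1X authenticator, relays the supplicant’s EAP Response/Identity to the authentication server in an Access-Request, and how the server takes over the EAP conversation by answering with an EAP-FAST/Start request (EAP type 43) inside an Access-Challenge. The shared secret, identity, NAS address and Authority-ID value are constructed; the packet layout follows RFC 2865, RFC 3579 (Message-Authenticator) and RFC 4851 (EAP-FAST flags and A-ID TLV) as I read them.

```python
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80     # RFC 3579 (RADIUS support for EAP)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_FAST = 1, 43                  # EAP method type 43 = EAP-FAST (RFC 4851)

def eap(code: int, ident: int, eap_type: int, data: bytes) -> bytes:
    """EAP packet: Code | Identifier | Length | Type | Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type | Length | Value (Length includes the two header bytes)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def eap_message(packet: bytes) -> bytes:
    """Reassemble the EAP packet from the (possibly fragmented) EAP-Message attributes."""
    out, pos = b"", 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == ATTR_EAP_MESSAGE:
            out += packet[pos + 2:pos + length]
        pos += length
    return out

def _message_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """HMAC-MD5 over Code|ID|Length|Request Authenticator|Attributes with the MA value zeroed."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth
    return hmac.new(secret, header + attrs, hashlib.md5).digest()

def _zero_ma(attrs: bytes):
    """Return (attrs with Message-Authenticator zeroed, its original value), or (None, None)."""
    pos = 0
    while pos < len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            return attrs[:pos + 2] + bytes(16) + attrs[pos + 18:], attrs[pos + 2:pos + 18]
        pos += length
    return None, None

def access_request(ident, secret, eap_pkt, user_name, nas_ip) -> bytes:
    """AP (authenticator) -> RADIUS: relay the supplicant's EAP packet. Message-Authenticator is
    required with EAP-Message; without the shared secret nobody can inject or alter the EAP data."""
    request_auth = os.urandom(16)
    attrs = avp(ATTR_USER_NAME, user_name) + avp(ATTR_NAS_IP_ADDRESS, nas_ip)
    for off in range(0, len(eap_pkt), 253):               # each EAP-Message AVP carries <= 253 bytes
        attrs += avp(ATTR_EAP_MESSAGE, eap_pkt[off:off + 253])
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = _message_authenticator(RADIUS_ACCESS_REQUEST, ident, attrs, request_auth, secret)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    return header + attrs[:-16] + mac

def access_challenge(request: bytes, secret: bytes, eap_pkt: bytes) -> bytes:
    """RADIUS -> AP: next EAP request for the supplicant. Its Message-Authenticator is keyed on the
    Request Authenticator; the Response Authenticator is MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = b"".join(avp(ATTR_EAP_MESSAGE, eap_pkt[o:o + 253]) for o in range(0, len(eap_pkt), 253))
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = _message_authenticator(RADIUS_ACCESS_CHALLENGE, ident, attrs, request_auth, secret)
    attrs = attrs[:-16] + mac
    head = struct.pack("!BBH", RADIUS_ACCESS_CHALLENGE, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_packet(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check a request (request_auth is its own authenticator) or a reply to that request."""
    code, ident, attrs = packet[0], packet[1], packet[20:]
    zeroed, mac = _zero_ma(attrs)
    if mac is None:
        return False                                          # EAP without Message-Authenticator: reject
    if code != RADIUS_ACCESS_REQUEST:
        expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return False
    return hmac.compare_digest(_message_authenticator(code, ident, zeroed, request_auth, secret), mac)

def radius_server_handle(request: bytes, secret: bytes):
    """Authentication server: validate the relayed packet, then drive the EAP method itself. On EAP
    Response/Identity it sends EAP-FAST/Start (type 43, flags S=1 version 1, Authority-ID TLV type 4)."""
    if not verify_packet(request, request[4:20], secret):
        return None                                           # silently discarded, per RFC 3579
    msg = eap_message(request)
    if len(msg) < 5 or msg[0] != EAP_RESPONSE or msg[4] != EAP_TYPE_IDENTITY:
        return None
    a_id = b"example-eap-fast-authority"                      # constructed A-ID, not a real server's
    a_id_tlv = struct.pack("!HH", 0x8000 | 4, len(a_id)) + a_id   # mandatory bit | TLV type 4
    start = eap(EAP_REQUEST, (msg[1] + 1) & 0xFF, EAP_TYPE_FAST, bytes([0x21]) + a_id_tlv)
    return access_challenge(request, secret, start)

if __name__ == "__main__":
    secret, identity = b"constructed-shared-secret", b"michael@example.net"   # constructed values
    req = access_request(1, secret, eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity), identity, bytes([192, 0, 2, 10]))
    chal = radius_server_handle(req, secret)
    print("server replied with Access-Challenge:", chal is not None and chal[0] == RADIUS_ACCESS_CHALLENGE)
    print("AP verified the reply:", verify_packet(chal, req[4:20], secret))
    print("EAP type chosen by the server:", eap_message(chal)[4], "(43 = EAP-FAST)")
    print("request under the wrong secret is discarded:", radius_server_handle(req, b"wrong") is None)
```

The point the code makes about Shashank’s question: the AP never interprets EAP-FAST, it only copies EAP-Message attributes between EAPOL frames and RADIUS packets, so whatever speaks RADIUS on the other end is the “authentication server” the EAP-FAST documents talk about. The Message-Authenticator check is the part that matters operationally; a RADIUS server drops a request whose HMAC does not verify without any response, which is why a wrong shared secret on the AP looks like a silent timeout rather than a reject.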