Could you please explain IEEE* 802.11 Authentication vs. Association?

Note The following has been developed with the home or small-office user in mind. Concepts discussed do not take into account large network environments with advanced network security by means of authentication servers and EAP methods.

Authentication

IEEE 802.11 Authentication is not to be confused with IEEE 802.1X link-layer network authentication of users. 802.11 Authentication and Association occur at the Access Point (AP) or broadband wireless router level prior to any upper layer authentication (802.1X), which takes advantage of special "back-end" servers to identify individual users based on various credential types.

802.11 Authentication: Requires that a station (mobile device) establish its identity before sending frames. This process occurs every time a station connects to a network but does not provide any measure of network security. 802.11 authentication is simply the first step in a handshake process for network attachment that is not mutual, meaning only the AP authenticates the station and not vice versa. One should also note there is no data encryption at this level.

An end station must authenticate before associating with an Access Point (AP), or broadband wireless router, and gaining access to the Wireless Local Area Network (WLAN). The IEEE* (Institute of Electrical and Electronics Engineers, Inc.) 802.11 standard defines two link-level types of authentication: Open System and Shared Key.

Open System Authentication
Open system authentication simply consists of two communications. The first is an authentication request by the client that contains the station ID (typically the MAC address). This is followed by an authentication response from the AP/router containing a success or failure message. An example of when a failure may occur is if the client's MAC address is explicitly excluded in the AP/router configuration.

Shared Key Authentication
Shared key authentication relies on the fact that both stations taking part in the authentication process have the same "shared" key or passphrase. The shared key is manually set on both the client station and the AP/router. Three types of shared key authentication are available today for home or small office WLAN environments.

Wired Equivalent Privacy (WEP)*
WEP is not recommended for a secure WLAN due to its inherent weaknesses. One of the main security risks is that an attacker can capture the encrypted form of an authentication response frame, using widely available software applications, and use that information to crack the WEP encryption. The process consists of an authentication request from the client, clear challenge text from the AP/router, encrypted challenge text from the client, and an authentication response from the AP/router. Two WEP key/passphrase lengths are available:

  1. 64-bit: 40 bits dedicated to encryption and 24 bits allocated to Initialization Vector (IV). It may also be referred to as 40-bit WEP.
  2. 128-bit: 104 bits dedicated to encryption and 24 bits allocated to Initialization Vector (IV). It may also be referred to as 104-bit WEP.
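As an added illustration (not Intel's code), the following Python models both link-level exchanges described above: the two-frame Open System check with the MAC-exclusion failure case, and the four-frame Shared Key (WEP) challenge/response, including the keystream exposure that is the reason WEP is not recommended. Frame bodies are simplified dictionaries, and the RC4 keystream is replaced by a constructed fixed byte string.

```python
# Added example (not Intel's code): models the two link-level authentication
# exchanges described above. Frame bodies are simplified dictionaries, and the
# RC4 keystream WEP derives from the shared key is a constructed byte string.
from __future__ import annotations
from dataclasses import dataclass, field

OPEN_SYSTEM, SHARED_KEY = 0, 1             # Authentication Algorithm Number values
STATUS_SUCCESS, STATUS_FAILURE = 0, 1      # Status Code: 0 = success, 1 = unspecified failure

KEYSTREAM = bytes(range(0x10, 0x10 + 128))  # constructed stand-in for the WEP keystream

def xor(data: bytes, ks: bytes) -> bytes:
    """Stream-cipher encryption/decryption: byte-wise XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, ks))

@dataclass
class AccessPoint:
    denied_macs: set[str] = field(default_factory=set)   # explicit MAC exclusions
    challenge: bytes = b"constructed challenge text".ljust(128, b"C")
    authenticated: set[str] = field(default_factory=set)

    def open_system(self, mac: str) -> dict:
        """Frame 2 of Open System: accept unless the station's MAC is excluded."""
        status = STATUS_FAILURE if mac in self.denied_macs else STATUS_SUCCESS
        if status == STATUS_SUCCESS:
            self.authenticated.add(mac)
        return {"algo": OPEN_SYSTEM, "seq": 2, "status": status}

    def shared_key_challenge(self) -> dict:
        """Frame 2 of Shared Key: the challenge text goes out in the clear."""
        return {"algo": SHARED_KEY, "seq": 2, "status": STATUS_SUCCESS,
                "challenge": self.challenge}

    def shared_key_verify(self, mac: str, encrypted_response: bytes) -> dict:
        """Frame 4: decrypt the client's frame 3 and compare with the challenge."""
        ok = xor(encrypted_response, KEYSTREAM) == self.challenge
        if ok:
            self.authenticated.add(mac)
        return {"algo": SHARED_KEY, "seq": 4,
                "status": STATUS_SUCCESS if ok else STATUS_FAILURE}

def client_shared_key_response(challenge: bytes) -> bytes:
    """Frame 3: the client returns the challenge encrypted under the shared key."""
    return xor(challenge, KEYSTREAM)

def keystream_exposed(frame2_challenge: bytes, frame3_response: bytes) -> bool:
    """The weakness the text refers to: anyone who captures frames 2 and 3 sees
    plaintext and ciphertext of the same bytes, and their XOR is the keystream."""
    return xor(frame2_challenge, frame3_response) == KEYSTREAM[:len(frame2_challenge)]
```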

Wi-Fi Protected Access (WPA)*
WPA was developed by the Wi-Fi Alliance* (WFA) prior to full ratification of IEEE 802.11i, but it complies with the wireless security standard. It is a security enhancement that strongly increases the level of data protection and access control (authentication) to a wireless network. WPA enforces IEEE 802.1X authentication and key-exchange and only works with dynamic encryption keys.

Users might see different naming conventions for WPA in a home or small-office environment. Examples are WPA-Personal, WPA-PSK, WPA-Home, etc. In any event, a common pre-shared key (PSK) must be manually configured on both the client and AP/router. 

Wi-Fi Protected Access 2 (WPA2)*
WPA2 is a security enhancement to WPA. The two are not interoperable so a user must ensure the client station and AP/router are configured using the same WPA version and pre-shared key (PSK).

Association

Once authentication has completed, stations can associate (register) with an AP/router to gain full access to the network. Association allows the AP/router to record each mobile device so that frames may be properly delivered. Association only occurs on wireless infrastructure networks, not in ad hoc (peer-to-peer) mode, and is logically analogous to plugging into a wired network. A station can only associate with one AP/router at a time.

Three-Step Association Process:
  1. After the mobile station authenticates to an AP/router, it sends an Association Request.
  2. The AP/router processes the Association Request. AP/router vendors may have different implementations for deciding whether or not a client request should be allowed. If the request is accepted, the AP/router grants association and responds with a status code of 0 (successful) and the Association ID (AID). The AID is used to identify the station for delivery of buffered frames when power-saving is enabled. Failed Association Requests include only a status code, and the procedure ends.
  3. AP/router forwards frames to/from the mobile station.
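As an added example (not Intel's code), the following Python encodes and decodes the fixed fields of an IEEE 802.11 Association Response frame body from step 2, and keeps a minimal AP-side association table that enforces the one-station, one-AID rule. It assumes the standard's field layout (Capability Information, Status Code and AID, each 2 octets, little-endian, with the two most significant AID bits set); the capability value 0x0411 and the MAC addresses are constructed sample data.

```python
# Added example (not Intel's code): Association Response fixed fields.
# Layout assumed from the 802.11 standard: Capability Information (2 octets),
# Status Code (2 octets), AID (2 octets), little-endian; the AP sets the two
# most significant bits of the AID field, so the station's AID is the low 14 bits.
from __future__ import annotations
import struct
from dataclasses import dataclass

STATUS_SUCCESS = 0
STATUS_FAILURE = 1            # unspecified failure
AID_MASK = 0x3FFF             # 14-bit AID value
AID_HIGH_BITS = 0xC000        # bits 14 and 15 are always set on a granted AID
SAMPLE_CAPABILITY = 0x0411    # constructed Capability Information value

@dataclass(frozen=True)
class AssocResponse:
    capability: int
    status: int
    aid: int | None           # None unless the association was granted (status 0)

def parse_assoc_response(body: bytes) -> AssocResponse:
    """Decode the three fixed fields; the AID is only meaningful on success."""
    if len(body) < 6:
        raise ValueError("Association Response body needs at least 6 octets")
    cap, status, aid_field = struct.unpack_from("<HHH", body, 0)
    aid = (aid_field & AID_MASK) if status == STATUS_SUCCESS else None
    return AssocResponse(cap, status, aid)

def build_assoc_response(capability: int, status: int, aid: int = 0) -> bytes:
    """AP side: encode the AID with its high bits set; refusals carry an AID field of 0."""
    aid_field = ((aid & AID_MASK) | AID_HIGH_BITS) if status == STATUS_SUCCESS else 0
    return struct.pack("<HHH", capability, status, aid_field)

class AssociationTable:
    """Minimal AP-side record of associated stations, keyed by MAC, for frame delivery."""
    def __init__(self) -> None:
        self._aid_by_mac: dict[str, int] = {}
        self._next_aid = 1

    def associate(self, mac: str, authenticated: bool) -> bytes:
        """Step 2: refuse stations that never authenticated; otherwise grant (or re-use) an AID."""
        if not authenticated:
            return build_assoc_response(SAMPLE_CAPABILITY, STATUS_FAILURE)
        if mac not in self._aid_by_mac:          # one AID per station, re-used on re-association
            self._aid_by_mac[mac] = self._next_aid
            self._next_aid += 1
        return build_assoc_response(SAMPLE_CAPABILITY, STATUS_SUCCESS, self._aid_by_mac[mac])

    def mac_for_aid(self, aid: int) -> str | None:
        """Step 3: look up which station a buffered frame belongs to."""
        return next((m for m, a in self._aid_by_mac.items() if a == aid), None)
```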

This applies to:
Intel® PRO/Wireless 2100 Network Connection
Intel® PRO/Wireless 2200BG Network Connection
Intel® PRO/Wireless 2915ABG Network Connection
Intel® PRO/Wireless 3945ABG Network Connection
Intel® WiFi Link 5100
Intel® WiFi Link 5300
Intel® WiMAX/WiFi Link 5350
Intel® Wireless WiFi Link 4965AGN

Solution ID: CS-025325
Date Created: 27-Dec-2006
Last Modified: 29-Sep-2008