CWNA Summary Notes: Legacy 802.11 Security | Legacy Authentication

Legacy Authentication

Legacy authentication methods were more of an authentication of capability (verification between two devices that they were valid 802.11 devices) and not so much an authentication of user identity.

They are of two types:

Open System Authentication

It provides authentication without performing any form of user verification.

It involved a 2-way exchange between the client and the AP:

  • Client sent an Authentication Request
  • AP replied with an Authentication Response

Every client got authenticated and authorized into the network after association.

This included an option to use static WEP for data frame encryption after association.

Lab – Open System Authentication without WEP

The aim of this lab is to study the packet exchange that occurs between an access point and a client when using Legacy Open System Authentication method.

In this lab, I set my ASUS router (AsustekC) and my desktop (IntelCor) to allow for open system authentication and used Wireshark to capture communication between them.


Below is the whole conversation captured in Wireshark.


We should see 4 frames exchanged between the AP and the client.

Authentication Request frame

The Authentication Request is sent by the station (laptop) to the AP (Asus Router). The frame subtype is 1011, which indicates an Authentication frame. The authentication sequence number 1 indicates that it is a request.


Authentication Response frame

The router replies with an Authentication Response. The frame subtype is 1011, which indicates an Authentication frame. The authentication sequence number 2 indicates that it is a response.


Association Request frame

The Association Request is sent by a station (IntelCor) to associate to a BSS (CaptainSugar). The frame subtype is 0000, which indicates an Association Request frame.


The client also sends its capabilities to the router. It is associating to a BSS named CaptainSugar. The client supports rates from 1, 2 up to 54 Mbps.


The client also sends its capabilities for 802.11n and other vendor-specific information.


Association Response frame

In response to an Association Request, the router sends an Association Response frame. The frame subtype is 0001, which indicates an Association Response frame. We can see that the client has successfully associated.


The AP also sends its capabilities and vendor-specific parameters.


At this point, the client can now freely use the network.

Shared Key Authentication

It used WEP to authenticate clients. The static key had to be configured on both the AP and client stations.

It involved a 4-way exchange between the client and the AP:

  • Client sent an Authentication Request
  • AP replied with a clear-text challenge in the Authentication Response
  • Client encrypted the clear-text challenge using the static shared key and sent it back to the AP in an Authentication Request
  • AP decrypted the message and compared it with the challenge that it had sent. It then sent an authentication frame containing a success/failure message.

If the keys did not match, authentication would not work.

The same static key would be used to encrypt the data after successful authentication.

This method is not recommended at all as it can be compromised by capturing the WEP key.
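
The fields read off in Wireshark in the lab above (frame subtype, authentication sequence number) can also be decoded directly from the raw frame bytes. The following is an added example, not part of the original notes; it goes beyond the Open System capture by also labelling the Shared Key steps. The sample frames and MAC addresses are constructed, and `parse_mgmt_frame` and `build_frame` are hypothetical helper names.

```python
import struct

# Management subtypes and authentication algorithms named in the notes.
SUBTYPES = {0b0000: "Association Request", 0b0001: "Association Response",
            0b1011: "Authentication"}
ALGORITHMS = {0: "Open System", 1: "Shared Key"}
# Meaning of the authentication sequence number for each algorithm.
STEPS = {(0, 1): "request", (0, 2): "response",
         (1, 1): "request", (1, 2): "clear-text challenge",
         (1, 4): "success/failure result"}


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode a raw 802.11 management frame (no radiotap header, no FCS)."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if version != 0 or ftype != 0:
        raise ValueError("not a management frame")
    info = {"subtype": format(subtype, "04b"),
            "name": SUBTYPES.get(subtype, "other"),
            "protected": bool(frame[1] & 0x40)}
    if subtype != 0b1011:
        return info
    if info["protected"]:
        # Step 3 of Shared Key is WEP-encrypted, so its fixed fields are
        # ciphertext and cannot be read without the key.
        info.update(algorithm="Shared Key", step="encrypted challenge")
        return info
    if len(frame) < 30:
        raise ValueError("authentication body truncated")
    algo, seq, status = struct.unpack_from("<HHH", frame, 24)
    info.update(algorithm=ALGORITHMS.get(algo, f"unknown ({algo})"),
                sequence=seq, step=STEPS.get((algo, seq), "unexpected"),
                success=(status == 0))
    return info


def build_frame(fc0: int, body: bytes = b"", flags: int = 0) -> bytes:
    """Constructed sample frame with made-up locally administered MACs."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    return bytes([fc0, flags]) + b"\x00\x00" + ap + sta + ap + b"\x00\x00" + body


if __name__ == "__main__":
    # Constructed frames: Open System request/response, association
    # request/response, then a Shared Key challenge (element ID 16).
    for body in (b"\x00\x00\x01\x00\x00\x00", b"\x00\x00\x02\x00\x00\x00"):
        print(parse_mgmt_frame(build_frame(0xB0, body)))
    print(parse_mgmt_frame(build_frame(0x00)), parse_mgmt_frame(build_frame(0x10)))
    print(parse_mgmt_frame(build_frame(0xB0, b"\x01\x00\x02\x00\x00\x00\x10\x04test")))
```

On a monitored network, any Authentication frame reporting the Shared Key algorithm, or carrying the Protected bit, shows that legacy WEP-based authentication is still enabled.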


