Open Authentication

Open authentication is a simple exchange of messages. The choreography is shown in Figure 5-2.

Figure 5-2. Open System Authentication


The initiating STA (usually a WLAN client, a laptop, or a PDA) sends message 1 out to an AP. The AP goes through its internal processing and sends a reply, which is either a success or a failure with a reason code. The status code is relevant only for the reply from the AP.

Note

Open system authentication, in general, is a null authentication that typically enables any client to authenticate to an AP. However, the AP can impose policy decisions (for example, a load constraint) and refuse particular clients that attempt open authentication.
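The two-message exchange above can be audited from captured frames. The following added example (not from the original text) parses 802.11 authentication frames and pairs each request with the AP's reply; the field layout, algorithm numbers, and status codes are taken from the IEEE 802.11 standard rather than from this page, and the MAC addresses and sample frames are constructed.

```python
import struct

ALGORITHMS = {0: "open system", 1: "shared key"}
STATUS = {0: "successful", 1: "unspecified failure",
          13: "authentication algorithm not supported"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_auth(frame):
    """Return the fields of an authentication frame, or None if it is not one."""
    # 24-byte MAC header + 6-byte body; 0xB0 = management type, authentication subtype
    if len(frame) < 30 or (frame[0] & 0xFC) != 0xB0:
        return None
    algo, seq, status = struct.unpack_from("<HHH", frame, 24)
    return {"dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "seq": seq, "status": status,
            "algorithm": ALGORITHMS.get(algo, f"unknown ({algo})")}

def audit_open_auth(frames):
    """Pair message 1 (STA) with message 2 (AP) and report the AP's decision."""
    pending, results = set(), []
    for f in filter(None, map(parse_auth, frames)):
        if f["algorithm"] != "open system":
            continue
        if f["seq"] == 1:                       # request; status code not meaningful
            pending.add((f["src"], f["bssid"]))
        elif f["seq"] == 2 and (f["dst"], f["bssid"]) in pending:
            pending.discard((f["dst"], f["bssid"]))
            verdict = STATUS.get(f["status"], f"status {f['status']}")
            results.append((f["dst"], f["bssid"], verdict))
    return results

def build(dst, src, bssid, algo, seq, status):
    """Construct a sample authentication frame (test data only)."""
    header = b"\xb0\x00\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + struct.pack("<HHH", algo, seq, status)

# Constructed, locally administered addresses
AP, STA1, STA2 = (bytes.fromhex(h) for h in
                  ("020000aa0001", "020000000011", "020000000022"))
SAMPLE = [
    build(AP, STA1, AP, 0, 1, 0), build(STA1, AP, AP, 0, 2, 0),  # accepted
    build(AP, STA2, AP, 0, 1, 0), build(STA2, AP, AP, 0, 2, 1),  # refused by policy
]

if __name__ == "__main__":
    for sta, bssid, verdict in audit_open_auth(SAMPLE):
        print(f"{sta} -> {bssid}: {verdict}")
```

An AP that answers "successful" to every open system request is applying no authentication at all, which is the condition the trust model below describes.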


Trust Model and Assumptions

Open authentication provides no security because of the "open" nature of this protocol. The default is to trust all STAs that ask to be connected. The only security aspect is that the STAs should know the Service Set Identifier (SSID) of the AP. The AP's policy could base its access on the client's MAC address, too (not that this is secure either), so open authentication equates to no secure authentication or null authentication.

Supporting AAA Infrastructure

The open authentication method does not rely on, require, or use any AAA mechanisms; therefore, no AAA infrastructure is required.

Applications, Vulnerabilities, and Countermeasures

The open authentication method has no security whatsoever. If an STA can find and communicate with an AP, it will be allowed access. The advantage is simplicity and ease of use, precisely because no setup is required.

Open authentication is suitable for public WLANs, including the ones available in hotels, coffee shops, airport lounges, and conference halls. Usually, the users use IPSec/VPN solutions to connect to their corporate network; hence, the open authentication to an AP is perfectly appropriate as a connectivity mechanism.

If you use open authentication to connect to the Internet directly, you should also use a hardware or software firewall. In many installations, the APs that employ open authentication are located in the demilitarized zone (DMZ), so your computer is not fully secure against threats from the Internet. When you use a VPN solution, the VPNs usually filter out and disable local connections. So with a VPN connection, because all traffic is through the VPN, your computer is safe from the DMZ vulnerabilities.

Note

With a VPN, the traffic is protected, but the accessing PC is not. If the hacker compromises the PC, he can then do as he will via the IPSec VPN.


Auditing and Accounting

Special auditing and accounting capabilities are not required or provided by the open authentication method.

As previously discussed, public WLANs have a billing, accounting, and auditing infrastructure beyond the WLAN infrastructure. Often, a wireless service provider (WSP) offers this service. Usually, after the association with an AP, there are accounting servers to gather user credentials such as username and password, e-commerce servers to provide billing and payment services (usually by credit card), and proxies to audit the time. (The billing is usually based on elapsed time, say $10 for 24 hours.) The interface for these services is usually Web-based.

Note

It is important to distinguish between auditing and accounting requirements and motivations at the different layers of the protocol stack.

In the case of hotspots, the accounting/billing is achieved through higher layers (because mobility might come into play and the accounting is to remain whole as the session is transferred from one access point to another).

However, at Layer 2, there may be required auditing and other accounting to improve network management.