- 6.1 Capture, understand, and analyze BSS discovery and joining frame exchanges
- 6.2 Analyze roaming behavior and resolve problems related to roaming
- 6.3 Analyze data frame exchanges
- 6.4 Analyze HT/VHT-specific transmission methods
- 6.5 Analyze behavior and resolve problems related to MAC layer operations
6.1
6.1.1 BSS discovery
- Beacon Frames and BSS announcement
- Passive scanning searches for beacons
- Active scanning uses probes to find SSIDs
- State Machine
- The 802.11 state machine describes the STA's relationship to the BSS: State 1 unauthenticated/unassociated, State 2 authenticated/unassociated, State 3 authenticated/associated (newer revisions add State 4, RSNA keys established); joining a BSS walks the STA up through these states
- Sequence of frames
- Probe REQ
- Probe RES
- 802.11 Auth from station
- 802.11 Auth from AP
- Assoc REQ
- Assoc RES
- Open System Authentication (OSA) is the 802.11 authentication used with WPA2; it carries no credentials
- OSA is not a security method, it simply moves the STA into the authenticated state so that it may associate; the real authentication happens afterwards (802.1X/EAP or the PSK-based 4-way handshake)
- Probe REQ Frame
- Originates from a STA wanting to join
- Sent in one of 2 ways
- A preconfigured station sends probe requests for the networks it already knows, with the SSID in the SSID element
- A STA that heard a beacon sends a probe REQ with that beacon's SSID (a zero-length SSID element is a wildcard probe that every AP on the channel answers)
- Management frame (type 00), subtype 0100
- Normally a broadcast frame originating from the STA; it can also be directed at a specific BSSID
- The SA and TA are the transmitting STA
- DA and RA (and the BSSID field) are set to the broadcast address for a broadcast probe
- Probe RES Frame
- Unicast back to the STA that asked; carries the capabilities and basic rates the STA must support to join the BSS
- Same body as a beacon (timestamp, beacon interval, capability info, SSID, rates, RSNE, etc.) except that it does not contain
- TIM
- QoS Capability
- AP Channel Report
- FMS Descriptor element
- HCCA TXOP Update Count
- Will also contain any element the STA asked for via the Request element in its probe REQ
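The frames above are easiest to reason about with a decoder in hand. The following is an added example for these notes, not code from any analyzer or from the standard: it parses the 24-byte management header, the fixed fields of probe/beacon/authentication/association frames and the tagged information elements, and it constructs three sample frames (probe request, first authentication frame, association response) with made-up MAC addresses so it runs offline.

```python
"""Decoder for the management frames seen during BSS discovery and joining.

Added example for these notes (not from any vendor tool or the standard's
own code). It parses the 24-byte MAC header and the fixed fields of probe
request/response, beacon, authentication and association frames, then the
tagged information elements. The sample frames at the bottom are
constructed inline; the MAC addresses are made up.
"""
import struct

MGMT_SUBTYPES = {
    0: "assoc_req", 1: "assoc_resp", 2: "reassoc_req", 3: "reassoc_resp",
    4: "probe_req", 5: "probe_resp", 8: "beacon", 10: "disassoc",
    11: "auth", 12: "deauth", 13: "action",
}
AUTH_ALGS = {0: "open_system", 1: "shared_key", 2: "ft", 3: "sae"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_ies(body):
    """Tagged parameters: Element ID (1), Length (1), Value. Returns {id: [values]}."""
    ies = {}
    while len(body) >= 2:
        eid, length = body[0], body[1]
        value = body[2:2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(eid, []).append(value)
        body = body[2 + length:]
    return ies


def parse_mgmt(frame):
    """Return a dict describing one 802.11 management frame (FCS already stripped)."""
    if len(frame) < 24:
        raise ValueError("shorter than a management header")
    fc, _dur, a1, a2, a3, seq = struct.unpack("<HH6s6s6sH", frame[:24])
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    name = MGMT_SUBTYPES.get((fc >> 4) & 0xF, "reserved")
    # Management frames never set To/From DS, so Address 1 is DA/RA,
    # Address 2 is SA/TA and Address 3 is the BSSID.
    info = {"subtype": name, "da": mac_str(a1), "sa": mac_str(a2),
            "bssid": mac_str(a3), "seq": seq >> 4}
    body = frame[24:]
    if name in ("beacon", "probe_resp"):
        ts, bi, cap = struct.unpack("<QHH", body[:12])
        info.update(timestamp=ts, beacon_interval=bi, privacy=bool(cap & 0x10))
        body = body[12:]
    elif name == "auth":
        alg, txseq, status = struct.unpack("<HHH", body[:6])
        info.update(auth_alg=AUTH_ALGS.get(alg, alg), auth_seq=txseq, status=status)
        body = body[6:]
    elif name in ("assoc_resp", "reassoc_resp"):
        _cap, status, aid = struct.unpack("<HHH", body[:6])
        info.update(status=status, aid=aid & 0x3FFF)  # top two bits of the AID are always set
        body = body[6:]
    elif name == "assoc_req":
        _cap, listen = struct.unpack("<HH", body[:4])
        info.update(listen_interval=listen)
        body = body[4:]
    ies = parse_ies(body)
    if 0 in ies:  # SSID element; zero length means wildcard
        info["ssid"] = ies[0][0].decode("utf-8", "replace")
    info["rsn_present"] = 48 in ies  # RSNE, element ID 48
    return info


def build_mgmt(subtype, da, sa, bssid, body, seq=0):
    """Assemble a management frame; used only to construct the samples below."""
    header = struct.pack("<HH6s6s6sH", subtype << 4, 0, mac_bytes(da),
                         mac_bytes(sa), mac_bytes(bssid), seq << 4)
    return header + body


def ie(eid, value):
    return bytes([eid, len(value)]) + value


STA, AP = "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee"  # constructed addresses
SAMPLE_PROBE_REQ = build_mgmt(4, BROADCAST, STA, BROADCAST,
                              ie(0, b"CorpWiFi") + ie(1, bytes([0x82, 0x84, 0x8B, 0x96])))
SAMPLE_AUTH_1 = build_mgmt(11, AP, STA, AP, struct.pack("<HHH", 0, 1, 0))  # open system, seq 1
SAMPLE_ASSOC_RESP = build_mgmt(1, STA, AP, AP, struct.pack("<HHH", 0x0411, 0, 0xC001)
                               + ie(1, bytes([0x8C, 0x12, 0x98, 0x24])))

if __name__ == "__main__":
    for f in (SAMPLE_PROBE_REQ, SAMPLE_AUTH_1, SAMPLE_ASSOC_RESP):
        print(parse_mgmt(f))
```

Feed it the 802.11 frame bytes from a monitor-mode capture with the radiotap header removed; the address roles and the authentication sequence number / status code are exactly the fields to check first when a join fails.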
6.1.2 802.11 Authentication and Association (Open System authentication)
- Authentication Frame
- Operates at the link level between stations (management frame, subtype 1011)
- Two authentication messages are exchanged
- The STA generates the first of the two frames (authentication algorithm 0 = Open System, sequence number 1)
- STA MAC is SA and TA
- BSSID is DA and RA
- AP responds with its own unicast auth frame (sequence number 2) with the MACs reversed
- The status code in the second frame carries the authentication result (0 = success)
- Association Frame
- After passing Open System authentication the association request is sent from the STA
- Management frame (subtype 0000); the AP's association response is subtype 0001
- Transmitted at a basic (mandatory) rate of the BSS, typically the lowest one, as management frames generally are
- The DA and RA are set to the BSSID
- AP ACKs the request and then sends the association response
- If successful the response carries status 0 and the Association ID (AID) assigned to the STA
6.1.3 802.1X/EAP exchanges
- RSNA 802.1X involves
- Supplicant, usually the client/STA
- Authenticator, the AP/WLC
- Authentication server, ISE/RADIUS
- Capture location is important
- 2 capture points
- The first is between supplicant and authenticator
- The second is between authenticator and server
- The first is captured wirelessly (EAPOL frames) and the second on the wire (RADIUS)
- Begins with the authenticator sending an EAP-Request/Identity, or with the supplicant sending an EAPOL-Start frame to trigger it
- Supplicant receives the request for an identity
- Identity is provided in an EAP-Response/Identity
- Authenticator forwards the response to the auth server inside a RADIUS Access-Request (EAP-Message attribute)
- 802.1X EAP messages are sent as 802.11 data frames (EAPOL, EtherType 0x888E)
- Supplicant and server must be configured to use the same EAP type; a mismatch shows up as an EAP-Response/Nak (type 3) listing the types the supplicant is willing to use
- EAP-MD5
- EAP-TLS
- EAP-TTLS
- PEAP (EAP-PEAP)
- EAP-GTC
- EAP-SIM
- EAP messages are exchanged to authenticate and generate a PMK; the server returns the PMK to the authenticator in the RADIUS Access-Accept
- After the EAP method is selected the server presents a certificate to the STA (tunneled methods such as PEAP and EAP-TTLS; EAP-TLS also requires a client certificate)
- The cert is used to build a secure TLS tunnel that protects the inner credential exchange
- Last EAP frame is EAP-Success or EAP-Failure
- If EAP-Success is sent the station and authenticator move on to the 4-way handshake
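To check an 802.1X exchange at the first capture point (supplicant to authenticator) you need to read EAPOL and EAP headers. The following is an added example for these notes, not code from any tool: it decodes EAPOL frames as they appear inside 802.11 data frames after the LLC/SNAP header, and summarizes a whole exchange, reporting the negotiated method, any EAP type mismatch (a Nak) and whether the exchange ended in EAP-Success or EAP-Failure. The exchange at the bottom is constructed; the identity string is made up.

```python
"""EAPOL/EAP decoder for checking an 802.1X exchange in a wireless capture.

Added example for these notes, not taken from any tool. Input is the EAPOL
frame (EtherType 0x888E payload) found inside an 802.11 data frame. The
sample exchange below is constructed.
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS", 25: "PEAP"}


def decode_eapol(frame):
    """Decode the 4-byte EAPOL header and, for EAP-Packet, the EAP header and type."""
    _version, etype, _length = struct.unpack(">BBH", frame[:4])
    out = {"eapol": EAPOL_TYPES.get(etype, etype)}
    if etype != 0:
        return out
    code, ident, elen = struct.unpack(">BBH", frame[4:8])
    out.update(code=EAP_CODES.get(code, code), id=ident)
    if code in (1, 2):  # Request/Response carry a Type byte and Type-Data
        mtype = frame[8]
        out["type"] = EAP_TYPES.get(mtype, mtype)
        data = frame[9:4 + elen]
        if mtype == 1 and code == 2:
            out["identity"] = data.decode("utf-8", "replace")
        elif mtype == 3:  # legacy Nak: list of types the supplicant is willing to use
            out["wanted"] = [EAP_TYPES.get(t, t) for t in data]
    return out


def summarize(frames):
    """Walk one exchange and report method, NAKs and outcome."""
    result = {"method": None, "naks": [], "outcome": "incomplete", "identity": None}
    offered = None
    for f in frames:
        d = decode_eapol(f)
        if d["eapol"] != "EAP-Packet":
            continue
        if d["code"] == "Request" and d["type"] not in ("Identity", "Notification"):
            offered = d["type"]           # the server proposes a method
            result["method"] = offered
        elif d["code"] == "Response" and d["type"] == "Nak":
            result["naks"].append({"offered": offered, "wanted": d["wanted"]})
            result["method"] = None       # proposal rejected, wait for the next Request
        elif d["code"] == "Response" and d["type"] == "Identity":
            result["identity"] = d["identity"]
        elif d["code"] in ("Success", "Failure"):
            result["outcome"] = d["code"].lower()
    return result


def eapol(eap_packet):
    """Wrap an EAP packet in an EAPOL header (version 2, type 0 = EAP-Packet)."""
    return struct.pack(">BBH", 2, 0, len(eap_packet)) + eap_packet


def eap(code, ident, mtype=None, data=b""):
    body = b"" if mtype is None else bytes([mtype]) + data
    return struct.pack(">BBH", code, ident, 4 + len(body)) + body


# Constructed exchange: the server offers PEAP, the supplicant NAKs asking for
# EAP-TLS, the server retries with EAP-TLS and the exchange succeeds.
SAMPLE_EXCHANGE = [
    struct.pack(">BBH", 2, 1, 0),                     # EAPOL-Start from the supplicant
    eapol(eap(1, 1, 1)),                              # EAP-Request/Identity
    eapol(eap(2, 1, 1, b"alice@example.com")),        # EAP-Response/Identity (made-up user)
    eapol(eap(1, 2, 25, b"\x20")),                    # EAP-Request/PEAP (start flag)
    eapol(eap(2, 2, 3, bytes([13]))),                 # EAP-Response/Nak, wants EAP-TLS
    eapol(eap(1, 3, 13, b"\x20")),                    # EAP-Request/EAP-TLS (start flag)
    eapol(eap(2, 3, 13, b"\x00")),                    # EAP-Response/EAP-TLS
    eapol(eap(3, 4)),                                 # EAP-Success
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EXCHANGE))
```

A Nak in the summary is the capture-side signature of the "same EAP type on both ends" requirement above; an exchange that ends with no Success or Failure frame usually means the RADIUS side (second capture point) never answered.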
6.1.4 Pre-shared key authentication
- The Pairwise Master Key (PMK) is the PSK itself: 256 bits derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), so every STA on the SSID shares the same PMK
- From the PMK a Pairwise Transient Key (PTK) is derived per STA, using the two nonces and the two MAC addresses
- AP is the authenticator and the STA is the supplicant; there is no EAP exchange and no authentication server
- Next is the 4-way handshake using EAPOL-Key frames
- Upon completion the client is connected (temporal keys installed, data frames encrypted)
6.1.5 Four-way handshake
- RSNA uses EAPOL-Key frames to form the 4-way handshake
- Used with both PSK and 802.1X; the only difference is where the PMK comes from
- Used to prove both sides hold the PMK, derive fresh keys and secure communications
- The PTK is derived from the PMK, the ANonce, the SNonce and the two MAC addresses (AA and SPA); it is split into KCK (MIC key), KEK (key wrap key) and TK (temporal key)
- The SNonce is a random value generated by the supplicant and the ANonce by the authenticator; they are inputs to the PTK, not derived from it
- The authenticator holds a GMK from which it derives the GTK
- GTK is used to encrypt broadcast and multicast frames and is delivered, wrapped with the KEK, in message 3
- Later GTK updates (rekeys) use the separate 2-frame group key handshake, not the 4-way handshake
- Message 1
- AP sends an EAPOL-Key frame to the STA containing the ANonce for PTK generation
- The Key Information field indicates the key descriptor version (which MIC and key-wrap algorithms are in use, e.g. HMAC-SHA1 and AES key wrap for CCMP)
- The STA generates an SNonce and derives the PTK
- Message 2
- STA sends a message containing the SNonce, its RSNE and a MIC
- The MIC is computed with the KCK over the whole EAPOL-Key frame with the MIC field zeroed
- AP confirms the key replay counter matches message 1 and then verifies the MIC
- Message 3
- AP now has both nonces and derives the PTK
- The MIC from message 2 is verified; it proves the STA holds the same PMK
- AP sends message 3 with the ANonce, the RSNE from its beacon/probe response (the STA compares it with what it saw, which detects a downgraded RSNE), a MIC and the encrypted GTK
- Message 4
- STA confirms receipt of message 3; both sides then install the temporal keys
- In PSK, communications are protected following message 4
- In 802.1X the 4-way handshake follows the EAP authentication frames
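The PSK and 4-way handshake sections above (6.1.4 and 6.1.5) describe the same key derivation from two angles, so one worked example serves both. The following is an added example for these notes, not code from any supplicant, AP or cracking tool: it derives the PMK from passphrase and SSID, derives the PTK with the 802.11i PRF, builds a message 2 EAPOL-Key frame (key descriptor version 2, so the MIC is HMAC-SHA1-128 under the KCK) and verifies its MIC. The MAC addresses, nonces and RSNE are constructed. It also shows the practitioner's caveat about PSK: a captured handshake plus the SSID is enough to test passphrase guesses offline, because nothing but the PSK protects the MIC.

```python
"""PSK -> PMK -> PTK derivation and EAPOL-Key MIC check for WPA2-CCMP.

Added example for these notes, not code from any tool or from the standard.
Follows the WPA2 (802.11i) definitions: PSK = PBKDF2-HMAC-SHA1(passphrase,
SSID, 4096, 256 bits) and PTK = PRF-384(PMK, "Pairwise key expansion",
min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
The MACs, nonces and RSNE below are made up.
"""
import hashlib
import hmac
import struct


def psk_from_passphrase(passphrase, ssid):
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Return KCK, KEK and TK (16 bytes each for CCMP); input order is normalized."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC


def eapol_key_mic(kck, eapol):
    """MIC over the entire EAPOL frame with the 16-byte MIC field zeroed."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_mic(kck, eapol):
    return hmac.compare_digest(eapol_key_mic(kck, eapol), eapol[MIC_OFFSET:MIC_OFFSET + 16])


def build_msg2(kck, snonce, replay_counter, rsne):
    """Construct message 2 of the 4-way handshake as the supplicant would send it."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 / AES key wrap), Pairwise, MIC present
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)   # type, info, key len, replay
    body += snonce + bytes(16) + bytes(8) + bytes(8)                # nonce, key IV, RSC, reserved ID
    body += bytes(16) + struct.pack(">H", len(rsne)) + rsne         # MIC placeholder, key data
    eapol = struct.pack(">BBH", 2, 3, len(body)) + body             # EAPOL v2, type 3 = EAPOL-Key
    return eapol[:MIC_OFFSET] + eapol_key_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]


def recover_passphrase(candidates, ssid, aa, spa, anonce, snonce, msg2):
    """Offline check of passphrase guesses against a captured message 2 (why PSK is weak)."""
    for guess in candidates:
        kck = derive_ptk(psk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)["kck"]
        if verify_mic(kck, msg2):
            return guess
    return None


# Constructed sample handshake inputs
SSID = "IEEE"
AA = bytes.fromhex("02aabbccddee")      # authenticator (AP) MAC, made up
SPA = bytes.fromhex("021122334455")     # supplicant (STA) MAC, made up
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSNE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2, CCMP, PSK AKM


def sample_msg2(passphrase):
    """Message 2 as a supplicant configured with this passphrase would send it."""
    kck = derive_ptk(psk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)["kck"]
    return build_msg2(kck, SNONCE, 1, RSNE)


if __name__ == "__main__":
    print(psk_from_passphrase("password", SSID).hex())
    print(recover_passphrase(["letmein", "password"], SSID, AA, SPA, ANONCE, SNONCE,
                             sample_msg2("password")))
```

The passphrase "password" with SSID "IEEE" is the first PSK test vector published in the IEEE 802.11 standard's annex, so the PMK value can be checked against it. In a real capture, AA and SPA come from the EAPOL frames' 802.11 addresses, the ANonce from message 1 and the SNonce plus MIC from message 2; the derivation order does not depend on which side sent which frame because of the min/max normalization.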
6.1.6 Group key exchange
6.1.7 Pre-FT (802.11r) fast secure roaming mechanisms
- Preauthentication
- STA may authenticate (802.1X/EAP) with multiple APs before roaming to them, through its current AP
- Must be in the same ESS and the target APs must advertise pre-auth in their beacon frames
- Preauthentication bit of the RSN Capabilities field in the RSN IE set to 1
- Pre-auth EAPOL frames travel over the DS with EtherType 0x88C7 rather than 0x888E
- Result is a PMKSA held by the target AP and the STA
- PMKSA allows the EAP exchanges to be skipped on roaming, but the 4-way handshake still happens
- If the PMKSA has expired a full 802.1X exchange must happen
- PMK Caching
- Used when a STA roams back to a previous AP
- The STA and the original AP maintain a PMKSA
- STA lists the PMKID(s) in the RSNE of its (re)association request; AP verifies the PMKSA is valid and begins the 4-way handshake
- With PMK caching the PMKID is cached on the AP and on the STA; PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
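The PMKID lookup and the expiry rule above are simple enough to model. The following is an added example for these notes, not code from any AP or supplicant: it computes the PMKID as defined for the WPA2 PSK and 802.1X AKMs and keeps a PMKSA cache with a lifetime, so an AP can decide from the PMKID list in a (re)association request whether to go straight to the 4-way handshake or require full 802.1X. The PMK and MAC addresses are made up.

```python
"""PMKID computation and a PMKSA cache with lifetime, as used for PMK caching.

Added example for these notes, not from any AP or supplicant implementation.
PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) for the WPA2 PSK and
802.1X AKMs. All MAC addresses and the PMK below are made up.
"""
import hashlib
import hmac


def pmkid(pmk, aa, spa):
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class PMKSACache:
    """What an AP keeps per STA after a successful 802.1X or preauthentication."""

    def __init__(self, lifetime_s):
        self.lifetime_s = lifetime_s
        self._entries = {}   # pmkid -> (pmk, spa, expires_at)

    def add(self, pmk, aa, spa, now):
        pid = pmkid(pmk, aa, spa)
        self._entries[pid] = (pmk, spa, now + self.lifetime_s)
        return pid

    def lookup(self, pid, spa, now):
        """Return the cached PMK if the PMKID is known, unexpired and belongs to this STA."""
        entry = self._entries.get(pid)
        if entry is None:
            return None
        pmk, cached_spa, expires_at = entry
        if now >= expires_at:
            del self._entries[pid]   # expired PMKSA is purged; the STA must redo 802.1X
            return None
        if cached_spa != spa:        # PMKID replayed from another STA's association
            return None
        return pmk

    def decide(self, rsne_pmkids, spa, now):
        """Outcome for the PMKID list carried in a (re)association request RSNE."""
        for pid in rsne_pmkids:
            if self.lookup(pid, spa, now) is not None:
                return "4-way handshake with cached PMK"
        return "full 802.1X/EAP authentication"


# Constructed values
PMK = bytes(range(32))
AP1 = bytes.fromhex("02aabbccdd01")
STA = bytes.fromhex("021122334455")

if __name__ == "__main__":
    cache = PMKSACache(lifetime_s=3600)
    pid = cache.add(PMK, AP1, STA, now=0)
    print(pid.hex(), cache.decide([pid], STA, now=100), cache.decide([pid], STA, now=4000))
```

When reading a capture, compute the PMKID from the known PMK and the two addresses and compare it with the PMKID in the reassociation request; a mismatch explains why the AP fell back to a full EAP exchange.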
6.1.8 Fast BSS Transition (FT) roaming exchanges and fast secure roaming
- Current and target AP must be part of the same mobility domain (same MDIE)
- Over-the-air
- Message 1
- Originating station transmits an authentication request (FT authentication algorithm, value 2) directly to the TARGET AP
- Message 2
- The TARGET AP transmits an authentication response to the STA
- Message 3
- The STA transmits a reassociation request to the TARGET AP; the frame contains the FT element (FTE) and the MDIE
- Message 4
- The TARGET AP transmits a reassociation response containing the status code; if successful the STA's association is transitioned to the TARGET AP
- DA and RA of the STA's frames are set to the target AP BSSID
- Over-the-DS
- Communicates with the target AP through the current AP, using FT Action frames
- Message 1
- STA sends an FT Request action frame to the current AP with the Target AP Address field set to the target AP BSSID
- Message 2
- The target AP sends an FT Response back to the STA via the current AP
- Message 3
- The STA sends a reassociation request directly to the target AP
- Message 4
- The target AP responds with a reassociation response to the STA
6.1.9 Hotspot 2.0 protocols and operations from a client access perspective (ANQP and initial access)
- 802.11u (Interworking) helps a STA, e.g. one arriving from a cellular network, learn about a Wi-Fi network before joining it
- Roaming partners
- Venue name
- Venue type
- EAP methods
- Free or paid
- Basic network information is advertised in the Interworking element of beacons and probe responses; the rest is fetched with ANQP before association
- Access Network Query Protocol (ANQP), carried in GAS public action frames
- Query list
- Vendor specific info
- TDLS capability
6.1.10 Neighbor discovery
- 802.11k neighbor report: the STA sends a Neighbor Report Request action frame and the AP answers with a list of neighbor BSSIDs and their channels, so the STA scans fewer channels before roaming
6.2
6.2.1 Sticky clients
- A client that stays on its current AP at poor signal and low data rates instead of roaming to a better AP
- Capture near the client
- Gather information about the client
- Operating channel
- Band support
- Channel support
- PHY support
- Does it maintain connectivity at the lowest rates (what is its roam threshold)
- Does it support 802.11k (neighbor reports) and 802.11v (BSS transition management)
6.2.2 Excessive roaming
6.2.3 Channel aggregation for roaming analysis
6.3
6.3.1 Data frames and acknowledgement frames
- Data Frames
- Carry the upper-layer payload (MSDUs), i.e. the traffic users actually care about
- Type 10 (data), subtype 0000
- QoS data frames
- Type 10, subtype 1000
- The QoS Control field (TID, bits 0-3) indicates the priority / access category
- ACK and Block Ack
- Every unicast data frame (or A-MPDU) must be acknowledged; an ACK carries only the RA, so place the capture device near the AP or the client depending on whose ACKs you need to see
6.3.2 RTS/CTS data frame exchanges
- Addresses the hidden node problem: RTS/CTS reserves the medium (Duration field sets the NAV of every station that hears either frame) before the data frame is sent
6.3.3 QoS data frame exchanges
6.3.4 Block Acknowledgement exchanges
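Block Ack frames (mentioned under 6.3.1 and the subject of this section) are where retransmission decisions become visible in a capture. The following is an added example for these notes, not code from any analyzer: it decodes the compressed (8-byte bitmap) Block Ack body that follows RA/TA in the control frame, lists which sequence numbers of the 64-MPDU window were received, handles the wrap of sequence numbers at 4096, and works out which MPDUs the originator must retransmit. The sample frame is constructed.

```python
"""Compressed Block Ack bitmap decoder.

Added example for these notes, not taken from any analyzer. Input is the
Block Ack frame body after RA/TA: BA Control (2 bytes), Block Ack Starting
Sequence Control (2 bytes) and the 64-bit bitmap, all little-endian.
The sample frame below is constructed.
"""
import struct


def decode_block_ack(body):
    ba_ctrl, ssc = struct.unpack("<HH", body[:4])
    if not ba_ctrl & 0x0004:
        raise ValueError("only the compressed (8-byte bitmap) variant is handled here")
    bitmap = body[4:12]
    ssn = ssc >> 4               # starting sequence number; low 4 bits are the fragment number
    tid = ba_ctrl >> 12          # TID_INFO, bits 12-15 of BA Control
    acked, missing = [], []
    for i in range(64):
        sn = (ssn + i) % 4096    # sequence numbers are 12 bits and wrap
        if (bitmap[i // 8] >> (i % 8)) & 1:
            acked.append(sn)
        else:
            missing.append(sn)
    return {"tid": tid, "ssn": ssn, "acked": acked, "missing": missing}


def needs_retransmission(ba, sent_sns):
    """MPDUs the originator sent in this window that the recipient did not acknowledge."""
    miss = set(ba["missing"])
    return [sn for sn in sent_sns if sn in miss]


def build_block_ack(tid, ssn, acked_offsets):
    """Construct a compressed Block Ack body (used only for the sample below)."""
    bits = 0
    for off in acked_offsets:
        bits |= 1 << off
    return struct.pack("<HH", (tid << 12) | 0x0004, ssn << 4) + bits.to_bytes(8, "little")


# Constructed: 10 MPDUs starting at SN 4090 were sent in one A-MPDU, all but the
# fourth (SN 4093) arrived, and the window wraps past SN 4095 back to 0.
SENT = [(4090 + i) % 4096 for i in range(10)]
SAMPLE_BA = build_block_ack(5, 4090, [i for i in range(10) if i != 3])

if __name__ == "__main__":
    ba = decode_block_ack(SAMPLE_BA)
    print(ba["tid"], ba["ssn"], ba["acked"], needs_retransmission(ba, SENT))
```

Bits beyond the MPDUs actually sent are zero too, so "missing" must always be intersected with what the originator transmitted, as needs_retransmission does; otherwise the whole 64-frame window looks lost.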
6.4
6.4.1 MIMO
6.4.2 Transmit Beamforming (TxBF)
6.4.3 MU-MIMO
6.4.4 Frame aggregation (A-MSDU and A-MPDU)
6.5
6.5.1 Power Save operations
- Traditional (legacy PS)
- Uses PS-Poll
- STA wakes at defined intervals (its listen interval) to read the TIM in beacons
- Each beacon frame includes the TIM, which indicates which AIDs have frames buffered on the AP
- Null data frame power save
- Uses 2 null data frames (PM bit 0 to wake, PM bit 1 to sleep) to lower the number of PS-Polls
- WMM PS (U-APSD)
- Adds the ability to pull only the frames buffered for a single AC
- Uses a trigger frame (QoS data or QoS null) instead of PS-Poll
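Reading the TIM is the step every power-save scheme above starts from. The following is an added example for these notes, not code from any client or AP firmware: it decodes the TIM element (DTIM Count, DTIM Period, Bitmap Control, Partial Virtual Bitmap), maps an AID to its bit in the virtual bitmap taking the bitmap offset into account, and returns what a legacy power-save STA does next. The sample TIMs are constructed.

```python
"""TIM element decoder and the dozing STA's decision after reading a beacon.

Added example for these notes, not from any client or AP firmware. TIM
value = DTIM Count (1), DTIM Period (1), Bitmap Control (1), Partial
Virtual Bitmap. Bit 0 of Bitmap Control flags buffered broadcast/multicast
traffic; bits 1-7 give the offset of the partial bitmap, in pairs of
octets, inside the full 2008-bit virtual bitmap. AID n maps to bit n mod 8
of octet n // 8 of the full bitmap. Sample TIMs below are constructed.
"""


def parse_tim(value):
    if len(value) < 4:
        raise ValueError("TIM element too short")
    return {
        "dtim_count": value[0],
        "dtim_period": value[1],
        "multicast_buffered": bool(value[2] & 0x01),
        "bitmap_offset": value[2] >> 1,          # N1 / 2
        "pvb": value[3:],                         # octets N1 .. N2 of the virtual bitmap
    }


def aid_has_buffered_frames(tim, aid):
    if not 1 <= aid <= 2007:
        raise ValueError("AID out of range")
    octet = aid // 8 - 2 * tim["bitmap_offset"]   # position inside the partial bitmap
    if octet < 0 or octet >= len(tim["pvb"]):
        return False                               # outside the partial bitmap: nothing buffered
    return bool((tim["pvb"][octet] >> (aid % 8)) & 1)


def sta_action(tim, aid):
    """What a legacy power-save STA does after reading this beacon's TIM."""
    if aid_has_buffered_frames(tim, aid):
        return "send PS-Poll"
    if tim["dtim_count"] == 0 and tim["multicast_buffered"]:
        return "stay awake for multicast"
    return "return to doze"


# Constructed TIMs (element value only, without the ID 5 / length header)
TIM_AID18 = bytes([0, 3, 0x02, 0x04])    # offset 1 -> octet 2 -> AIDs 16-23; bit 2 -> AID 18
TIM_MCAST = bytes([0, 3, 0x01, 0x00])    # DTIM beacon with the multicast traffic indicator set

if __name__ == "__main__":
    for aid in (17, 18, 5):
        print(aid, sta_action(parse_tim(TIM_AID18), aid))
    print(5, sta_action(parse_tim(TIM_MCAST), 5))
```

A client that sends PS-Polls although its AID bit is clear, or never polls although it is set, is the thing to look for when diagnosing buffered-frame loss for sleeping clients.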
6.5.2 Protection mechanisms
- HT
- 4 modes, carried in the HT Protection field of the HT Operation element (beacons and probe responses)
- Mode 0: no protection; all STAs in the BSS and on the channel are HT and operate with the same capabilities
- Mode 1: HT nonmember protection; all associated STAs are HT, but a non-HT STA or BSS has been detected on the primary or secondary channel
- Mode 2: HT 20 MHz protection; all STAs are HT but at least one only supports 20 MHz in a 20/40 MHz BSS
- Mode 3: HT mixed mode; used if any associated STA is not HT capable
- Protection means HT transmissions are preceded by RTS/CTS or CTS-to-self sent at a legacy rate
- The HT Operation information element carries the HT protection mode
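To see which mode a BSS is in, decode the HT Operation element from a beacon. The following is an added example for these notes, not code from any analyzer: it parses the element value (Primary Channel, then HT Operation Information), returns the protection mode together with the neighbouring flags that explain it, and states what to expect in the capture. The sample element values are constructed.

```python
"""HT Operation element decoder to read the HT Protection mode from a capture.

Added example for these notes, not from any analyzer. Element value =
Primary Channel (1 byte) + HT Operation Information (5 bytes) + Basic MCS
Set (16 bytes). First info byte: Secondary Channel Offset (bits 0-1), STA
Channel Width (bit 2), RIFS Mode (bit 3). Second info byte: HT Protection
(bits 0-1), Nongreenfield HT STAs Present (bit 2), OBSS Non-HT STAs Present
(bit 4). Sample values below are constructed.
"""

HT_PROTECTION = {0: "no protection", 1: "nonmember protection",
                 2: "20 MHz protection", 3: "non-HT mixed"}
SECONDARY_OFFSET = {0: "none", 1: "above", 3: "below"}
LIKELY_CAUSE = {
    0: "all STAs and neighbouring BSSs on the channel are HT",
    1: "a non-HT STA or BSS was detected on the primary or secondary channel",
    2: "a 20 MHz-only HT STA is associated to a 20/40 MHz BSS",
    3: "a non-HT (802.11a/b/g) STA is associated",
}


def parse_ht_operation(value):
    if len(value) < 6:
        raise ValueError("HT Operation element too short")
    primary, info1, info2 = value[0], value[1], value[2]
    mode = info2 & 0x03
    return {
        "primary_channel": primary,
        "secondary_offset": SECONDARY_OFFSET.get(info1 & 0x03, "reserved"),
        "width_40_allowed": bool(info1 & 0x04),
        "rifs": bool(info1 & 0x08),
        "ht_protection": mode,
        "ht_protection_name": HT_PROTECTION[mode],
        "likely_cause": LIKELY_CAUSE[mode],
        "nongreenfield_present": bool(info2 & 0x04),
        "obss_non_ht_present": bool(info2 & 0x10),
    }


def expect_protection_frames(ht_op):
    """Whether HT PPDUs in this BSS should be preceded by RTS/CTS or CTS-to-self."""
    return ht_op["ht_protection"] != 0


# Constructed: channel 36 + 40 (secondary above), 40 MHz allowed, mode 3 (non-HT mixed)
SAMPLE_HT_OP = bytes([36, 0x05, 0x03, 0x00, 0x00, 0x00]) + bytes(16)
# Constructed: channel 6, 20 MHz only, no protection
SAMPLE_HT_OP_CLEAN = bytes([6, 0x00, 0x00, 0x00, 0x00, 0x00]) + bytes(16)

if __name__ == "__main__":
    for v in (SAMPLE_HT_OP, SAMPLE_HT_OP_CLEAN):
        h = parse_ht_operation(v)
        print(h["primary_channel"], h["ht_protection_name"], h["likely_cause"])
```

If the beacon says mode 3 but the capture shows no RTS/CTS or CTS-to-self before HT frames, the HT stations are ignoring the advertised protection, which is a client-side problem rather than an AP one.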
6.5.3 Load balancing
6.5.4 Band Steering