CWAP – 802.11 Frame Exchanges

6.1

6.1.1 BSS discovery

  • Beacon Frames and BSS announcement
    • Passive scanning searches for beacons
    • Active scanning uses probes to find SSIDs
  • State Machine
    • The process of joining a BSS is called the 802.11 state machine
    • Sequence of frames
      • Probe REQ
      • Probe RES
      • 802.11 Auth from station
      • 802.11 auth from AP
      • Assoc REQ
      • Assoc RES
    • Open system authentication is 802.11 auth
    • OSA is not a security method; it simply allows a STA to join the system
  • Probe REQ Frame
    • Originates from a STA wanting to join
    • Done in one of 2 methods
      • Preconfigured station will send a probe for those networks
      • STA receives the beacon frame and requests to join by sending a probe REQ with the indicated SSID listed in the frame
    • Subtype of the management frame
    • Broadcast frame originating from the STA
    • The SA and TA are the STA transmitting
    • DA and RA are set to broadcast address
  • Probe RES Frame
    • Contains information about the BSS that the STA must support
    • Does not contain
      • TIM
      • QOS capability
      • AP channel report
      • FMS descriptor element
      • HCCA TXOP update count
    • Will contain an element if requested by probe REQ

6.1.2 802.11 Authentication and Association (Open system authentication)

  • Authentication Frame
    • Operates at the link level between stations
    • Two authentication messages exchanged
    • The STA generates the first of the two frames
      • STA MAC is SA and TA
      • BSSID is DA and RA
    • AP will respond with its own unicast auth reversing the MACs
    • Contains the auth results in second frame
  • Association Frame
    • After passing open authentication the association frame is sent from the STA
    • Management frame
    • Transmitted at the highest min data rate supported
    • The DA and RA are set to the BSSID
    • AP sends an ACK and then the association response
    • If successful receives AID
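Worked example for 6.1.1 and 6.1.2, added to these notes rather than taken from the CWAP material: a small Python decoder that pulls the frame control type/subtype and the three addresses out of raw 802.11 management frames, then replays the join sequence listed above (Probe REQ, Probe RES, Auth, Auth, Assoc REQ, Assoc RES) and checks what the notes say about each frame: broadcast DA/RA on the probe request, STA-to-BSSID addressing on the STA's frames with the MACs reversed in the responses, open-system algorithm 0 with sequence 1 then 2, status 0, and the AID delivered in the association response. The MAC addresses, SSID and frame bodies are constructed for the example. The same type/subtype decoding covers the data frame values in 6.3.1 (type 10 subtype 0000 for data, 1000 for QoS data).

```python
import struct

# Constructed addresses for the example (not from any real capture)
STA_MAC = bytes.fromhex("021122334455")
AP_BSSID = bytes.fromhex("02aabbccddee")
BROADCAST = b"\xff" * 6

# Frame control type: 00 management, 01 control, 10 data (the "Type 10" of 6.3.1)
MGMT_SUBTYPES = {0: "Assoc REQ", 1: "Assoc RES", 4: "Probe REQ", 5: "Probe RES",
                 8: "Beacon", 11: "Auth", 12: "Deauth"}
CTRL_SUBTYPES = {8: "BlockAckReq", 9: "BlockAck", 10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK"}
DATA_SUBTYPES = {0: "Data", 8: "QoS Data"}


def classify(fc: int) -> tuple:
    """Frame control is little-endian; bits 2-3 are the type, bits 4-7 the subtype."""
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES, 2: DATA_SUBTYPES}.get(ftype, {})
    return ftype, subtype, names.get(subtype, "?")


def parse_ies(body: bytes) -> dict:
    """Split an information element list into {element_id: value}."""
    ies, pos = {}, 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        ies[eid] = body[pos + 2:pos + 2 + length]
        pos += 2 + length
    return ies


def parse_frame(raw: bytes) -> dict:
    """Decode the management MAC header and the body fields the join sequence depends on."""
    fc, = struct.unpack_from("<H", raw, 0)
    ftype, subtype, name = classify(fc)
    frame = {"type": ftype, "subtype": subtype, "name": name,
             "da_ra": raw[4:10], "sa_ta": raw[10:16], "bssid": raw[16:22]}
    body = raw[24:]                               # FC, duration, 3 addresses, sequence control
    if ftype != 0:
        return frame                              # only management bodies are decoded here
    if subtype == 11:                             # Authentication: algorithm, sequence, status
        frame["alg"], frame["seq"], frame["status"] = struct.unpack_from("<HHH", body)
    elif subtype == 1:                            # Association response: capability, status, AID
        _cap, frame["status"], aid = struct.unpack_from("<HHH", body)
        frame["aid"] = aid & 0x3FFF               # the two high bits of the AID field are always set
    elif subtype == 4:                            # Probe request: body is only IEs
        frame["ssid"] = parse_ies(body).get(0, b"").decode()
    elif subtype == 0:                            # Association request: capability, listen interval, IEs
        frame["ssid"] = parse_ies(body[4:]).get(0, b"").decode()
    return frame


def check_join_sequence(frames: list) -> dict:
    """Replay the 802.11 state machine over captured frames; raise on the first deviation."""
    expected = ["Probe REQ", "Probe RES", "Auth", "Auth", "Assoc REQ", "Assoc RES"]
    parsed = [parse_frame(f) for f in frames]
    seen = [p["name"] for p in parsed]
    if seen != expected:
        raise ValueError(f"unexpected sequence {seen}")
    probe_req, probe_res, auth1, auth2, assoc_req, assoc_res = parsed
    sta, ap = probe_req["sa_ta"], probe_res["sa_ta"]
    if probe_req["da_ra"] != BROADCAST:
        raise ValueError("probe REQ DA/RA should be the broadcast address")
    for f in (auth1, assoc_req):                  # STA frames: SA/TA = STA, DA/RA = BSSID
        if (f["sa_ta"], f["da_ra"]) != (sta, ap):
            raise ValueError(f"{f['name']} is not addressed STA -> BSSID")
    for f in (probe_res, auth2, assoc_res):       # AP replies reverse the MACs
        if (f["sa_ta"], f["da_ra"]) != (ap, sta):
            raise ValueError(f"{f['name']} is not addressed BSSID -> STA")
    if (auth1["alg"], auth1["seq"], auth2["alg"], auth2["seq"]) != (0, 1, 0, 2):
        raise ValueError("not an open-system authentication pair")
    if auth2["status"] != 0:
        raise ValueError(f"authentication refused, status {auth2['status']}")
    if assoc_res["status"] != 0:
        raise ValueError(f"association refused, status {assoc_res['status']}")
    return {"sta": sta.hex(":"), "bssid": ap.hex(":"), "ssid": assoc_req["ssid"], "aid": assoc_res["aid"]}


def mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes) -> bytes:
    fc = subtype << 4                             # type 00 management, no flags
    return struct.pack("<HH", fc, 0) + da + sa + bssid + struct.pack("<H", 0) + body


def ssid_ie(ssid: str) -> bytes:
    return bytes([0, len(ssid)]) + ssid.encode()


def example_join(ssid: str = "corp-wlan", auth_status: int = 0) -> list:
    """Constructed join exchange in the order the notes list the frames."""
    return [
        mgmt_frame(4, BROADCAST, STA_MAC, BROADCAST, ssid_ie(ssid)),
        mgmt_frame(5, STA_MAC, AP_BSSID, AP_BSSID, struct.pack("<QHH", 0, 100, 0x0411) + ssid_ie(ssid)),
        mgmt_frame(11, AP_BSSID, STA_MAC, AP_BSSID, struct.pack("<HHH", 0, 1, 0)),
        mgmt_frame(11, STA_MAC, AP_BSSID, AP_BSSID, struct.pack("<HHH", 0, 2, auth_status)),
        mgmt_frame(0, AP_BSSID, STA_MAC, AP_BSSID, struct.pack("<HH", 0x0411, 10) + ssid_ie(ssid)),
        mgmt_frame(1, STA_MAC, AP_BSSID, AP_BSSID, struct.pack("<HHH", 0x0411, 0, 0xC001)),
    ]


if __name__ == "__main__":
    print(check_join_sequence(example_join()))
```

Run against a real capture by feeding the raw management frames (without the radiotap header) in order; the checker stops at the first frame that breaks the sequence or the addressing rules, which is the frame to look at when a client fails to join.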

6.1.3 802.1X/EAP exchanges

  • RSNA 802.1X involves
    • Supplicant – usually client/STA
    • Authenticator – AP/WLC
    • Authentication server – ISE/RADIUS
  • Capture location is important
  • 2 capture points
    • The first is between supplicant and authenticator
    • The second is between authenticator and server
  • The first is captured using wireless and the second using wired
  • Begins with the AP sending an EAP-REQ or with the supplicant sending an EAPOL-Start frame
  • Supplicant receives the request for an identity
  • Identity is provided using EAP-Response
  • Authenticator forwards the response to the auth server as a RADIUS access request
  • 802.1X EAP messages are sent as data frames
  • Supplicant and server must be configured to use the same EAP type
    • EAP-MD5
    • EAP-TLS
    • EAP-TTLS
    • EAP-PEAP
    • EAP-GTC
    • EAP-SIM
    • PEAP
  • EAP messages are exchanged to authenticate and generate a PMK
  • After the EAP method is selected the server presents a certificate to the STA
  • The cert is used to build a secure TLS tunnel
  • Last EAP frame is pass or fail
  • If pass is sent the station and authenticator move onto the 4-way
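Added example (not from the CWAP material) for the wireless-side capture point in 6.1.3: a decoder for the EAPOL frames that carry EAP over the air. It walks a constructed exchange and reports who started it (EAPOL-Start from the supplicant or EAP-Request from the authenticator), the identity sent in the EAP-Response, the EAP method the server offered, and whether the final frame was a pass (Success) or fail (Failure). The EAP type numbers map to the methods listed above; the identity and the frames themselves are constructed.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers for the methods listed in the notes
EAP_TYPES = {1: "Identity", 4: "EAP-MD5", 6: "EAP-GTC", 13: "EAP-TLS", 18: "EAP-SIM",
             21: "EAP-TTLS", 25: "PEAP"}


def parse_eapol(payload: bytes) -> dict:
    """Decode one EAPOL frame (the payload after the 802.11 data header and LLC/SNAP)."""
    _version, ptype, length = struct.unpack_from("!BBH", payload, 0)
    msg = {"eapol": EAPOL_TYPES.get(ptype, f"type {ptype}")}
    if ptype != 0:                                # Start/Logoff/Key carry no EAP packet
        return msg
    body = payload[4:4 + length]
    code, ident, eap_len = struct.unpack_from("!BBH", body, 0)
    msg.update(code=EAP_CODES.get(code, f"code {code}"), id=ident)
    if code in (1, 2):                            # Request/Response carry a method type byte
        method = body[4]
        msg["method"] = EAP_TYPES.get(method, f"type {method}")
        if method == 1 and code == 2:             # EAP-Response/Identity carries the (outer) identity
            msg["identity"] = body[5:eap_len].decode()
    return msg


def summarize_exchange(frames: list) -> dict:
    """Walk the EAPOL frames seen between supplicant and authenticator, in capture order."""
    summary = {"started_by": None, "identity": None, "methods": [], "result": None}
    for raw in frames:
        m = parse_eapol(raw)
        if summary["started_by"] is None:
            summary["started_by"] = "supplicant" if m["eapol"] == "EAPOL-Start" else "authenticator"
        if m["eapol"] != "EAP-Packet":
            continue
        if m.get("identity") is not None:
            summary["identity"] = m["identity"]
        if m["code"] == "Request" and m["method"] != "Identity" and m["method"] not in summary["methods"]:
            summary["methods"].append(m["method"])   # the EAP type the server proposed
        if m["code"] in ("Success", "Failure"):
            summary["result"] = m["code"]             # last EAP frame: pass or fail
    return summary


def eapol(ptype: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", 2, ptype, len(body)) + body   # 802.1X-2004 version 2


def eap(code: int, ident: int, method: int = None, data: bytes = b"") -> bytes:
    body = bytes([method]) + data if method is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed exchange: EAPOL-Start, identity round trip, PEAP start, then Success.
# TLS records inside PEAP are elided; the identity is a made-up outer identity.
EXAMPLE_EXCHANGE = [
    eapol(1),
    eapol(0, eap(1, 1, 1)),
    eapol(0, eap(2, 1, 1, b"anonymous@example.com")),
    eapol(0, eap(1, 2, 25, b"\x20")),             # PEAP flags byte with the Start bit set
    eapol(0, eap(2, 2, 25, b"\x00")),             # client's PEAP response (TLS data elided)
    eapol(0, eap(3, 3)),
]

if __name__ == "__main__":
    print(summarize_exchange(EXAMPLE_EXCHANGE))
```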

6.1.4 Pre-shared key authentication

  • Pairwise Master Key (PMK) is the PSK
  • From the PMK a Pairwise Transient Key (PTK) is derived
  • AP is the authenticator and the STA is the supplicant
  • Next is the 4-way handshake using EAPOL-Key
  • Upon completion the client is connected

6.1.5 Four-way handshake

  • RSNA uses EAPOL-Key frames to form the 4-way handshake
  • Used with PSK and 802.1X
  • Used to secure communications
  • During the handshake the PMK is used to create the PTK
  • The PTK derivation uses the SNonce from the supplicant and the ANonce from the authenticator
  • The authenticator holds a GMK which is used to derive the GTK
  • GTK is used to encrypt Broadcast and multicast messages and is delivered in message 3/4
  • Transfer of the GTK is called group key handshake
  • Message 1
    • AP sends an EAPOL-Key frame to the STA containing an ANonce for the PTK generation
    • Contains the encryption type such as AES
    • The STA uses the message to generate a SNonce and derive the PTK
  • Message 2
    • STA sends message containing SNonce, RSNE, and MIC
    • The PTK is derived from the SNonce and ANonce
    • AP will confirm the key replay counter corresponds to message 1 and then verify the MIC
  • Message 3
    • AP derives PTK
    • The MIC is verified
    • AP sends message 3 with an ANonce, RSNE from the beacon and probe response, MIC and GTK
  • Message 4
    • STA notifies the AP if the temporal keys were installed
  • In PSK, communications are protected following message 4
  • In 802.1X the 4-way handshake follows the EAP authentication frames
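Added example for 6.1.4 and 6.1.5 (written for these notes, not taken from the CWAP material): the passphrase-to-PMK mapping used in PSK mode, the PRF that expands the PMK, both MACs and both nonces into the PTK (split into KCK, KEK and TK for CCMP), and the two checks the notes give for message 2, replay counter first and then the MIC. The MACs, nonces and RSNE are constructed; key descriptor version 2 (HMAC-SHA1-128 MIC, as used with WPA2-PSK) is assumed.

```python
import hashlib
import hmac

# Constructed values for the example (not from a real capture)
AA = bytes.fromhex("02aabbccddee")              # authenticator (AP) MAC
SPA = bytes.fromhex("021122334455")             # supplicant (STA) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """6.1.4: in PSK mode the PMK is the PSK, PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11 PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | counter)."""
    out, counter = b"", 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> tuple:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces); CCMP split."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[0:16], ptk[16:32], ptk[32:48]       # KCK (MIC key), KEK (wraps the GTK), TK (data)


# EAPOL-Key layout: 802.1X hdr(4) desc(1) keyinfo(2) keylen(2) replay(8) nonce(32) IV(16) RSC(8) ID(8) MIC(16) datalen(2) data
MIC_OFFSET = 81


def eapol_key(key_info: int, replay: int, nonce: bytes, key_data: bytes = b"", mic: bytes = bytes(16)) -> bytes:
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big") + replay.to_bytes(8, "big")
            + nonce + bytes(16) + bytes(8) + bytes(8) + mic + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 over the whole EAPOL frame with the MIC field zeroed (key descriptor version 2)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def replay_counter(frame: bytes) -> int:
    return int.from_bytes(frame[9:17], "big")


def authenticator_checks_msg2(kck: bytes, msg1: bytes, msg2: bytes) -> str:
    """What the AP does with message 2: replay counter must echo message 1, then the MIC must verify."""
    if replay_counter(msg2) != replay_counter(msg1):
        return "replay counter mismatch"
    if not hmac.compare_digest(compute_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16]):
        return "MIC failed"
    return "ok"


def run_handshake(passphrase: str, ssid: str, tamper: bool = False) -> dict:
    pmk = psk_to_pmk(passphrase, ssid)
    # Message 1, AP -> STA: ANonce, key info 0x008a (pairwise, ack, descriptor version 2)
    msg1 = eapol_key(0x008A, 1, ANONCE)
    # STA now has both nonces and derives the PTK
    kck_sta, _, _ = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    # Message 2, STA -> AP: SNonce, RSNE and MIC, key info 0x010a (pairwise, mic, v2), same replay counter
    rsne = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # constructed RSNE: CCMP, PSK
    msg2 = eapol_key(0x010A, 1, SNONCE, rsne)
    msg2 = msg2[:MIC_OFFSET] + compute_mic(kck_sta, msg2) + msg2[MIC_OFFSET + 16:]
    if tamper:
        msg2 = msg2[:-1] + bytes([msg2[-1] ^ 0x01])  # flip one bit of the RSNE in flight
    # AP derives its own PTK from the same inputs before checking the frame
    kck_ap, _, _ = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    return {"msg2_check": authenticator_checks_msg2(kck_ap, msg1, msg2), "same_ptk": kck_ap == kck_sta}


if __name__ == "__main__":
    print(run_handshake("password", "IEEE"))
```

A mismatched passphrase on either side shows up here exactly as it does in a capture: the PTKs differ, so the AP reports a MIC failure on message 2 and the handshake never reaches message 3.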

6.1.6 Group key exchange

6.1.7 Pre-FT (802.11r) fast secure roaming mechanisms

  • Preauthentication
    • STA may authenticate with multiple APs
    • Must be in the same ESS and advertise pre-auth in their beacon frame
    • RSN pre-auth capability set to 1 in the RSN IE
    • PMKSA used
    • PMKSA allows the EAP exchanges to be skipped but the 4-way still happens
    • If the PMKSA is expired a full 802.1X exchange must happen
  • PMK Caching
    • Used when a STA roams back to a previous AP
    • The STA and the original AP maintain a PMKSA
    • AP verifies the PMKSA is valid and begins the 4-way
    • With PMK caching the PMKID is cached on the AP

6.1.8 Fast BSS Transition (FT) roaming exchanges and fast secure roaming

  • Must be part of the same mobility domain
  • Over-the-air
    • Message 1
      • Originating station transmits an auth request to the TARGET AP
    • Message 2
      • The TARGET AP transmits an auth response to the STA
    • Message 3
      • The STA transmits a reassoc frame to the TARGET AP, which contains an FT element
    • Message 4
      • The TARGET AP transmits a reassoc response containing the status code and if successful the STA assoc is transitioned to the TARGET AP
    • DA and RA are set to the target AP BSSID
  • Over-the-DS
    • Communicates with target AP through current AP
    • Message 1
      • STA sends FT request to current AP with target AP address set to target AP BSSID
    • Message 2
      • The target AP sends an FT response to the STA
    • Message 3
      • The STA sends a reassoc destined to the target AP
    • Message 4
      • The target AP responds with a reassoc response to the STA

6.1.9 Hotspot 2.0 protocols and operations from a client access perspective (ANQP and initial access)

  • 802.11u helps STAs on cellular networks discover a Wi-Fi network before joining
    • Roaming partners
    • Venue name
    • Venue type
    • EAP methods
    • Free or paid
  • Advertised through the interworking element
  • Access Network Query Protocol (ANQP)
    • Query list
    • Vendor specific info
    • TDLS capability

6.1.10 Neighbor discovery

  • 802.11k

6.2

6.2.1 Sticky clients

  • Capture near client
  • Gather information about the client
    • Operating channel
    • Band support
    • Channel support
    • PHY support
  • Does it maintain connectivity at lowest rates
  • Include support for 802.11k and 802.11v

6.2.2 Excessive roaming

6.2.3 Channel aggregation for roaming analysis

6.3

6.3.1 Data frames and acknowledgement frames

  • Data Frames
    • Actions that drive users
    • Type 10 subtype 0000
  • QOS data frames
    • Type 10 subtype 1000
    • QoS control element will indicate the priority
  • ACK and blockACK
    • Set up the capture device near the AP or client

6.3.2 RTS/CTS data frame exchanges

  • Addresses hidden node

6.3.3 QoS data frame exchanges

6.3.4 Block Acknowledgement exchanges

6.4

6.4.1 MIMO

6.4.2 Transmit Beamforming (TxBF)

6.4.3 MU-MIMO

6.4.4 Frame aggregation (A-MSDU and A-MPDU)

6.5

6.5.1 Power Save operations

  • Traditional
    • Uses PS-Poll
    • Defined intervals to wake up and check beacons for TIM
    • Each beacon frame includes the TIM and what clients have frames buffered
  • Usual
    • Uses 2 null frames to lower the amount of PS-Polls happening
  • WMM PS
    • Adds the ability to pull only buffered frames from a single AC
    • Uses a trigger frame instead of PS-Poll
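Added example for the traditional power-save flow in 6.5.1 (not from the CWAP material): building and decoding the TIM element carried in every beacon, so a station waking at its listen interval can tell whether its AID has frames buffered at the AP or a DTIM is about to release buffered multicast. The AP sends only the non-zero span of the 2008-bit virtual bitmap and encodes where that span starts in the Bitmap Control field; the decoder reverses that. AIDs and DTIM values are constructed.

```python
MAX_AID = 2007


def build_tim(dtim_count: int, dtim_period: int, multicast_buffered: bool, aids: set) -> bytes:
    """Build a TIM element (ID 5) the way an AP does: only the non-zero octets of the bitmap are sent."""
    bitmap = bytearray(251)                       # 2008 bits; bit 0 (AID 0) is the multicast flag, kept in Bitmap Control
    for aid in aids:
        if not 1 <= aid <= MAX_AID:
            raise ValueError(f"AID {aid} out of range")
        bitmap[aid // 8] |= 1 << (aid % 8)
    nonzero = [i for i, octet in enumerate(bitmap) if octet]
    if nonzero:
        n1 = nonzero[0] & ~1                      # largest even octet index with all earlier bits zero
        n2 = nonzero[-1]                          # last octet with any bit set
        pvb = bytes(bitmap[n1:n2 + 1])            # partial virtual bitmap
    else:
        n1, pvb = 0, b"\x00"                      # nothing buffered: a single zero octet
    bitmap_ctrl = int(multicast_buffered) | ((n1 // 2) << 1)   # bit 0 multicast, bits 1-7 offset N1/2
    body = bytes([dtim_count, dtim_period, bitmap_ctrl]) + pvb
    return bytes([5, len(body)]) + body


def parse_tim(element: bytes) -> dict:
    """Decode a TIM element into the set of AIDs that have frames buffered at the AP."""
    if element[0] != 5:
        raise ValueError("not a TIM element")
    body = element[2:2 + element[1]]
    dtim_count, dtim_period, bitmap_ctrl = body[0], body[1], body[2]
    offset_octets = (bitmap_ctrl >> 1) * 2        # Bitmap Offset field holds N1/2
    buffered = set()
    for i, octet in enumerate(body[3:]):
        for bit in range(8):
            if octet & (1 << bit):
                buffered.add((offset_octets + i) * 8 + bit)
    return {"dtim_count": dtim_count, "dtim_period": dtim_period,
            "multicast_buffered": bool(bitmap_ctrl & 1), "buffered_aids": buffered}


def station_should_stay_awake(element: bytes, my_aid: int) -> bool:
    """The check a PS station makes on each beacon it wakes for: my AID set, or a DTIM with multicast pending."""
    tim = parse_tim(element)
    multicast_due = tim["multicast_buffered"] and tim["dtim_count"] == 0
    return my_aid in tim["buffered_aids"] or multicast_due


if __name__ == "__main__":
    tim = build_tim(0, 3, True, {17, 40, 130})
    print(tim.hex(), parse_tim(tim), station_should_stay_awake(tim, 40))
```

When analysing a sticky or battery-hungry client, decoding the TIM from consecutive beacons shows whether the AP really is announcing buffered frames for that AID at every listen interval, or whether the client is simply not sleeping.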

6.5.2 Protection mechanisms

  • HT
    • 4 modes
    • Mode 0: All APs and STAs are HT (802.11n) and operate with the same capabilities
    • Mode 1: all members are HT STA, but another BSS is running on the same channel. HT nonmember protection
    • Mode 2: HT 20MHz protection mode, used when one station only supports 20
    • Mode 3: HT mixed mode, used if any station is not capable of HT
  • The HT information element includes the HT protection mode

6.5.3 Load balancing

6.5.4 Band Steering
