BSS Association, Transition & Security Exchanges #CWAP #Notes

This blog post features chapter 5 from the CWAP-403 book. I have tried to summarize it as I read through the book. Hope this helps you on the journey to become CWAP-403 certified. I am still waiting to take my 2nd attempt, hopefully once the COVID-19 lockdown is relaxed. I am aiming to revise the 802.11 Frame Exchanges & MAC Sublayer and Functions sections, which comprise 50% of the exam syllabus.
The fundamentals of WLAN connectivity begin with finding and associating to a basic service set (BSS). Wi-Fi client devices continuously scan for available networks, whether or not a network they know is currently within range.
Beacon Frames and BSS Announcement
- Client STAs scan for available networks either passively, by listening for Beacon frames, or actively, by transmitting Probe Requests for the Wi-Fi networks they know about (or with a wildcard SSID to discover any network).
- The Beacon frame is transmitted by the AP to announce the BSS and its parameters. It is sent once per beacon interval, which defaults to 100 time units (TUs) of 1024 µs each, i.e. roughly every 102.4 ms. The scheduled moment of each transmission is the target beacon transmission time (TBTT); the actual Beacon can be slightly late if the medium is busy.
- Each SSID on an AP has its own Beacon frame, so configuring too many SSIDs consumes more airtime on every radio.
- APs with a hidden SSID still broadcast Beacon frames. In a frame capture the SSID element is empty (zero length or filled with nulls), shown as a blank or wildcard SSID.
- The SSID name is, however, visible in the Probe Request frames sent by a station preconfigured to use the hidden SSID, so hiding the SSID is not a security control.
802.11 State Machine
The process by which a client STA joins a BSS follows the 802.11 state machine: the STA moves from State 1 (unauthenticated, unassociated) to State 2 (authenticated, unassociated) and then to State 3 (authenticated, associated). The sequence of frames is:
STA <——> AP
–> Probe Request to AP
<– Probe Response to STA
–> Open System Authentication Request to AP
<– Open System Authentication Response to STA
–> Association Request to AP
<– Association Response to STA
Any further security, such as 802.1X/EAP or PSK, is performed after this exchange. The STA is then associated, but its 802.1X controlled port stays blocked until the 4-Way Handshake completes.
Probe Request Frame
- Originates from a client STA looking for a BSS. It is normally a broadcast frame (destination and BSSID set to the broadcast address), although a STA may also direct it at a specific BSSID.
- A STA preconfigured with a previously connected SSID actively probes for that network; for a new network it learns the BSS from the AP's Beacon frames (or from a Probe Response to a wildcard probe) and then requests to join.
- The source address (SA) and transmitter address (TA) are set to the MAC address of the client STA transmitting the Probe Request.
- The destination address (DA) and receiver address (RA) are set to the broadcast address, and the BSSID field is the wildcard (broadcast) BSSID.
- The elements in the Probe Request (Supported Rates, HT Capabilities, VHT Capabilities and so on) help identify the type of station, e.g. whether it is an HT (802.11n) or VHT (802.11ac) client.
Probe Response Frame
- Upon receiving a Probe Request from a client STA, the AP contends for the medium and sends a Probe Response frame containing information about the BSS that a station must be able to support in order to join. This is a unicast frame.
- Most of the frame contents are the same as in the Beacon frame, except that the Probe Response excludes the TIM (Traffic Indication Map) element, the QoS Capability element, the AP Channel Report element, the FMS Descriptor element and the HCCA TXOP Update Count element.
Authentication Frame
- Not to be confused with user authentication. The Authentication frame belongs to the Open System authentication method, which operates at the link level between the two stations.
- The client STA sends an Authentication Request (authentication sequence number 1) and the receiving AP responds with an Authentication Response (sequence number 2) carrying a status code.
- 802.11 Open System authentication merely establishes the initial connection between the client and the access point. It is effectively a null authentication: it confirms that the STA is a functioning 802.11 device but verifies nothing about its identity, which is why a real RSNA (PSK or 802.1X) has to follow association.
Association Frame
- Upon successful authentication, the client STA moves on by sending a unicast Association Request frame to the chosen AP.
- Like other management frames, it is typically transmitted at one of the basic (mandatory) data rates of the BSS, not at the client's highest supported rate.
- The DA/RA are set to the BSSID and the SA/TA are set to the MAC address of the client STA.
- The receiving AP first responds with an ACK frame. It then transmits an Association Response frame with a status code for the station. If the status is successful, the STA receives its Association ID for the BSS.
- The Association Response frame contains much the same elements as the Association Request, plus the Status Code field and the Association ID (AID) assigned by the AP to the STA.
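To make the address rules and frame layouts above concrete, here is a small decoder for the management frames exchanged during the join. It is an added example, not code from the CWAP book or the original post; the header and fixed-field layouts follow IEEE 802.11 Clause 8 (802.11-2012 numbering), while the SSID, MAC addresses and frames at the bottom are constructed test data rather than frames from a real capture. It shows the hidden-SSID contrast from the Beacon section (empty SSID element in the Beacon, full SSID in the directed Probe Request), the 100 TU beacon interval, the broadcast/wildcard addressing of a Probe Request versus the unicast Association Request, and how the capability elements reveal the client type.

```python
"""Decode the 802.11 management frames exchanged while joining a BSS.

Added example, not code from the CWAP book or the original post. The
24-byte header layout (Frame Control, Duration, Address 1-3, Sequence
Control), the subtype numbers and the per-subtype fixed fields follow
IEEE 802.11 Clause 8 (802.11-2012 numbering). The frames decoded at the
bottom are constructed test data with made-up MAC addresses, not frames
from a real capture.
"""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

SUBTYPES = {0: "Association Request", 1: "Association Response",
            2: "Reassociation Request", 3: "Reassociation Response",
            4: "Probe Request", 5: "Probe Response", 8: "Beacon",
            10: "Disassociation", 11: "Authentication",
            12: "Deauthentication", 13: "Action"}

# Bytes of fixed fields that precede the tagged elements, per subtype
FIXED_LEN = {0: 4,    # Capability Info(2) + Listen Interval(2)
             1: 6,    # Capability Info(2) + Status Code(2) + AID(2)
             2: 10,   # Capability(2) + Listen Interval(2) + Current AP Address(6)
             3: 6,    # as Association Response
             4: 0,    # Probe Request carries tagged elements only
             5: 12,   # Timestamp(8) + Beacon Interval(2) + Capability Info(2)
             8: 12,   # as Probe Response
             11: 6}   # Auth Algorithm(2) + Auth Seq(2) + Status Code(2)

ELEMENT_NAMES = {0: "SSID", 1: "Supported Rates", 45: "HT Capabilities",
                 48: "RSN", 191: "VHT Capabilities"}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_elements(data):
    """Yield (element_id, value) for the Tagged Parameters (ID, Length, Value ...)."""
    off = 0
    while off + 2 <= len(data):
        eid, ln = data[off], data[off + 1]
        yield eid, data[off + 2:off + 2 + ln]
        off += 2 + ln


def parse_mgmt(frame):
    """Return a dict describing one management frame (FCS already stripped)."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError(f"not a management frame (type {ftype})")
    body = frame[24:]
    fixed_len = FIXED_LEN.get(subtype, 0)
    elements = list(parse_elements(body[fixed_len:]))
    info = {"subtype": SUBTYPES.get(subtype, f"reserved({subtype})"),
            "da_ra": mac_str(frame[4:10]),     # Address 1: DA/RA
            "sa_ta": mac_str(frame[10:16]),    # Address 2: SA/TA
            "bssid": mac_str(frame[16:22]),    # Address 3: BSSID
            "fixed": body[:fixed_len],
            "elements": [ELEMENT_NAMES.get(e, e) for e, _ in elements]}
    if subtype in (5, 8):
        # Beacon Interval is in time units of 1024 us; 100 TUs is about 102.4 ms
        info["beacon_interval_ms"] = struct.unpack_from("<H", body, 8)[0] * 1024 / 1000
    for eid, val in elements:
        if eid == 0:
            # A hidden SSID is sent as an empty (zero-length or all-NUL) SSID element
            info["ssid"] = val.decode("utf-8", "replace") if val.strip(b"\x00") else ""
    return info


def client_type(info):
    """What the capability elements in a Probe/Association Request say about the radio."""
    if "VHT Capabilities" in info["elements"]:
        return "VHT (802.11ac)"
    if "HT Capabilities" in info["elements"]:
        return "HT (802.11n)"
    return "legacy (802.11a/b/g)"


def typical_addressing(info):
    """Address rules described above: a wildcard Probe Request goes to the broadcast
    DA with the wildcard BSSID; an Association Request is unicast to the BSSID."""
    bcast = mac_str(BROADCAST)
    if info["subtype"] == "Probe Request":
        return info["da_ra"] == bcast and info["bssid"] == bcast
    if info["subtype"] in ("Association Request", "Reassociation Request"):
        return info["da_ra"] == info["bssid"] and info["bssid"] != bcast
    return True


# --- constructed test frames (not from a real capture) ---
def build_mgmt(subtype, da, sa, bssid, fixed=b"", elements=b""):
    fc = subtype << 4                           # type 0 (management), no flags
    return struct.pack("<HH", fc, 0) + da + sa + bssid + struct.pack("<H", 0) + fixed + elements


def element(eid, value):
    return bytes([eid, len(value)]) + value


STA = bytes.fromhex("021122334455")
AP = bytes.fromhex("00aabbccddee")
RATES = bytes([0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24])   # 1,2,5.5,11 basic; 6,9,12,18

# Directed Probe Request: the hidden network's name is sent in the clear, from an HT client
PROBE_REQ = build_mgmt(4, BROADCAST, STA, BROADCAST,
                       elements=element(0, b"CorpWiFi") + element(1, RATES) + element(45, bytes(26)))
# Beacon of the same hidden network: beacon interval 100 TUs, SSID element empty
BEACON_HIDDEN = build_mgmt(8, BROADCAST, AP, AP, fixed=struct.pack("<QHH", 0, 100, 0x0431),
                           elements=element(0, b"") + element(1, RATES))
# Association Request: unicast to the BSSID; Capability Info and Listen Interval precede the elements
ASSOC_REQ = build_mgmt(0, AP, STA, AP, fixed=struct.pack("<HH", 0x0431, 10),
                       elements=element(0, b"CorpWiFi") + element(1, RATES) + element(45, bytes(26)))

if __name__ == "__main__":
    for f in (PROBE_REQ, BEACON_HIDDEN, ASSOC_REQ):
        i = parse_mgmt(f)
        print(i["subtype"], i["da_ra"], "->", i["bssid"], "SSID:", repr(i["ssid"]), client_type(i))
```

Feed it the body of any management frame from a capture (radiotap header and FCS removed) and compare the `da_ra`/`bssid` pairs with the rules in the bullets above; a Probe Request that fails `typical_addressing` is a directed probe for a specific BSSID, which is normal but worth noting when you are looking for a particular client.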
802.11 Security
The Authentication/Association frames are exchanged before any security frames. The 802.11 standard (originally the 802.11i amendment) defines this security as a Robust Security Network (RSN); the resulting association is called an RSNA.
PSK (Pre-Shared Key) Authentication
- The client STA learns the AP's security policy from the RSN element (RSNE) carried in the Beacon and Probe Response frames, and states its own choice of cipher suite and AKM in the RSNE of its Association Request. PSK is the most common method used for home networks.
- Once the STA knows the AP's security policy it selects one of the advertised options. With PSK the Pairwise Master Key (PMK) is the PSK itself (derived from the passphrase and SSID with PBKDF2). From the PMK a Pairwise Transient Key (PTK) is derived during the 4-Way Handshake. In this scenario the AP takes the Authenticator role and the station is the Supplicant.
- Next, the 4-Way Handshake is carried out using EAPOL-Key frames. When the handshake completes successfully both sides install the temporal keys, the AP unblocks the controlled port and the STA can pass encrypted data through the BSS.
4 Way Handshake
The RSNA process uses EAPOL (EAP over LAN) Key frames to form the 4-Way Handshake. It is used with both PSK and 802.1X authentication; with 802.1X, the 4-Way Handshake occurs after EAP authentication has produced the PMK. EAP can be implemented as certificate-based authentication, a challenge-based method or other methods.
The 4-Way Handshake uses a PRF (pseudorandom function) that hashes several inputs to derive key material. The Supplicant (client STA) and the Authenticator (AP/WLAN controller) each derive the same PTK (Pairwise Transient Key) from the PMK (Pairwise Master Key). The nonces are not derived from the PTK: each side generates its own random nonce, the SNonce at the supplicant and the ANonce at the authenticator, and both nonces are inputs to the PTK derivation.
The Authenticator also holds the Group Master Key (GMK), from which it derives the Group Temporal Key (GTK) used for broadcast and multicast traffic.
PTK = PRF(PMK, "Pairwise key expansion", Min(AA, SPA) || Max(AA, SPA) || Min(ANonce, SNonce) || Max(ANonce, SNonce)), where AA is the Authenticator (AP) MAC address and SPA the Supplicant (STA) MAC address. The PTK is then split into the KCK (used for the EAPOL-Key MIC), the KEK (used to wrap the GTK in M3) and the TK (the pairwise temporal key that encrypts data).
M1 – Message 1
- The Authenticator (AP/WLC) sends an EAPOL-Key frame containing the ANonce to the Supplicant (client STA). This frame carries no MIC.
- With the ANonce, its own SNonce and the PMK, the client STA has all the inputs needed to generate the PTK using the PRF.
M2 – Message 2
- The client STA (Supplicant) sends an EAPOL-Key frame containing the SNonce, its RSNE and a MIC computed with the KCK to the Authenticator (AP/WLC).
- The Authenticator now has all the inputs to derive the PTK.
M3 – Message 3
- The Authenticator derives the PTK from the ANonce and SNonce and verifies the MIC on M2 with its KCK. If the MIC does not verify (for example because the STA used the wrong passphrase), M2 is discarded and M3 is never sent; in a capture this shows up as repeated M1/M2 pairs, usually followed by a Deauthentication with reason code 15 (4-Way Handshake timeout).
- The Authenticator sends M3 containing the ANonce again, its RSNE, a MIC and the GTK, the latter encrypted with the KEK in the Key Data field, with the Install bit set.
M4 – Message 4
- The Supplicant sends the final EAPOL-Key frame (with MIC) to the Authenticator to confirm that the temporal keys have been installed; from here on both sides protect data frames with the TK.
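The PSK section and the handshake messages above can be replayed in a few dozen lines. The following is an added example, not code from the CWAP book or the original post: it implements the PBKDF2 passphrase-to-PSK mapping, the PRF-384 PTK derivation with the Min/Max ordering of addresses and nonces, the EAPOL-Key frame layout, the HMAC-SHA1-128 MIC of Key Descriptor Version 2 (AKM 00-0F-AC:2 with CCMP), and the PMKID that the PMK-caching section later refers to. The SSID, passphrases, MAC addresses and nonces are constructed; the one real test value is the IEEE 802.11i Annex H PBKDF2 vector ("password"/"IEEE"). Running M1 and M2 with mismatched passphrases shows exactly the failure mode described under M3: the authenticator's MIC check fails and M3 never follows.

```python
"""Replay the key derivation behind the WPA2-Personal 4-Way Handshake.

Added example, not code from the CWAP book or the original post. The
algorithms are those of IEEE 802.11 for AKM 00-0F-AC:2 (PSK) with CCMP:
PBKDF2-HMAC-SHA1 maps passphrase and SSID to the PSK/PMK, PRF-384 derives
the PTK, HMAC-SHA1-128 protects EAPOL-Key frames (Key Descriptor Version 2),
and HMAC-SHA1-128 also names the PMKSA (PMKID). SSID, passphrases, MAC
addresses and nonces below are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct


def passphrase_to_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    With PSK authentication this 32-byte value is the PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    For CCMP the 48 bytes split into KCK (MIC key), KEK (wraps the GTK) and TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the identifier a STA
    puts in its (Re)Association Request RSNE to ask the AP to reuse a cached PMKSA."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


# EAPOL-Key layout: 802.1X hdr(4) | Desc Type(1) | Key Info(2) | Key Len(2) | Replay(8) |
#                   Nonce(32) | Key IV(16) | Key RSC(8) | reserved(8) | MIC(16) | Key Data Len(2) | Key Data
NONCE_OFFSET, MIC_OFFSET = 17, 81
KEY_INFO_M1 = 0x008A   # descriptor version 2 (HMAC-SHA1-128 / AES key wrap), Pairwise, Ack
KEY_INFO_M2 = 0x010A   # descriptor version 2, Pairwise, MIC present


def eapol_key_frame(key_info, replay_counter, nonce, key_data=b"", mic=bytes(16)):
    desc = struct.pack(">BHHQ", 2, key_info, 16, replay_counter) + nonce   # type 2 = RSN Key Descriptor
    desc += bytes(16) + bytes(8) + bytes(8) + mic + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(desc)) + desc   # 802.1X version 2, packet type 3 (EAPOL-Key)


def compute_mic(kck, frame):
    """MIC = HMAC-SHA1(KCK, EAPOL frame with the MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def handshake_m1_m2(ap_passphrase, sta_passphrase, ssid, aa, spa, anonce=None, snonce=None):
    """Run M1 and M2 and return the authenticator's verdict on the M2 MIC.
    True: both sides derived the same PTK and M3 would follow. False: what a wrong
    passphrase looks like on the air, M2 is dropped and M1 is retransmitted instead."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    m1 = eapol_key_frame(KEY_INFO_M1, 1, anonce)                  # M1: ANonce, no MIC
    rx_anonce = m1[NONCE_OFFSET:NONCE_OFFSET + 32]                # supplicant reads ANonce from M1
    kck_s, _, _ = derive_ptk(passphrase_to_psk(sta_passphrase, ssid), aa, spa, rx_anonce, snonce)
    sta_rsne = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
    m2 = eapol_key_frame(KEY_INFO_M2, 1, snonce, key_data=sta_rsne)  # M2: SNonce + RSNE + MIC
    m2 = m2[:MIC_OFFSET] + compute_mic(kck_s, m2) + m2[MIC_OFFSET + 16:]
    rx_snonce = m2[NONCE_OFFSET:NONCE_OFFSET + 32]                # authenticator reads SNonce from M2
    kck_a, _, _ = derive_ptk(passphrase_to_psk(ap_passphrase, ssid), aa, spa, anonce, rx_snonce)
    return hmac.compare_digest(compute_mic(kck_a, m2), m2[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    aa, spa = bytes.fromhex("00aabbccddee"), bytes.fromhex("021122334455")   # made-up AP / STA MACs
    print("PMKID:", pmkid(passphrase_to_psk("correct horse", "CorpWiFi"), aa, spa).hex())
    print("right passphrase:", handshake_m1_m2("correct horse", "correct horse", "CorpWiFi", aa, spa))
    print("wrong passphrase:", handshake_m1_m2("correct horse", "Correct horse", "CorpWiFi", aa, spa))
```

Because everything needed to recompute the M2 MIC (both MAC addresses, both nonces, the SSID) is sent in the clear, a captured M1/M2 pair is enough to test passphrase guesses offline; that is why the passphrase strength, not the handshake itself, is the security boundary of WPA2-Personal.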
802.1X EAP Exchanges
802.1X RSNA has 3 roles involved.
- Supplicant (Client STA)
- Authenticator (AP/WLAN Controller)
- Authentication Server (Radius/NPS/ISE etc..)
The 802.1X frame exchange begins after the 802.11 state machine. Following a successful Association Response from the AP, the 802.1X process starts with the controlled port blocked. Captures for 802.1X can be taken either on the wireless side, between Supplicant and Authenticator (EAPOL frames), or on the wired side, between Authenticator and Authentication Server (RADIUS).
EAP messages are exchanged between the Supplicant and the Authentication Server through the Authenticator's uncontrolled port, which passes only EAPOL traffic. Over the 802.11 medium the 802.1X EAP messages are carried as Data frames (EAPOL, EtherType 0x888E). The Supplicant and Authentication Server must be configured to use the same EAP type.
The outer EAP method is proposed by the authentication server; the station either accepts it or proposes an alternative (EAP NAK). Once the method is selected, the server presents its certificate to the client STA, which should validate it, and the certificate is used to build an encrypted TLS tunnel. Inside that tunnel the station and authentication server run an inner authentication method (e.g. MSCHAPv2, GTC or a client certificate) to authenticate the user; the tunnel, not the inner method, provides the encryption.
After exchanging identities and certificates, selecting the outer and inner EAP methods and authenticating the user, the final EAP frame is either EAP-Success or EAP-Failure. On EAP-Success both sides hold the PMK and the 4-Way Handshake begins.
802.11 Roaming
An AP that is part of an extended service set (ESS) allows a client STA previously connected to another AP in the same ESS to reassociate to it. The client STA decides which metrics drive its roaming decision, such as RSSI, SNR and others.
When an authenticated client STA moves away from its current AP towards a new AP, it begins the 802.11 Open System authentication exchange with the new AP but, instead of an Association Request, sends a unicast Reassociation Request frame to the target AP. In the Reassociation Request the STA populates the Current AP Address field with the MAC address of the AP it is currently associated to.
Pre-FT (pre-802.11r) Fast Secure Roaming Mechanisms
Prior to the 802.11r amendment (ratified in 2008), preauthentication and PMK caching were the two methods that helped client STAs roam securely.
Preauthentication >
- A method in which a client STA authenticates with additional APs before roaming to them, while still associated to its current AP. The access points must be in the same ESS and advertise preauthentication support in their Beacon frames.
- Visible in a frame capture under RSN Information tag > RSN Capabilities; the Preauthentication bit is set to 1 if the AP supports it.
- Preauthentication works by allowing the STA to establish an RSNA with an AP prior to attempting reassociation with it. The 802.1X exchange is carried over the DS via the current AP; when it completes successfully, the result is a PMKSA cached at the target AP that can be used when the STA roams there.
- Preauthentication does not help if the PMKSA at the target AP has expired; the STA must then undergo a complete 802.1X authentication when it roams.
PMK Caching >
- The STA and the original AP maintain a PMKSA for some time before it expires. During this time the STA can roam to a target AP, where it establishes a new PMKSA through a full 802.1X exchange.
- If the STA then roams back to its original AP and the cached PMKSA is still valid, it performs Open System authentication and sends a Reassociation Request whose RSNE includes the PMKID identifying that PMKSA.
- With PMK caching the PMKSA (identified by its PMKID) is cached on the AP after the STA's first association. On roaming back, the AP recognises the PMKID, skips the 802.1X EAP exchange and moves straight to the 4-Way Handshake.
- Preauthentication, by contrast, creates a PMKSA that is stored on the target AP before the roam, so the station can skip the EAP exchange the first time it roams to that AP.
Neither method scales well in large deployments: each AP must hold a PMKSA for every station that might roam to it, and preauthentication requires a full 802.1X exchange with every candidate AP.
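The security-policy discovery in the PSK section, the Preauthentication bit in RSN Capabilities and the PMKID in the Reassociation Request all live in one structure, the RSN element. The decoder below is an added example, not code from the CWAP book or the original post; the field layout, the 00-0F-AC suite selectors and the RSN Capabilities bit positions follow IEEE 802.11 Clause 8.4.2.27 (802.11-2012 numbering). The three RSNE byte strings are constructed for illustration, not taken from a live capture: an AP Beacon RSNE advertising 802.1X with preauthentication, a STA Reassociation Request RSNE carrying a PMKID for a cached PMKSA, and a mixed-mode WPA2-Personal RSNE that an assessor would flag.

```python
"""Decode the RSN element (RSNE, element ID 48) that an AP advertises in its
Beacon and Probe Response and that a STA echoes in its (Re)Association Request.

Added example, not code from the CWAP book or the original post. The field
layout, the 00-0F-AC suite selectors and the RSN Capabilities bits follow
IEEE 802.11 Clause 8.4.2.27 (802.11-2012 numbering). The three RSNE byte
strings at the bottom are constructed for illustration, not taken from a
live capture.
"""
import struct

OUI_IEEE = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE",
        12: "802.1X-SuiteB-192", 13: "FT-802.1X-SHA384", 18: "OWE"}


def suite_name(selector, table):
    oui, typ = selector[:3], selector[3]
    if oui != OUI_IEEE:
        return f"vendor-{oui.hex()}:{typ}"
    return table.get(typ, f"reserved({typ})")


def parse_rsne(elem):
    """elem is the full element: ID (0x30), Length, then the body.
    Every field after Version is optional, so the body may legitimately end early."""
    if len(elem) < 2 or elem[0] != 48:
        raise ValueError("not an RSN element")
    body = elem[2:2 + elem[1]]
    if len(body) != elem[1] or len(body) < 2:
        raise ValueError("truncated RSNE")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            return None
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def take_list(size, count_raw):
        if count_raw is None:
            return None
        items = [take(size) for _ in range(struct.unpack("<H", count_raw)[0])]
        if any(i is None for i in items):
            raise ValueError("RSNE list shorter than its count field")
        return items

    out = {"version": struct.unpack("<H", take(2))[0]}
    grp = take(4)
    out["group_cipher"] = suite_name(grp, CIPHERS) if grp else None
    pairwise = take_list(4, take(2))
    out["pairwise_ciphers"] = [suite_name(s, CIPHERS) for s in pairwise] if pairwise is not None else None
    akms = take_list(4, take(2))
    out["akm_suites"] = [suite_name(s, AKMS) for s in akms] if akms is not None else None
    caps = take(2)
    if caps is not None:
        c = struct.unpack("<H", caps)[0]
        out["rsn_capabilities"] = {
            "preauthentication": bool(c & 0x0001),   # bit 0: the Preauthentication bit
            "no_pairwise": bool(c & 0x0002),
            "mfp_required": bool(c & 0x0040),        # bit 6
            "mfp_capable": bool(c & 0x0080),         # bit 7
        }
    pmkids = take_list(16, take(2))
    if pmkids is not None:
        out["pmkids"] = [p.hex() for p in pmkids]    # present when a STA asks to reuse a PMKSA
    gmc = take(4)
    if gmc is not None:
        out["group_mgmt_cipher"] = suite_name(gmc, CIPHERS)
    return out


def policy_warnings(rsne):
    """Points an assessor would flag in the advertised security policy."""
    warn = []
    ciphers = (rsne.get("pairwise_ciphers") or []) + [rsne.get("group_cipher")]
    if any(c and c.startswith(("TKIP", "WEP")) for c in ciphers):
        warn.append("legacy cipher (TKIP/WEP) allowed")
    if any(a in ("PSK", "PSK-SHA256", "FT-PSK") for a in rsne.get("akm_suites") or []):
        warn.append("PSK: a captured 4-Way Handshake enables offline passphrase guessing")
    if not rsne.get("rsn_capabilities", {}).get("mfp_capable"):
        warn.append("no Management Frame Protection: spoofed deauth/disassoc accepted")
    return warn


# --- constructed RSNEs (not from a live capture) ---
# AP Beacon: CCMP group and pairwise, 802.1X AKM, RSN Capabilities with Preauthentication set
AP_RSNE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0100")
# STA Reassociation Request: same policy, capabilities 0, one PMKID for a cached PMKSA
STA_RSNE = bytes.fromhex("3026" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000"
                         "0100" "1f2e3d4c5b6a79880011223344556677")
# Mixed-mode WPA2-Personal: TKIP group, TKIP + CCMP pairwise, PSK, no MFP
LEGACY_RSNE = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac02" "000fac04" "0100" "000fac02" "0000")

if __name__ == "__main__":
    for name, raw in (("AP beacon", AP_RSNE), ("STA reassoc", STA_RSNE), ("legacy AP", LEGACY_RSNE)):
        parsed = parse_rsne(raw)
        print(name, parsed, policy_warnings(parsed))
```

In Wireshark the same fields appear under Tagged parameters > RSN Information; the PMKID list only shows up in the STA's (Re)Association Request RSNE, so its presence in a roaming capture tells you the client is attempting PMK caching or preauthentication rather than a full 802.1X exchange.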
Fast Secure Roaming Transition
A client STA roaming from its current AP to another AP may use the FT protocol (802.11r Fast BSS Transition). It can do so using one of two methods.
- Over-the-Air
- Over-the-DS
Over-the-Air FT
- M1 – The client STA transmits an Authentication Request frame to the target AP, with the Authentication Algorithm set to Fast BSS Transition rather than Open System.
- M2 – The target AP transmits an Authentication Response frame to the client.
- M3 – The client STA transmits a Reassociation Request frame to the target AP. The frame contains the Fast BSS Transition element (FTE).
- M4 – The target AP transmits a Reassociation Response frame containing a status code; if successful, the client STA has transitioned to the target AP.
- In the Mobility Domain element (Management Frames > Mobility Domain tag) the Fast BSS Transition over DS capability bit is set to 0.
- With OTA FT the STA communicates directly with the target AP, hence the Authentication Request frames have the destination address of the target AP.
Over-the-DS FT
- Looks similar to Over-the-Air. The main difference is that with Over-the-DS the station communicates with the target AP through its currently associated AP.
- M1 – The client STA sends an FT Request Action frame to the current AP with the Target AP Address field set to the target AP's BSSID.
- M2 – The target AP's FT Response Action frame is relayed back to the client STA through the current AP.
- M3 – The client STA sends a Reassociation Request frame to the target AP over the air.
- M4 – The target AP responds with a Reassociation Response frame to the client STA. If the frame carries a successful status code, the station has transitioned to the target AP.
- The main difference compared to OTA FT is that in OTD the station initiates FT with a Fast BSS Transition Action Request frame whose destination address is the currently associated AP. Inside the FT Action Request body, the STA Address field carries the originating station's MAC address and the Target AP Address field carries the target AP's BSSID.
Roaming Analysis
- To capture frames pertaining to roaming, multiple adapters must be used (one per channel involved), and the analysis software should support channel aggregation so the captures can be merged in time order. When the STA roams, the capture tools must physically follow the STA for an accurate capture.
Improvements in FT
- Radio measurements allow a station to better understand its radio environment. One such measurement is the Neighbor Report: the client STA sends a Neighbor Report Request to its AP, and the AP returns information about the neighbor APs it knows. The station uses this list as its set of roaming candidates instead of scanning every channel.
- Taken from 802.11k (RRM), this is a two-frame exchange between a station and its associated AP. The client STA sends a unicast Action management frame to its associated AP requesting a Neighbor Report for the indicated SSID.
- The AP responds to the client STA with a unicast Action management frame carrying the Neighbor Report Response, a list of neighboring APs with their BSSIDs and operating channels.
Troubleshooting Roaming Issues
- Sticky Clients >
- As clients move away from their associated AP without roaming, they dynamically shift to lower data rates, consuming more airtime for the same amount of traffic.
- Capturing frames near the sticky client is the best location for troubleshooting.
- Excessive Roaming >
- On the other side of sticky clients are clients that roam unnecessarily. Since clients make their own roaming decisions, troubleshooting close to the client is the best way to resolve excessive roaming.