This is the landing page for all the wireless related posts on my blog. The majority of the content relates to my study for wireless related certifications like CWNP. The name ‘It Depends!’ was chosen because it is the majority of the answers or responses to wireless queries.
This blog post will focus on certain aspects of Wireshark frames which can be used for analyzing and troubleshooting Wi-Fi issues. I recommend downloading the MetaGeek color filters and applying them to your Wireshark for filtering specific frame types with colorization applied.
You can read more about applying the color filters here.
- In pcaps, SSIDs can be found in Management frames, specifically Beacon frames.
- Beacon frames have a purple color applied by default. The SSID column shows the SSID name.
- However, for a hidden SSID you will notice the SSID length is zero and the field is shown as Wildcard SSID.
- Certain vendors include the device name in the "Vendor Specific" tags under Tagged parameters.
- The BSSID is the radio MAC address associated with each SSID. It is derived from the AP's base radio MAC address.
- Each advertised SSID will have a different BSSID even if they are transmitted from the same AP.
- When a device reports 3x3:3 MIMO, it has 3 transmit chains, 3 receive chains and 3 spatial streams, in that order.
- The spatial streams supported by a client STA can be found in all the management request frames, such as Probe Request, Association Request or Reassociation Request.
- The spatial streams supported by an AP can be found in Beacon and response frames, such as Probe Response, Association Response and Reassociation Response.
- Depending on the PHY, this is shown in the MCS set under the HT or VHT Capabilities information.
Power Save & Traffic Buffer
- SM Power Save (Spatial Multiplexing Power Save) allows the AP to save power. This can be seen in the HT/VHT Capabilities of Association/Reassociation Request frames.
- Power save modes in HT:
- 0 - Static, 1 - Dynamic, 2 - Reserved, 3 - Disabled
- In HT frames this information can be found under HT Capabilities Info, as outlined below.
- In VHT frames this information is shown under TXOP PS. The AP needs to support TXOP power save for 802.11 stations to enter that mode.
- Power save modes in VHT: indicates whether a VHT AP allows non-AP VHT STAs in TXOP power save mode to enter the sleep state during a TXOP.
- 0 indicates the AP does not support TXOP PS mode.
- 1 indicates the AP supports TXOP PS mode.
- A client STA uses the "Listen Interval" field to inform the AP that it is going into power save mode. An AP uses the listen interval in determining the lifespan of frames that will be buffered for the STA.
- In the Association Request frame below, the listen interval is 0x0014, i.e. 20 beacon intervals, which is the wake-up time for the client.
Supported Data Rates
- A standard WLAN best practice to improve performance is to disable lower data rates on the AP. This helps increase overall capacity by eliminating the overhead caused by management frames sent out at the lowest configured basic data rate.
- To determine the data rates supported by a client, the best place to look is Probe Request frames (subtype 0x4).
- Probe Response frames show the data rates supported by the AP.
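As an added example (not code from the original post), the following Python decodes the fields discussed above from hand-constructed management-frame bodies: SSID and hidden (wildcard) SSID, supported and basic data rates, the HT Capabilities MCS set to count spatial streams, the SM Power Save bits, the Vendor Specific OUI, and the Listen Interval of an Association Request. The frame bytes are constructed for the example, not taken from a capture.

```python
"""Decode 802.11 management-frame fields the way a Wireshark user reads them.

Added example, not from the original post. The frame bodies below are
constructed by hand (no capture needed) and cover the fields discussed:
SSID and hidden SSID, supported/basic rates, HT Capabilities (SM Power Save
and spatial streams from the MCS set), vendor-specific tags and the Listen
Interval of an Association Request.
"""
from __future__ import annotations

import struct

# Standard 802.11 element (tag) IDs used here.
IE_SSID, IE_SUPPORTED_RATES, IE_HT_CAP, IE_EXT_RATES, IE_VENDOR = 0, 1, 45, 50, 221
# SM Power Save field (HT Capabilities Info bits 2-3).
SM_POWER_SAVE = {0: "Static", 1: "Dynamic", 2: "Reserved", 3: "Disabled"}


def parse_ies(blob: bytes) -> list[tuple[int, bytes]]:
    """Split tagged parameters into (id, value) pairs; stop at a truncated tag."""
    ies, i = [], 0
    while i + 2 <= len(blob):
        ie_id, ie_len = blob[i], blob[i + 1]
        if i + 2 + ie_len > len(blob):
            break  # truncated element: do not read past the buffer
        ies.append((ie_id, blob[i + 2 : i + 2 + ie_len]))
        i += 2 + ie_len
    return ies


def parse_rates(ies: list[tuple[int, bytes]]) -> tuple[list[float], list[float]]:
    """Return (supported, basic) rates in Mbps; bit 7 marks a basic (mandatory) rate."""
    supported, basic = [], []
    for ie_id, val in ies:
        if ie_id in (IE_SUPPORTED_RATES, IE_EXT_RATES):
            for b in val:
                rate = (b & 0x7F) / 2  # encoded in units of 500 kbps
                supported.append(rate)
                if b & 0x80:
                    basic.append(rate)
    return supported, basic


def parse_ht_cap(val: bytes) -> dict:
    """SM Power Save from HT Capabilities Info; Rx spatial streams from the MCS set."""
    cap_info = struct.unpack_from("<H", val, 0)[0]
    rx_mcs_mask = val[3:13]  # follows Capabilities Info (2) and A-MPDU Parameters (1)
    # MCS 0-7, 8-15, 16-23, 24-31 each need one more spatial stream; a fully set
    # byte in the mask therefore means one supported Rx stream.
    streams = sum(1 for b in rx_mcs_mask[:4] if b == 0xFF)
    return {"sm_power_save": SM_POWER_SAVE[(cap_info >> 2) & 0x3], "rx_streams": streams}


def parse_beacon(body: bytes) -> dict:
    """Beacon/Probe Response body: Timestamp(8), Beacon Interval(2), Capability(2), tags."""
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    ies = parse_ies(body[12:])
    info = {"beacon_interval_tu": interval, "capability": capability,
            "ssid": None, "hidden": False, "vendor_ouis": [], "ht": None}
    for ie_id, val in ies:
        if ie_id == IE_SSID:
            info["hidden"] = len(val) == 0  # wildcard SSID: zero-length element
            info["ssid"] = val.decode("utf-8", "replace") if val else None
        elif ie_id == IE_HT_CAP and len(val) >= 13:
            info["ht"] = parse_ht_cap(val)
        elif ie_id == IE_VENDOR and len(val) >= 3:
            info["vendor_ouis"].append(val[:3].hex(":"))
    info["rates"], info["basic_rates"] = parse_rates(ies)
    return info


def parse_assoc_listen_interval(body: bytes) -> int:
    """Association Request body: Capability(2) then Listen Interval(2), in beacon intervals."""
    return struct.unpack_from("<H", body, 2)[0]


def ie(ie_id: int, val: bytes) -> bytes:
    """Encode one element as id, length, value."""
    return bytes([ie_id, len(val)]) + val


# Constructed sample frames (not from a real capture). HT Capabilities: SM Power
# Save = 3 (Disabled), Rx MCS 0-23 set (3 spatial streams), 26 bytes in total.
HT_CAP_3SS = struct.pack("<H", 0x000C) + b"\x17" + b"\xff\xff\xff" + b"\x00" * 20
RATES = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])  # 1,2,5.5,11 basic; 6,9,12,18
BEACON = (struct.pack("<QHH", 0, 100, 0x0411)
          + ie(IE_SSID, b"ItDepends") + ie(IE_SUPPORTED_RATES, RATES)
          + ie(IE_HT_CAP, HT_CAP_3SS)
          + ie(IE_VENDOR, bytes.fromhex("0050f2") + b"\x02\x01\x01"))
HIDDEN_BEACON = struct.pack("<QHH", 0, 100, 0x0411) + ie(IE_SSID, b"") + ie(IE_HT_CAP, HT_CAP_3SS)
ASSOC_REQ = struct.pack("<HH", 0x0411, 0x0014) + ie(IE_SSID, b"ItDepends")  # listen interval 20

if __name__ == "__main__":
    print(parse_beacon(BEACON))
    print(parse_beacon(HIDDEN_BEACON))
    print("listen interval:", parse_assoc_listen_interval(ASSOC_REQ))
```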
CWAP-403 covers this topic under the 802.11 Frame Exchanges section. I've found this topic a bit hard to grasp. I have attempted to read the CWAP-403 study guide but honestly I could not get closer to fully grasping the topic. Much of the explanation in that book is a direct copy/paste from standards documents. There is not much of an attempt made to break it down and help us understand the topic better. I've attempted to find certain whitepapers to get a deeper understanding. Hope you find it useful.
1.0 Analyse HT/VHT-specific transmission methods
1.0.2 Transmit Beamforming (TxBF)
1.0.4 Frame aggregation (A-MSDU and A-MPDU)
- Introduced in 802.11n and also used in 802.11ac Wave 1.
- Allows the AP to multiply throughput through the use of multiple antennas.
- The AP sends traffic to one client at a time and the airtime is shared between the clients.
- TxBF - Transmit Beamforming - allows a MIMO Tx (transmitter) using multiple antennas to focus the transmission on the best path to the Rx (receiver).
- STBC - Space-Time Block Code - a technique to improve the reliability of the data transfer by transmitting redundant copies of the data stream from different antennas.
- Spatial Multiplexing - sending multiple independent streams of unique data using spatial diversity.
Transmit Beam Forming (TxBF)
- Use of multiple antennas to transmit a signal strategically with varying phases, thereby increasing the overall throughput towards the receiver.
- The increased power improves SNR and data rates for those receiver devices.
- TxBF is most effective for medium range transmissions. At short range there is already enough power to support the maximum data rates; beamforming helps at longer range by extending the range and so improving the data rates.
- Beamforming uses multiple antenna arrays to change the transmission pattern of the AP on the fly, on a per-frame basis.
- The device transmitting the frames is called the beamformer and the one receiving them is called the beamformee. Both the AP and the client STA can be the beamformer or beamformee, depending on the direction of the exchange.
- Example: an AP communicating with a client laptop.
- The AP begins by exchanging frames to measure the channel.
- The channel measurement is used to derive the "steering matrix", which determines how to direct the transmission to the receiver.
- Once this process is completed, the AP is the beamformer and begins transmission.
- After the transmission is completed, the laptop acknowledges the frames, which makes it the beamformer and the AP the beamformee.
Null Data Packet (NDP Sounding) Beamforming
- Before 802.11n, all beamforming techniques were proprietary, resulting in low usage.
- In 802.11ac, the IEEE mandated NDP sounding as the beamforming method to be used for explicit feedback.
- Many factors come into play when steering the beams, hence a channel calibration procedure (sounding) is required.
- 802.11ac uses multi-carrier OFDM; the analysis allows weak paths to be avoided and strong paths to be taken advantage of.
- STEP 1: The transmitter (typically the AP) sends an NDP Announcement frame identifying the AP and the target recipients.
- STEP 2: The transmitter sends the NDP to the target recipients.
- STEP 3: Each target receiver uses the preamble in the NDP to measure the RF channel properties and returns the measurements as a compressed beamforming steering matrix to the transmitter.
- STEP 4: The transmitter uses the data from all the recipients.
- STEP 5: The beamformee analyses the training fields in the NDP and calculates the feedback matrix.
- STEP 6: The beamformer receives the feedback matrix in a CBF (Compressed Beamforming frame) and calculates the steering matrix to direct transmissions toward the beamformee.
- The NDP generally does not show up in a pcap because it only has a PLCP preamble and no MAC header. Packets of this nature are not decodable by sniffer tools.
- MU-MIMO: access points which are capable of simultaneously transmitting data to multiple groups of devices.
- The 802.11ac standard specifies that up to 4 different groups can be formed by the AP during a single transmission.
- An elaborated version of the SU-MIMO channel sounding process is used to achieve the beamforming for MU-MIMO transmissions.
- The key distinction is that the MU-MIMO beamformer requires a response from all beamformees in order to conclude channel sounding.
- Each client sends response packets along with channel state information in the form of a feedback matrix, as discussed before.
- The beamformer uses the feedback matrices to form a steering matrix for the beamformees.
CBF (Compressed Beamforming Feedback)
- An 802.11 action frame which contains the channel matrix specifying the channel state information for each client. The CBF is the largest contributor to the overhead caused by MU-MIMO transmission, and its size is determined by 3 factors:
- channel width, number of radio chain pairs and bit count of each CSI unit.
- Spatial Division Multiplexing (SDM) was first introduced with 802.11n and became Spatial Division Multiple Access (SDMA) with 802.11ac (MU-MIMO).
- In spatial multiplexing the same information is placed across two or more available antennas in an AP/client STA.
- There is no channel sounding procedure to determine the optimal phase of the spatial streams.
Frame Aggregation (A-MSDU and A-MPDU)
- Introduced for improvements in QoS transmissions in 802.11e and used in HT/VHT transmissions as well; first seen in 802.11n transmissions.
- Increases throughput by sending multiple MSDUs in a single transmission.
- The reduction of fixed MAC-layer overhead improves throughput; the odds of collision and the overhead caused by the random backoff timer during medium contention are also minimized.
- The upper-layer payload handed to the 802.11 MAC layer is called the MSDU.
- A-MSDU is a method by which an AP receives multiple 802.3 frames for transmission to a wireless client STA as efficiently as possible.
- This is done by removing the 802.3 headers and trailers and then encapsulating the multiple MSDU payloads into a single 802.11 frame for transmission to the client STA.
- If encryption is enabled, all MSDUs are encrypted together as a single payload.
- The A-MSDU serves as one packet as it is passed down from the higher layers to the MAC sublayer. The CRC is calculated for the whole A-MSDU as if it were a regular data frame, so if an A-MSDU transmission fails the entire A-MSDU must be retransmitted, reducing its efficiency.
- An A-MSDU contains only MSDUs whose DA/SA values map to the same RA/TA values. It can contain MSDUs which are potentially from different sources as long as they have the same traffic identifier (TID).
- A-MPDU has a similar goal to that of A-MSDU.
- The data payload of each MPDU is encrypted separately.
- MPDU aggregation has more overhead than A-MSDU, as each MPDU has an individual MAC header and trailer.
- If retransmission is required, only the individual MPDU is retransmitted.
- Including A-MSDUs as part of an A-MPDU is more efficient than using A-MPDU alone; the inclusion results in fewer CRC errors.
Exam specific only, as I've outlined another post on this topic here.
1. Spectrum Analysis – 15%
1.1 Capture RF spectrum data and understand the common views available in spectrum analyzers
1.1.1 Install, configure and use spectrum analysis software and hardware
Configure Wi-Fi integration
Save and export capture data
1.1.2 Capture RF spectrum data using handheld, laptop-based and infrastructure spectrum capture solutions
1.1.3 Understand and use spectrum analyzer views
Waterfall, swept spectrogram, density and historic views
Utilization and duty cycle
WLAN integration views
- Since 802.11 communication involves both layer 1 and layer 2, most of the time we have to inspect the environment at layer 1 (PHY) as well.
- Because Wi-Fi uses an unbounded medium, potential interference sources often have to be identified.
- Non-802.11 device signals do not comply with the medium contention standards and often cause intentional or accidental disruptions.
- Adding spectrum analysis alongside packet analysis in the investigation process allows a better understanding of what is going on in the WLAN environment.
Overcoming non-Wi-Fi interference, summarised
- Locate the offending devices and remove them if possible.
- Change channels, frequency bands.
- Shield the noise, move the Wi-Fi devices away from noise.
- Increase the Tx Power, Use directional antenna if needed.
Capturing Data and using Spectrum Analysis
- Standard WLAN adapters in client devices are not capable of capturing layer 1 RF energy.
- Specialised radios might need additional software to interpret the capture.
- AP doing spectrum analysis cannot perform normal AP functions during the use.
Install, Configure and Use Spectrum Analysis Tools
- Used for capturing RF signals from 802.11 and non-802.11 sources/devices.
- There are some dedicated devices for undertaking this, and also some which only work on laptops, tablets etc.
- Some devices used PCMCIA cards back in the day; these have now been replaced with USB connectors.
- Most of these devices use an omnidirectional antenna, so one may need to turn about to find the direction in which the noise source is located.
- It is suggested to use spectrum analysis adapters which scan both the 2.4 GHz and 5 GHz spectrum.
- Some spectrum analysers are able to sweep the bands faster than others, offering the ability to scan for a user-defined duration in their sweeps, reading the energy on each frequency as the sweep passes across it. This is sometimes called the "sweep cycle".
- Once the noise source is determined, it is advisable to lock the capture on that channel and sweep only that single channel.
- Resolution Bandwidth (kHz): the smallest frequency difference that can be resolved by the receiver. RBW should be low enough to resolve the spectral components of the transmissions being measured. The lower the RBW, the wider the frequency inspection.
- Newer radios are able to sweep the spectrum much faster, saving battery life, improving the graphical representation and reducing the need for multiple radios.
Capturing RF Spectrum Data
- Determine the tools for capture. For remote and immediate diagnosis, infrastructure spectrum analysis is the best choice. For onsite work, a portable spectrum analyser is a better choice.
- Determine the type of antenna used for capture (omnidirectional or patch). As an aside, water absorbs Wi-Fi signals, and humans are approximately 70% water, so some absorption will be seen at 2.4 GHz.
- Once the tool is determined, it will be easier to scan and detect the source of potential interference. Steps can then be taken based on the noise source and whether or not it is mission critical.
Using Spectrum Analyzer Views
- There are some complex and simple views. The hand-held all-in-one devices tend to have smaller screens and simpler interfaces.
- Laptop or infrastructure based tools tend to have richer and more complex interfaces.
Real Time FFT (Fast Fourier Transform)
- An algorithm which samples a signal over a period of time (or space) and divides it into frequency components. These components are single sine wave oscillations at distinct frequencies.
- Simply put, the FFT plot shows amplitude on the y axis plotted against frequency on the x axis.
- Shows the RF energy present at a particular frequency over the course of time. Essentially the same information as the Real Time FFT, but presented in a different format and tracked over time.
- It displays the frequency and signal strength (amplitude) of the detected RF signals.
- Displays the same information shown in the swept spectrogram, but horizontally.
- Some tools use one view whereas others can use multiple views or toggle between them.
Power Spectral Density
- This view displays the strength of the detected energy as a function of frequency. In other words, it shows at which frequencies the detected RF energy variations are strong and at which they are weaker.
- It can be useful in diagnosing problems when you have to compare patterns. This can help identify new sources of interference which were not visible on a particular day/time, and then troubleshoot accordingly.
Spectrum Utilization & Duty Cycle
- Spectrum utilization reporting allows you to determine how much airtime is being used on a given frequency. This can be from both 802.11 and non-802.11 devices.
- Low-density deployments generating small amounts of retransmissions can still have very high spectrum utilization due to noise.
- Spectrum utilization views help us see the entire picture, not just what the WLAN devices are doing.
- Duty cycle indicates the fraction of time a resource is busy. When a single device transmits on a channel for 2 out of every 10 time units, it has a duty cycle of 20%.
- The duty cycle is traditionally calculated for a specific signal and is defined as the pulse duration divided by the pulse period.
- Many spectrum analysers calculate duty cycle as the amount of time the measured amplitude is above the noise floor or another arbitrary threshold.
- Possible duty cycles by device: microwave oven - 50%, jammer - 100%, wireless video camera - 100%.
WLAN Integration Views
- Allow us to see both the RF energy visualised in the spectrum analysis and the SSID and in some cases the MAC Address of the detected AP.
Analysing Spectrum Captures
RF Noise Floor
- Determine the signal strength of the noise floor
- Many applications require a signal strength that is based upon a measure above the noise floor to work optimally.
- Adjustments may be required to the power levels of APs to compensate for a high noise floor.
- In some cases adjustments may be required by adding additional APs or moving the existing AP location (or changing the antenna direction) away from noise floor interference sources such as microwaves.
SNR (Signal to Noise Ratio)
- A comparison of the level of signal power to the level of noise power, often expressed in decibels (dB). It is the difference in dB between the received signal and the background noise level.
- An SNR value of 25 dB to 30 dB is recommended for networks.
- Identifying the sources of interference is the key to fixing underlying WLAN problems.
- Spectrum analysers can help track the interference so that we can remediate accordingly.
- A common RF interferer is the microwave oven; they operate at 2.4 GHz and can have duty cycles of up to 50%.
- Spectrum analysers can help identify the sources of 802.11 and non-802.11 RF signals. We can determine which channels are being used and find the channel width, depending on how channel bonding is displayed.
The client STA must locate an AP to which it desires to connect, which it does either actively or passively.
The 802.11 MAC layer provides the following functions:
- Scanning - the process used to discover a BSS, or to discover access points within a known BSS. It can be done either passively (Beacon frames) or actively (Probe Request/Response frames).
- Synchronisation - some 802.11 features require all stations to have the same time.
- Frame Transmission - client STAs must abide by the rules of the BSS to which they are associated or want to become associated. These rules are the DCF and EDCF.
- Authentication - Open System Authentication is performed before a station can be associated with a BSS.
- Association - after successful authentication, the station can be associated with the BSS. This includes discovery of capabilities information in both directions.
- Reassociation - when a user/client device roams, it will reassociate with another AP in the same ESS.
- Data Protection - data encryption might be in place to protect the data from attackers.
- Power Management - these features are provided to better manage and extend battery life; this can include putting the transceiver to sleep for discrete, specified intervals.
- Fragmentation - in certain scenarios it is beneficial to fragment frames before transmission on the wireless medium.
- RTS/CTS - one of the features which helps prevent hidden node problems and allows more centralized control of access to the medium.
DCF (Distributed Coordination Function)
- All 802.11 devices support DCF. It is the CSMA/CA method implemented in the 802.11 standard.
Ethernet IEEE 802.3 uses CSMA/CD for collision management. Due to the nature of wireless networks, 802.11 devices cannot detect collisions but can only avoid them, hence CSMA/CA (collision avoidance). Collisions are one possible explanation for the failure of frame transmissions.
- In a phone call when both parties try to speak at the same time, the effectiveness of communication is drastically reduced. Usually both will stop for a random amount of time and one of them will resume the conversation. This analogy best describes collision detection as opposed to collision avoidance.
- The "carrier sense" in CSMA means that the devices attempt to sense whether the physical medium is available before commencing transmission. The "multiple access" indicates multiple devices accessing the physical medium. On Ethernet networks collisions are not as much of a concern because devices have dedicated physical connections (wires).
- In CSMA/CA, collision avoidance is achieved by signalling to other devices that a particular device is about to communicate. It may not be perfect due to hidden node issues, but it does improve the efficiency of communication in 802.11.
Carrier Sense & Energy Detect
CS - the process of checking whether the medium is busy or available for communication. There are 2 types of carrier sense mechanisms:
- Physical Carrier Sense > uses CCA (Clear Channel Assessment) to determine medium availability. This is provided by the PHY and not the MAC, though it reports to the MAC. CCA is accomplished by monitoring the medium to determine if the amount of RF energy exceeds a certain threshold (energy detect) or if a Wi-Fi signal is being transmitted (carrier sense).
- Virtual Carrier Sense > uses the NAV (Network Allocation Vector), which is provided by the MAC and not the PHY. The NAV timer in each client STA is used to determine whether the medium can be used or not. If the NAV has the value 0, the station may be able to use the medium; otherwise the STA must wait until the NAV timer counts down to 0. STAs set their NAV timers based on the Duration field.
IFS (Interframe Space) is the time interval during which frames cannot be transmitted by client STAs within a BSS. This ensures frames do not overlap. The time intervals differ for each frame type. IFS is an IEEE 802.11 feature and should not be linked to or confused with the IEEE 802.11e QoS solution. The IFS types discussed below are:
- SIFS & RIFS, PIFS, DIFS, AIFS & EIFS
SIFS (Short IFS) is, as the name suggests, the shortest of all the available IFS parameters in 802.11 devices preceding 802.11n. RIFS (Reduced IFS), introduced in 802.11n, is shorter still but was deprecated in 802.11ac.
- Frames that are specified to use SIFS interval will take priority over frames that are specified to use other IFS.
- ACK frames immediately following the receipt of the data frame.
- CTS frames sent as a response to RTS frames
- With the exception of the first exchange.
- All frame exchanges made in PCF (Point Coordination Function) mode.
- All frame fragments that are part of a fragment burst.
- The SIFS intervals for the various PHYs are:
- DSSS, HR/DSSS, ERP - 10 µs
- FHSS - 28 µs
- OFDM (HT/VHT) - 16 µs
RIFS is only 2 µs long and can be used by 802.11n devices in place of SIFS in a BSS which does not allow legacy devices (Greenfield mode).
PIFS (Point Coordination Function IFS) is neither the shortest nor the longest interval, resulting in a priority greater than DIFS but less than SIFS. When an AP needs to switch the network from DCF to PCF mode it will use PIFS. PCF is an optional part of IEEE 802.11 and has not been implemented in any market devices. Below are the slot times.
- DSSS, HR/DSSS, ERP - 20 µs
- OFDM - 9 µs
- HT - 20 µs (long, in 2.4 GHz); 9 µs (short, in 2.4 GHz and always used in 5 GHz)
- VHT - 9 µs
DIFS is the longest of the IFS types discussed so far. It is used by standard data frames. The greater delay interval ensures that frames specified for SIFS and PIFS intervals can transmit before DIFS data frames.
- DSSS - 50 µs
- OFDM - 34 µs
AIFS (Arbitration IFS) is used by QoS stations, i.e. those implementing EDCA. AIFS is used for all data, management and some control frame types by a QoS station. The control frames which use AIFS include PS-Poll, RTS, CTS (when not responding to an RTS), BlockAckReq and BlockAck.
EIFS (Extended IFS) is used when frame reception begins but the received frame is incomplete or corrupted based on the FCS. When the last frame the station received was corrupted, it uses EIFS before the next frame it transmits. The EIFS interval is the longest of the IFS intervals and is calculated as below.
- EIFS = SIFS + (8 × ACKsize) + Preamble Length + PLCP Header + DIFS
Contention Window (CW)
The IFS delay interval is not the end of the wait for devices seeking to contend for the wireless medium. After the IFS delay interval has passed, the device must then initiate the backoff algorithm and contend for the medium. This random backoff algorithm is processed and applied using the CW. The "window" is a range of integers from which one is chosen at random. We can think of it as a contention range rather than a window, to help remember this concept better.
All stations having a frame to transmit choose a random integer within the range specified as the contention window. Next, the predefined algorithm multiplies the randomly chosen number by the slot time.
Imagine client STA "A" wants to transmit one data frame on the medium.
- The data frame will be required to use DIFS since it is a standard data frame.
- A hears a frame being transmitted with a Duration value of 20 µs.
- A sets a NAV timer of 20 µs and waits for it to go to zero (0).
- A uses carrier sense and detects that the medium is silent.
- A must wait for the DIFS interval to expire; since the station is using OFDM it waits for 34 µs.
- A waits for the random backoff timer to expire, and when it does the station uses carrier sense again to detect whether the medium is silent.
- A begins transmitting the data frame.
All this assumes the network is using DCF; otherwise AIFS would be used before a QoS Data frame is transmitted.
Even with all the above efforts, collisions can occur. To deal with these, ACK frames are used.
EDCA (Enhanced Distributed Channel Access)
QoS was introduced by the 802.11e standard, which implements a Layer 2 solution for the wireless link. APs/WLAN controllers have the ability to convert the 802.11 QoS markings to 802.1p and/or DSCP markings for communication on the wired side.
The basic enhancement provided by 802.11e is that frames are assigned one of 4 AC (access category) values:
- AC_BK - Background (lowest) - CWmin/CWmax 15/1023
- AC_BE - Best Effort (low) - CWmin/CWmax 15/1023
- AC_VI - Video (medium) - CWmin/CWmax 7/15
- AC_VO - Voice (highest) - CWmin/CWmax 3/7
Higher priority categories use smaller contention windows. The variation in random backoff times is a key differentiator between DCF and EDCA. Additionally, AIFS has a variable duration depending on the AIFS number (AIFSN) associated with the AC; higher priority ACs have a lower AIFSN.
The Wi-Fi Alliance created the WMM (Wireless Multimedia) certification to validate that devices implement EDCA as defined in 802.11e. In addition to the WMM parameters for the access categories and AIFSN, it has also introduced:
- WMM Power Save
- WMM Admission Control
aCWmin is a variable defined for each PHY in the 802.11 standard. The values are defined as:
- DSSS, HR/DSSS - 31
- ERP - 31/15, depending on the need for backward compatibility
- OFDM, HT, VHT - 15
With the values provided, we can determine that CWmin for AC_VO would be 7 for ERP with backward compatibility: (31+1)/4 - 1 = 7. The table below can be referenced.
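The IFS, DCF and EDCA relationships above, worked through in Python as an added example (not code from the original post): PIFS and DIFS from each PHY's SIFS and slot time, AIFS from the AIFSN, EIFS from the formula given, the "STA A" wait, and the per-AC CWmin/CWmax derived from aCWmin/aCWmax. The AIFSN defaults (7/3/2/2) are the 802.11e/WMM values, not listed in the notes; the PHY names are labels chosen for this example.

```python
"""802.11 interframe spacing and EDCA contention-window calculator.

Added example, not from the original post. It applies the relationships in
the notes: PIFS = SIFS + 1 slot, DIFS = SIFS + 2 slots, AIFS = SIFS + AIFSN
slots, EIFS = SIFS + ACK transmit time + DIFS, and the 802.11e rule that
derives each access category's CWmin/CWmax from the PHY's aCWmin/aCWmax.
"""
from __future__ import annotations

import random

# SIFS and slot time per PHY in microseconds, as listed in the notes.
PHY_TIMING = {
    "DSSS": {"sifs": 10, "slot": 20},      # DSSS, HR/DSSS, ERP with the long slot
    "ERP_SHORT": {"sifs": 10, "slot": 9},  # ERP/HT in 2.4 GHz with the short slot
    "OFDM": {"sifs": 16, "slot": 9},       # OFDM, HT and VHT in 5 GHz
}
# Default AIFSN per access category in 802.11e/WMM (lower number = higher priority).
AIFSN = {"AC_BK": 7, "AC_BE": 3, "AC_VI": 2, "AC_VO": 2}


def pifs(phy: str) -> int:
    t = PHY_TIMING[phy]
    return t["sifs"] + t["slot"]


def difs(phy: str) -> int:
    t = PHY_TIMING[phy]
    return t["sifs"] + 2 * t["slot"]


def aifs(phy: str, ac: str) -> int:
    """AIFS[AC] = SIFS + AIFSN[AC] * slot time (with AIFSN 2, AC_VO/AC_VI get exactly DIFS)."""
    t = PHY_TIMING[phy]
    return t["sifs"] + AIFSN[ac] * t["slot"]


def ack_tx_time(preamble_us: float, plcp_header_us: float,
                rate_mbps: float, ack_bytes: int = 14) -> float:
    """Time to send a 14-byte ACK: preamble + PLCP header + 8 * ACKsize bits at rate_mbps."""
    return preamble_us + plcp_header_us + 8 * ack_bytes / rate_mbps


def eifs(phy: str, ack_time_us: float) -> float:
    """EIFS = SIFS + ACK transmit time (at the lowest basic rate) + DIFS."""
    return PHY_TIMING[phy]["sifs"] + ack_time_us + difs(phy)


def edca_cw(ac: str, acwmin: int, acwmax: int) -> tuple[int, int]:
    """Per-AC (CWmin, CWmax) from the PHY's aCWmin/aCWmax, per the 802.11e default table."""
    if ac == "AC_VO":
        return (acwmin + 1) // 4 - 1, (acwmin + 1) // 2 - 1
    if ac == "AC_VI":
        return (acwmin + 1) // 2 - 1, acwmin
    return acwmin, acwmax  # AC_BE and AC_BK use the PHY values unchanged


def backoff_us(phy: str, cw: int, rng=random) -> tuple[int, int]:
    """Random backoff: pick an integer in [0, CW] and multiply it by the slot time."""
    slots = rng.randint(0, cw)
    return slots, slots * PHY_TIMING[phy]["slot"]


def dcf_wait_us(phy: str, nav_us: int, backoff_slots: int) -> int:
    """Wait before transmission in the 'STA A' walkthrough: NAV, then DIFS, then backoff."""
    return nav_us + difs(phy) + backoff_slots * PHY_TIMING[phy]["slot"]


if __name__ == "__main__":
    for phy in PHY_TIMING:
        print(f"{phy}: PIFS={pifs(phy)} DIFS={difs(phy)} "
              + " ".join(f"{ac}={aifs(phy, ac)}" for ac in AIFSN))
    # DSSS ACK at 1 Mbps with the long preamble (144 us) and PLCP header (48 us).
    print("EIFS (DSSS, 1 Mbps):", eifs("DSSS", ack_tx_time(144, 48, 1.0)))
    for ac in AIFSN:
        print(ac, "OFDM CWmin/CWmax:", edca_cw(ac, 15, 1023))
    print("AC_VO CWmin for ERP with legacy clients:", edca_cw("AC_VO", 31, 1023)[0])
    slots, _ = backoff_us("OFDM", 15, random.Random(1))
    print(f"STA A waits {dcf_wait_us('OFDM', 20, slots)} us with {slots} backoff slots")
```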
QoS Configuration and Operation
WMM parameters are included in the Beacon frame. A WMM-compliant STA is expected to update its WMM parameters to match. This behaviour results in shared parameters throughout the BSS.
The TXOP (Transmit Opportunity) defines the maximum amount of time a QoS STA that wins the TXOP may use the medium in a burst. The parameter can be defined for each access category (AC) queue. A TXOP of 0 means the STA can send only 1 frame and must then enter the contention procedure again. BK and BE use a TXOP of 0.
Verifying QoS Parameters
- Look at the AP/WLAN configuration.
- Capture frames (Beacon, Probe Response and Association Response) to view the WMM parameters (these may only tell you what the AP expects the client to use for WMM, so it is best to check the WLAN configuration).
The phrase "end to end QoS" indicates that all devices in the communication chain (Clients > AP > WLAN > Switches > Routers > Gateway, etc.) must comply with and implement the required QoS within their internal frame and packet processing algorithms. If one switch is not adhering to the QoS tags, QoS will not be delivered end to end.
Additionally, you can read more about this in my other blog post.
This blog post features chapter 5 from the CWAP-403 book. I have tried to summarize it as I've read through the book. Hope this helps you in the journey to become CWAP-403 certified. I am still waiting to give my 2nd attempt, hopefully being able to do so once the COVID-19 lockdown is relaxed. I am aiming to revise the 802.11 Frame Exchanges and MAC Sublayer and Functions sections, which comprise 50% of the exam syllabus.
The fundamental basics of WLAN connectivity begin with finding and associating to a basic service set (BSS). Wi-Fi devices are always scanning and looking for available networks, irrespective of the networks' availability.
Beacon Frames and BSS Announcement
- Client STAs scan actively or passively for available networks, probing for the Wi-Fi networks they know about.
- The Beacon frame is transmitted by the AP to communicate information. This is done every 1024ms, also known as the target beacon transmission time (TBTT) or beacon interval.
- Each SSID will have a Beacon frame transmitted, so configuring too many SSIDs can consume more airtime.
- Hidden SSIDs still broadcast their own Beacon frames. The frame capture will show the SSID field blank or as a wildcard SSID.
- The SSID name is visible in the Probe Request frame sent by a station preconfigured to use the hidden SSID.
802.11 State Machine
The process of a STA joining a BSS via the AP is called the 802.11 State Machine. The sequence of frames is:
STA <------> AP
--> Probe Request to AP
<-- Probe Response to STA
--> Open System Authentication Request to AP
<-- Open System Authentication Response to STA
--> Association Request to AP
<-- Association Response to STA
Any further security such as 802.1X or PSK is performed after the 802.11 State Machine.
Probe Request Frame
- Originates from the Client STA wanting to join the BSS. This is a broadcast frame.
- A STA preconfigured with a previously connected SSID will actively probe for the network it has saved; otherwise, for new networks, it receives the Beacon frames from the AP and requests to join the BSS.
- The source address (SA) and transmitter address (TA) are set to the client STA transmitting the probe request.
- The destination address (DA) and receiver address (RA) are set to the broadcast address.
- The elements in probe request frame help us identify the type of station e.g. HT or VHT client capabilities.
Probe Response Frame
- Upon receiving a probe request initiated by a client STA, an AP will contend for the medium and send a Probe Response frame containing information about the BSS a station must be able to support. This is a unicast frame.
- Most of the frame contents are similar to beacon frame except for the exclusions of TIM (Traffic Indication map) field, QoS capability element, AP Channel Report element, FMS Descriptor element and the HCCA TXOP Update Count element.
- Can be confused with the type of user authentication. The Authentication frame is part of the Open System authentication method which operates at the link level between the stations.
- The Client STA generates Authentication Request and receiving AP will respond with Authentication Response frame.
- The 802.11 Authentication merely establishes an initial connection between the client and the access point, basically validating or authenticating that the STA is a valid 802.11 device.
- Upon successfully passing the authentication, the client STA moves on by sending unicast Association Request frame to the destined AP.
- This frame is transmitted at the highest minimum data rate supported.
- The DA/RA are set to BSSID and SA and TA are set to MAC address of the client STA.
- The receiving AP responds with an Acknowledgement frame. Then it transmits and Association Response frame with a status code for the station. If successful, the STA receives the Association ID for the BSS.
- The Association Response frame is quite similar to the Association Request frame except it will contain Status Code field and Association ID(AID) assigned by the AP to a STA.
The Authentication/Association frames occur before any security frames are exchanged. The 802.11 standard defines the security under a RSN (Robust Security Network).
PSK (Pre-shared Key Authentication).
- The client STA gathers the type of security policy from the Probe Request frame. PSK is one of the most common methods used for home networks.
- Once the STA discovers the AP's security policy it will negotiate a security policy. In PSK the Pairwise Master Key (PMK) is the PSK. From the PMK, a Pairwise Transient Key (PTK) is derived. In this scenario, the AP takes the Authenticator role and the station the Supplicant role.
- Next, a 4-way handshake is initiated with EAPOL key frames being used. Upon successfully completing the handshake the STA will join the BSS using the PSK.
4 Way Handshake
The RSNA process uses EAPOL (Extensible Authentication Protocol over LAN) to form the 4-way handshake. It is used with both PSK and 802.1X authentication. For 802.1X authentication, the 4-way handshake occurs after EAP authentication. EAP can be implemented in the form of certificate-based authentication, challenge-based authentication, or other methods.
The 4-Way Handshake uses a PRF (Pseudo Random Function), which hashes various inputs to derive a value. The Supplicant (client STA) and Authenticator (AP/WLAN Controller) derive a PTK (Pairwise Transient Key) from their PMK (Pairwise Master Key). From the PTK is derived the snonce for the Supplicant and the anonce for the Authenticator.
The Authenticator holds the Groupwise Master Key (GMK) which is used to derive the Groupwise Transient Key (GTK).
PTK = PRF(PMK + anonce + snonce + aa (Authenticator MAC) + sa (Supplicant MAC))
M1 - Message 1
- The Authenticator (AP/WLAN) sends an EAPOL-Key frame containing the anonce to the Supplicant (client STA).
- With this information, the client STA has all the necessary inputs to generate the PTK using the PRF.
M2 - Message 2
- The client STA (Supplicant) sends an EAPOL-Key frame containing the snonce, RSNE and MIC to the Authenticator (AP/WLAN).
- The Authenticator now has all the inputs to create the PTK.
M3 - Message 3
- The Authenticator derives the PTK from the snonce and anonce and verifies the MIC sent by the Supplicant.
- The Authenticator sends M3 containing the anonce, RSNE, MIC and the GTK.
M4 - Message 4
- The Supplicant sends the final EAPOL-Key frame to the Authenticator to confirm that the temporal keys have been installed.
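Added example in Python (not code from the original post) working through the derivation above with constructed values: the 802.11i PRF expands the PMK into the PTK, the first 16 bytes (KCK) key the MIC, and verify_m2_mic is the check the Authenticator performs on M2, and that Wireshark performs when you give it the PSK. The MACs, nonces, passphrase and SSID are made up; the RSNE bytes are a standard WPA2-PSK/CCMP element.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real capture.
AA = bytes.fromhex("001122334455")     # Authenticator (AP) MAC, aa
SPA = bytes.fromhex("66778899aabb")    # Supplicant (STA) MAC, sa
ANONCE = bytes(range(32))              # 32-byte nonces carried in M1 / M2
SNONCE = bytes(range(32, 64))
RSNE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK, CCMP

def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) until n bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """PTK = PRF(PMK, "Pairwise key expansion", Min(aa,sa)||Max(aa,sa)||Min(nonces)||Max(nonces)).
    Min/Max ordering makes both sides compute the same key. 48 bytes for CCMP = KCK|KEK|TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def build_eapol_key(nonce, key_data=b"", mic=b"\x00" * 16):
    """Minimal EAPOL-Key frame (EAPOL v2, type 3, RSN descriptor 2). Key Info 0x010a =
    descriptor version 2 (HMAC-SHA1 MIC) + Pairwise bit + MIC bit, as seen in a WPA2 M2."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01"   # type, info, len, replay ctr
            + nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8          # nonce, IV, RSC, key ID
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body

def eapol_mic(kck, frame):
    """MIC (descriptor version 2) = HMAC-SHA1(KCK, frame with its MIC field at offset 81 zeroed)[:16]."""
    zeroed = frame[:81] + b"\x00" * 16 + frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_signed_m2(pmk):
    """What the Supplicant sends in M2: snonce, RSNE and a MIC computed with its freshly derived KCK."""
    kck = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    unsigned = build_eapol_key(SNONCE, RSNE)
    return build_eapol_key(SNONCE, RSNE, eapol_mic(kck, unsigned))

def verify_m2_mic(pmk, aa, spa, anonce, m2):
    """Authenticator-side check (also what Wireshark does given the PSK): rederive the PTK from
    the anonce seen in M1 and the snonce carried in M2, then compare MICs in constant time."""
    kck = derive_ptk(pmk, aa, spa, anonce, m2[17:49])[:16]
    return hmac.compare_digest(eapol_mic(kck, m2), m2[81:97])
```

A MIC mismatch on M2 in a capture is the symptom of a wrong passphrase or a wrong SSID in the PBKDF2 input, which is why Wireshark needs both to decrypt.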
802.1X EAP Exchanges
An 802.1X RSNA involves 3 roles.
- Supplicant (Client STA)
- Authenticator (AP/WLAN Controller)
- Authentication Server (Radius/NPS/ISE etc..)
The frame exchange with 802.1X authentication begins after the 802.11 state machine completes. Following a successful Association Response frame from the AP, the 802.1X process begins with a blocked controlled port. Captures for 802.1X can be taken either between the Supplicant and Authenticator or between the Authenticator and Authentication Server.
EAP messages are exchanged between the Supplicant and Authentication Server through the Authenticator's uncontrolled port, which allows only EAP messages. 802.1X EAP messages are sent as Data frames over the 802.11 medium. The Supplicant and Authentication Server must be configured to use the same EAP types.
The outer authentication EAP method is either proposed by the authentication server or the station will propose the method. Upon the method selection, the server presents a certificate to the client STA. The server certificate is used to build a TLS tunnel (encrypted). The station and authentication server use an inner authentication method to encrypt exchanged data.
After providing identities, sending certificates, selecting the outer and inner EAP methods and authenticating the user, the last frame will be either Success or Failure. The 4-way handshake begins if the exchange succeeded.
An AP which is part of an extended service set (ESS) will allow a previously connected client STA to reassociate to the new AP. The client STA decides which metrics are considered for a roaming decision, such as RSSI, SNR and others.
When an authenticated client STA moves away from its current AP to a new AP, it begins the 802.11 Open System authentication and association frame exchange, but instead of an Association Request frame the client STA sends a unicast Reassociation Request frame destined to the target AP. Within the Reassociation Request frame, the STA populates the Current AP Address field with the MAC address of the AP it is currently associated to.
Pre-FT (802.11r) Fast Secure Roaming Mechanisms.
Prior to the 802.11r amendment in 2009, Preauthentication and PMK caching were the 2 methods which assisted client STAs in roaming securely.
Preauthentication >
- A method where a client STA may authenticate with multiple APs at a time. The access points must be in the same ESS and advertise preauthentication in their Beacon frames.
- Can be seen under RSN Information tag in the frame capture > RSN Capabilities > Set to 1 if it supports preauthentication.
- Preauthentication works by allowing the STA to establish an RSNA with an AP prior to attempting reassociation with it. When the 802.1X authentication completes successfully, the result is a PMKSA that is used with other access points.
- Preauthentication may not work if the AP's PMKSA has expired; the STA then needs to undergo the complete 802.1X authentication when roaming to another AP.
PMK Caching >
- The STA and original AP will maintain a PMKSA for some time before expiring. During this time, the STA can associate to target AP and will establish a new PMKSA.
- The STA then roams back to its original AP; if the cached PMKSA is still valid, the station reassociates by performing Open System authentication and including the PMKID of that PMKSA within the Reassociation Request.
- With PMK Caching the PMKID is cached on the AP after association of STA. Then upon roaming back to the AP it can skip 802.1X EAP exchange and move to the 4-way handshake.
- Preauthentication creates a PMK that will be stored on the target AP. When a station roams to the target AP it will be able to skip the EAP exchange process.
Neither method scales well for large deployments, because every access point must hold a PMKSA with all of its associated stations.
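Added example in Python (not code from the original post) of the PMK caching check described above: the PMKID a reassociating STA lists in its RSNE is HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), and pmksa_lookup is the AP-side decision of whether a cached, unexpired PMKSA matches, so that the EAP exchange can be skipped. The MACs, PMK and timestamps are made up, and rsne_pmkids is a small hand-written RSN element parser.

```python
import hashlib
import hmac

AA = bytes.fromhex("001122334455")    # BSSID of the AP the STA roams back to (constructed)
SPA = bytes.fromhex("66778899aabb")   # roaming STA MAC (constructed)
PMK = bytes(range(32))                # constructed PMK left over from an earlier 802.1X/EAP exchange

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), as used by the SHA-1 AKMs (1 and 2)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def build_rsne(pmkids=()) -> bytes:
    """Constructed WPA2-Enterprise (AKM 1) / CCMP RSN element with an optional PMKID list,
    as a Reassociation Request would carry it. All counts are little-endian."""
    body = (b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
            + b"\x01\x00" + b"\x00\x0f\xac\x01" + b"\x00\x00")
    if pmkids:
        body += len(pmkids).to_bytes(2, "little") + b"".join(pmkids)
    return b"\x30" + bytes([len(body)]) + body

def rsne_pmkids(rsne: bytes) -> list:
    """Walk an RSN IE (tag 0x30) and return its PMKID list (empty if absent).
    Layout: ver(2) group(4) pw_cnt(2) pw(4n) akm_cnt(2) akm(4n) caps(2) pmkid_cnt(2) pmkid(16n)."""
    if len(rsne) < 2 or rsne[0] != 0x30 or rsne[1] != len(rsne) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = rsne[2:], 6                      # past version + group cipher suite
    for _ in range(2):                            # pairwise suites, then AKM suites
        if pos + 2 > len(body):
            return []
        pos += 2 + 4 * int.from_bytes(body[pos:pos + 2], "little")
    pos += 2                                      # RSN capabilities
    if pos + 2 > len(body):                       # PMKID count is optional
        return []
    count = int.from_bytes(body[pos:pos + 2], "little")
    pos += 2
    if pos + 16 * count > len(body):
        raise ValueError("RSN element truncated inside PMKID list")
    return [body[pos + 16 * i:pos + 16 * (i + 1)] for i in range(count)]

def pmksa_lookup(cache, aa, spa, rsne, now):
    """AP-side check on a Reassociation Request: if an offered PMKID matches an unexpired cached
    PMKSA for this AA/SPA pair, return its PMK (EAP is skipped, the 4-way handshake starts);
    otherwise None, and the STA must do the full 802.1X exchange. cache: [(pmk, expires_at), ...]."""
    offered = rsne_pmkids(rsne)
    for pmk, expires_at in cache:
        if now < expires_at and pmkid(pmk, aa, spa) in offered:
            return pmk
    return None
```

In a capture, a Reassociation Request whose RSNE carries a PMKID followed directly by EAPOL M1 is the signature of a cache hit; a full EAP exchange after it means the AP had no matching or unexpired PMKSA.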
Fast Secure Roaming Transition
A client STA roaming from its current AP to another AP may use the FT protocol. It can do so using one of two methods: Over-the-Air or Over-the-DS.
Over-the-Air FT >
- M1 - Client STA transmits an Authentication Request frame to the target AP.
- M2 - The target AP transmits an Authentication Response frame to the client.
- M3 - The client STA transmits Reassociation Frame to the target AP. Within the frame contains Fast BSS Transition element.
- M4 - The target AP transmits a Reassociation Response frame containing a status code and if Successful the originating client STA will transition to the target AP.
- For Over-the-Air, the Fast BSS Transition over DS bit is set to 0 in the Management Frames > Mobility Domain tag.
- When using OTA FT, the STA communicates directly with the target AP, hence we see Authentication Request frames with the destination address of the target AP.
Over-the-DS FT >
- Looks similar to Over-the-Air. The main difference between the methods is that a station using Over-the-DS FT communicates with the target AP through its currently associated AP.
- M1 - Client STA sends a FT request frame to the current AP with the target AP Address field set to the target AP BSSID.
- M2 - The target AP sends the FT Response frame to the client STA.
- M3 - The client STA sends a Reassociation frame destined to the target AP.
- M4 - The target AP responds with a Reassociation Response frame to the client STA. If the frame contains the Status code of successful, the station has transitioned to the target AP.
- The main difference compared to OTA FT is that in Over-the-DS the station initiates the FT with a Fast BSS Transition Action Request frame. This Action frame has a destination address of the currently associated AP. Within the FT Action Request frame, the source address is that of the originating station, while the Target AP Address field carries the target AP's BSSID.
- To capture frames pertaining to roaming, multiple adapters must be used. Additionally, the software used to analyse the frames should support channel aggregation. When the STA roams, the capture tools must physically follow the STA for an accurate capture.
Improvements in FT
- Radio measurements allow a station to better understand its radio environment. One such measurement is the Neighbor Report, requested from the AP by a client STA. The AP returns information about known neighbor APs, and the station uses this list as potential roaming candidates.
- Taken from 802.11k (RRM, Radio Resource Management), 2 frames are exchanged between a station and its associated AP. A client STA sends a unicast Action Management frame to its associated AP, requesting a Neighbor Report for the indicated SSID.
- The AP responds to the client STA with a unicast Action Management Frame with Neighbor Report Response containing a list of neighboring AP their BSSID and operating channels.
Troubleshooting Roaming Issues
- Sticky Clients >
- As clients move away from their associated AP, they dynamically shift their data rates to lower values.
- Capturing frames near the sticky client is the best location for troubleshooting.
- Excessive Roaming >
- On the other side of Sticky Clients are clients that roam unnecessarily. As clients make their own roaming decisions, troubleshooting close to the client can provide resolutions for excessive roaming.