To connect to a WLAN, the client must go through the following steps:
Scanning for networks
Scanning can be passive or active (or both); many vendors use both.
Passive scanning:
- Client tunes to each channel, listens for a period of time, and monitors 802.11 beacon frames (an AP transmits beacons by default every 100 milliseconds on a specific RF channel)
- Client records the RSS of the frame and continues scanning the other channels.
- After scanning all channels, the client decides which AP to join (usually the highest RSS, or using more information, e.g. SNR)
Active scanning:
- Client sends broadcast probe requests on each channel
- APs within range (or other clients, in ad hoc mode) respond with a probe response frame
- The transmitting client waits for some time to receive all probe responses
- Client decides which AP to join (usually the highest RSS, or using more information, e.g. SNR)
- Enables clients to receive information about nearby access points in a timely manner, without waiting for beacons
- Generates additional traffic on the network (probe request and response frames)
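The scan and join decision above, as an added Python example (not code from the book or these notes): it parses the beacon frames a passive scan collects (MAC header, fixed fields, then the tagged information elements for SSID, supported rates, channel and RSN) and picks the AP by strongest RSS among those advertising the wanted SSID. The beacon frames and RSS values are constructed inline; real RSS comes from the radio driver, not from the frame. The `require_rsn` filter is an assumption of this example: it shows why matching on SSID and signal alone would pick the open AP that happens to be loudest. Probe responses and association request/response frames carry the same element format, so `parse_ies` applies to them as well.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Element IDs of the tagged parameters (information elements) used below
IE_SSID, IE_SUPPORTED_RATES, IE_DS_PARAMS, IE_RSN = 0, 1, 3, 48


@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: Optional[int]
    interval_tu: int          # beacon interval in time units (1 TU = 1024 us; 100 TU is the usual default)
    rates_mbps: List[float]
    rsn_present: bool         # RSN element advertised (WPA2/WPA3 security); absent on an open AP


def parse_ies(body: bytes) -> Dict[int, bytes]:
    """Walk the ID / length / value list that follows the fixed fields of a management frame."""
    ies: Dict[int, bytes] = {}
    pos = 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        ies.setdefault(eid, value)   # keep the first copy if an element is repeated
        pos += 2 + length
    return ies


def parse_beacon(frame: bytes) -> Beacon:
    """Parse an 802.11 beacon: 24-byte MAC header, 12 bytes of fixed fields, then the IEs."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if ((fc >> 2) & 0x3) != 0 or ((fc >> 4) & 0xF) != 8:
        raise ValueError("not a beacon (management type 0, subtype 8)")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])          # Address 3 carries the BSSID
    interval = struct.unpack_from("<H", frame, 32)[0]           # follows the 8-byte timestamp
    ies = parse_ies(frame[36:])
    rates = [(r & 0x7F) / 2 for r in ies.get(IE_SUPPORTED_RATES, b"")]  # units of 500 kbps
    ds = ies.get(IE_DS_PARAMS, b"")
    return Beacon(
        bssid=bssid,
        ssid=ies.get(IE_SSID, b"").decode("utf-8", "replace"),
        channel=ds[0] if ds else None,
        interval_tu=interval,
        rates_mbps=rates,
        rsn_present=IE_RSN in ies,
    )


def select_ap(scan: List[Tuple[int, bytes]], ssid: str, require_rsn: bool = True) -> Optional[Beacon]:
    """The join decision: strongest RSS among beacons for the wanted SSID.
    RSS is reported by the radio (e.g. in a radiotap header); it is not a field of the frame."""
    best: Optional[Tuple[int, Beacon]] = None
    for rssi_dbm, frame in scan:
        try:
            beacon = parse_beacon(frame)
        except ValueError:
            continue
        if beacon.ssid != ssid or (require_rsn and not beacon.rsn_present):
            continue
        if best is None or rssi_dbm > best[0]:
            best = (rssi_dbm, beacon)
    return best[1] if best else None


def build_beacon(bssid: bytes, ssid: str, channel: int, rsn: bool, interval: int = 100) -> bytes:
    """Build a constructed beacon so the example runs without a capture file."""
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, interval, 0x0411)             # timestamp, interval, capability
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps (basic rates)
    ies += bytes([IE_DS_PARAMS, 1, channel])
    if rsn:
        ies += bytes([IE_RSN, 2, 0x01, 0x00])                    # RSN version field only
    return header + fixed + ies


# Constructed scan results: (RSS in dBm as reported by the radio, beacon frame)
SCAN = [
    (-71, build_beacon(bytes.fromhex("020000000001"), "corp-wifi", 1, True)),
    (-48, build_beacon(bytes.fromhex("020000000002"), "corp-wifi", 6, True)),
    (-40, build_beacon(bytes.fromhex("020000000003"), "corp-wifi", 11, False)),  # same name, no RSN
    (-55, build_beacon(bytes.fromhex("020000000004"), "guest", 6, False)),
]

if __name__ == "__main__":
    print(select_ap(SCAN, "corp-wifi"))
```

With `require_rsn` left at its default the client joins the -48 dBm AP on channel 6; with it switched off, the louder open AP on channel 11 wins even though it offers no security. That is the practical reason a client profile pins the security type and not only the SSID.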
Authenticating with the network
Authentication can either be:
Open system authentication:
This is the default service.
- Request: Client sends an 802.11 authentication frame to an AP
- Response: AP responds with an 802.11 authentication frame that indicates success or failure in the status code located in the authentication frame.
For most WLANs, this is completely open. The client device does not need to send any form of credentials.
Shared key authentication:
Station must implement WEP to use this.
- Request: Client sends an Authentication frame requesting shared key authentication
- Challenge Text: AP replies with a challenge text (a sequence of octets) generated by the WEP service
- Encrypted Challenge Text: Client copies the challenge text into an authentication frame, encrypts it with the shared key, and then sends it to the AP.
- Response: AP decrypts the challenge using the shared key and compares it to what it had sent earlier. If they match, the AP sends a successful authentication reply; otherwise it sends an authentication failure
- The shared key must be distributed manually (it has to be entered on both the client and AP radios)
- Not very secure: it is possible to recover the WEP key by monitoring enough of these transactions, because both the plaintext and the encrypted versions of the challenge text are sent over the air.
- Do not use in enterprise solutions.
IEEE 802.1X port-based authentication:
Introduced to 802.11 by the 802.11i amendment.
- Offers an effective framework for authenticating and controlling user traffic to a protected network.
- 802.1X ties the EAP (Extensible Authentication Protocol – IETF’s RFC 2284) protocol to both the wired and WLAN media
- Supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication.
- EAPOL-Start: Unauthenticated supplicant (client) sends an EAP-start message that begins the exchange
- EAP-Request/Identity: The AP (authenticator) replies with an EAP-Request/Identity message. At this point the AP opens a port that passes only EAP packets between the client and an authentication server located on the wired side of the access point.
- EAP-Response/Identity: Supplicant responds with an EAP-Response containing its identity, which the AP relays to the authentication server (e.g. RADIUS).
- The authentication server uses a specific authentication algorithm to verify the client's identity, e.g. digital certificates or another EAP authentication type
- The authentication server sends either an accept message or a reject message to the AP
- EAP-Success: The AP sends an EAP-success packet (or reject packet) to the client.
- Port Authorized: If the authentication server accepts the client, the access point transitions the client’s port to an authorized state and forwards additional traffic.
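The 802.1X exchange above, modelled as an added Python example (this is not code from the book or the notes): it builds and parses EAPOL and EAP headers, drives the EAPOL-Start / EAP-Request/Identity / EAP-Response/Identity / EAP-Success-or-Failure sequence, and tracks the authenticator's port state, which lets only EAPOL (EtherType 0x888E) through until the verdict arrives. The authentication server is not modelled: its accept/reject decision is replaced by a constructed allow-list of identities, and the `Authenticator` and `run_exchange` names are this example's own.

```python
import struct
from enum import IntEnum
from typing import List, Optional, Tuple

ETH_P_PAE = 0x888E          # EtherType of EAPOL (802.1X) frames


class EapolType(IntEnum):
    EAP_PACKET = 0
    START = 1
    LOGOFF = 2
    KEY = 3


class EapCode(IntEnum):
    REQUEST = 1
    RESPONSE = 2
    SUCCESS = 3
    FAILURE = 4


EAP_TYPE_IDENTITY = 1


def eapol(ptype: int, body: bytes = b"", version: int = 2) -> bytes:
    """EAPOL header: protocol version (1), packet type (1), body length (2, network order)."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


def eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: code (1), identifier (1), total length (2), then type and type data for Request/Response."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame: bytes) -> Tuple[int, EapolType, bytes]:
    version, ptype, length = struct.unpack_from("!BBH", frame, 0)
    body = frame[4 : 4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    return version, EapolType(ptype), body


def parse_eap(pkt: bytes) -> Tuple[EapCode, int, Optional[int], bytes]:
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    eap_type = pkt[4] if length > 4 else None
    return EapCode(code), ident, eap_type, pkt[5:]


class Authenticator:
    """AP-side port access control. Only the EAP framing and the port state are modelled;
    the authentication server's verdict is replaced by a constructed allow-list of identities."""

    def __init__(self, accepted_identities):
        self.accepted = set(accepted_identities)
        self.authorized = False
        self.current_id = 1
        self.log: List[str] = []

    def forwards(self, ethertype: int) -> bool:
        """Unauthorized port passes only EAPOL toward the server; authorized port passes all traffic."""
        return self.authorized or ethertype == ETH_P_PAE

    def handle(self, frame: bytes) -> bytes:
        _, ptype, body = parse_eapol(frame)
        if ptype == EapolType.START:
            self.log.append("EAP-Request/Identity")
            return eapol(EapolType.EAP_PACKET, eap(EapCode.REQUEST, self.current_id, EAP_TYPE_IDENTITY))
        if ptype == EapolType.LOGOFF:
            self.authorized = False
            return b""
        if ptype != EapolType.EAP_PACKET:
            raise ValueError("EAPOL-Key handling is outside this example")
        code, ident, eap_type, data = parse_eap(body)
        if code != EapCode.RESPONSE or ident != self.current_id or eap_type != EAP_TYPE_IDENTITY:
            raise ValueError("unexpected EAP packet")
        identity = data.decode("utf-8", "replace")
        accepted = identity in self.accepted          # stand-in for the server's accept/reject
        self.authorized = accepted
        self.log.append("EAP-Success" if accepted else "EAP-Failure")
        return eapol(EapolType.EAP_PACKET, eap(EapCode.SUCCESS if accepted else EapCode.FAILURE, ident))


def run_exchange(identity: str, accepted=("alice@example.test",)):
    """Drive the supplicant side: EAPOL-Start, answer the Identity request, read the verdict."""
    ap = Authenticator(accepted)
    ipv4_before = ap.forwards(0x0800)
    _, _, body = parse_eapol(ap.handle(eapol(EapolType.START)))
    code, ident, eap_type, _ = parse_eap(body)
    if code != EapCode.REQUEST or eap_type != EAP_TYPE_IDENTITY:
        raise RuntimeError("authenticator did not ask for identity")
    response = eapol(EapolType.EAP_PACKET, eap(EapCode.RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode()))
    verdict = parse_eap(parse_eapol(ap.handle(response))[2])[0]
    return ipv4_before, verdict, ap.forwards(0x0800), ap.log
```

`run_exchange("alice@example.test")` returns the port as closed to IPv4 before the exchange, an EAP-Success, and the port open afterwards; an identity not on the list gets EAP-Failure and the port stays closed. In a deployment the EAP-Response/Identity is only the first message: the method negotiated afterwards (EAP-TLS, PEAP and so on) is what actually proves the identity, and the Success/Failure comes from the server, not from the AP.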
Associating with the AP
Client must associate with the AP to complete the connection process. Association is necessary to synchronize the client and AP with important information, such as beacon interval and supported data rates. An association establishes a mapping between the station and the 802.11 network.
- Association Request: client sends an association request frame containing elements such as the SSID and supported data rates to the AP
- Association Response: AP sends a response containing an association ID along with other information about the AP.
After association, 802.11 data frames can be sent between the client and AP.
In case the client station moves and the RSS becomes weaker, the client may re-associate with a new AP.
- Re-association Request Frame: Client initiates re-association by sending an 802.11 reassociation request frame to the new AP
- Re-association Response Frame: New AP responds with a re-association response frame indicating a successful re-association
- Dis-association Frame: Client sends 802.11 disassociation frame to old AP
- Forward buffered frames: Old AP forwards any buffered 802.11 frames to new AP for delivery to client.
- Client and new AP can begin exchanging 802.11 data frames.
4-way handshake (Optional)
If either TKIP or CCMP is used for security, the access point initiates a 4-way handshake with the client radio immediately after the association has completed. If no security or WEP is used, the 4-way handshake is not performed.
Purpose of the handshake:
- Establish a common key that will be used to encrypt data.
- For enterprise-based WPA, this encryption key is based on information provided by a server, MAC addresses and random numbers (nonces) associated with the AP and client radio exchanged during the handshake
- For WPA pre-shared key form, the user enters a pass-phrase which is then combined with the MAC addresses and nonces.
The key changes over time making it more secure. Periodically or when a client roams to a different AP, the 4-way handshake is implemented again with different parameters.
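The key material described above, worked through as an added Python example (not from the book or the notes): the pre-shared-key path derives the PMK from the passphrase and SSID with PBKDF2 (in the enterprise case the PMK comes from the EAP method instead, and everything after that step is identical), the PTK is expanded from the PMK plus both MAC addresses and both nonces, and the KCK part of the PTK protects the handshake messages with a MIC. The passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11 PBKDF2 test vector; the MAC addresses, nonces and the EAPOL-Key frame layout used for the MIC check are constructed for the example, and all function names are this example's own.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 pre-shared-key mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    In the enterprise (802.1X) case the PMK is delivered by the EAP method instead."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits). Inputs are ordered min/max so AP and client compute the same key.
    aa = AP MAC, spa = client MAC; ANonce/SNonce are the random numbers exchanged in messages 1 and 2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Offset of the 16-byte Key MIC inside an EAPOL-Key frame: 4-byte EAPOL header, then
# descriptor type (1), key info (2), key length (2), replay counter (8), nonce (32),
# IV (16), RSC (8), reserved ID (8).
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8


def build_key_frame(snonce: bytes) -> bytes:
    """Constructed stand-in for handshake message 2 (client -> AP) with a zeroed MIC field."""
    body = (bytes([2])                        # descriptor type 2 (RSN)
            + (0x010A).to_bytes(2, "big")     # key info: pairwise, MIC present, descriptor version 2 (HMAC-SHA1)
            + (16).to_bytes(2, "big")         # key length (CCMP TK)
            + (1).to_bytes(8, "big")          # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16)                       # MIC placeholder
            + (0).to_bytes(2, "big"))         # key data length
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 (Key)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """AKM 2 (PSK): MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed), truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    """Receiver-side check: a wrong KCK or any modified byte of the frame fails it."""
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


# Constructed inputs (not captured traffic).
AA = bytes.fromhex("020000000001")       # AP MAC
SPA = bytes.fromhex("020000000002")      # client MAC
SNONCE = bytes(range(32))
ANONCE_1 = bytes(32)
ANONCE_2 = bytes([0xFF]) + bytes(31)     # a later handshake: same PMK and MACs, new AP nonce


def demo() -> dict:
    pmk = derive_pmk("password", "IEEE")  # IEEE 802.11 PBKDF2 test vector inputs
    first = derive_ptk(pmk, AA, SPA, ANONCE_1, SNONCE)
    second = derive_ptk(pmk, AA, SPA, ANONCE_2, SNONCE)
    signed = sign_frame(first["kck"], build_key_frame(SNONCE))
    tampered = bytearray(signed)
    tampered[17] ^= 0x01                  # flip one bit inside the SNonce field
    return {"pmk": pmk, "first": first, "second": second,
            "signed": signed, "tampered": bytes(tampered)}
```

Two things the paragraph states become visible in the output: the same PMK and MAC addresses with a different ANonce give an entirely different temporal key, which is why a re-run handshake (on a timer or after roaming) yields fresh keys; and the MIC on message 2 fails both for a flipped nonce bit and for a KCK derived from the other handshake, which is how each side detects a mismatched PMK or a modified message before any data key is installed.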
- Source: Designing and Deploying 802.11 Wireless Networks: A Practical Guide to Implementing 802.11n and 802.11ac Wireless Networks For Enterprise-Based Applications, 2nd Edition, by Jim Geier