Got it

STA access [From Beginner to Expert - WLAN Fundamentals] - Section 8 Highlighted

Latest reply: Apr 11, 2018 10:09:58 5818 2 2 0 0

Hi there!


This post is about STA access, as part of the From Beginner to Expert - WLAN Fundamentals section on the Community. Please see more details as you read further down.



Last time, we shared with you how a Fit AP gets online on an AC. Regardless of whether an AP is a Fat AP or an online Fit AP, the AP is deployed to provide a wireless coverage environment for STA access. This enables us to use STAs to connect to a WLAN through APs within the WLAN coverage area. The following describes how a STA connects to an AP on a WLAN.

STA access includes three steps:

1.       Scanning: A STA scans wireless networks.

2.       Link authentication: The STA is authenticated so it can establish a wireless link with an AP. If link authentication is unsuccessful, the STA cannot connect the AP.

3.       Association: After link authentication is successful, the STA negotiates the service parameters of the wireless link with the AP to establish a wireless link.


576df2f85406d.png 

After these three steps are complete, the STA can connect to the AP. The STA can access the wireless network after obtaining an IP address, or can access the network after passing access authentication and key negotiation.

Access authentication and key negotiation are optional, and are therefore not configured on all networks. During STA association, the STA determines whether to perform access authentication and key negotiation according to the received association response packet. The details are described in the section about STA association. In practice, access authentication and key negotiation are required to ensure WLAN security.

Step 1: Scanning

Before a STA connects to an AP, the STA needs to discover an AP by scanning wireless networks.

For example, when we attempt to connect to a Wi-Fi network using mobile phones, we generally view a list of wireless networks that can be discovered by the mobile phones, as shown in the following figure. The displayed strings are SSIDs that indicate wireless networks. We can tap any one of them to connect to that network.

 

576df3120a040.png

 

As illustrated in that example, a STA needs to discover wireless networks before connecting to a wireless network. The process for a STA to discover a network is called scanning. When Wi-Fi is enabled on a mobile phone, the mobile phone automatically connects to a network that has been connected to before. This function simplifies operation for users wishing to connect to previously-used wireless networks. However, it does not mean that the mobile phone did not scan wireless networks. Scanning is automatically performed by the mobile phone and scanning results are automatically displayed on it.

A STA can actively or passively scan wireless networks. Which scanning mode a STA uses is determined by whether active or passive scanning is supported by the STA.

Generally, mobile phones or computers with wireless network adapters support both active and passive scanning. Wireless networks discovered through active or passive scanning are displayed on mobile phones or computers for your selection. In most cases, VoIP terminals passively scan wireless networks to save power. Active scanning and passing scanning are described in the following sections.

Active Scanning


576df3474c0ea.png

 

In active scanning, a STA periodically sends probe packets in supported channels to search for surrounding wireless networks. The probe packets sent by the STA are called Probe Request frames. A STA can send two types of Probe Request frames: ones that contain an SSID, and ones that do not.

1.         If a STA sends a Probe Request frame that does not contain an SSID, the STA attempts to scan all surrounding wireless networks. All APs that receive this broadcast Probe Request frame then reply with a Probe Response frame to notify the STA of their SSIDs. In this way, the STA discovers all surrounding wireless networks. (If SSID hiding in Beacon frames is enabled on an AP, the AP does not respond to the Probe Request frame and the STA cannot obtain SSID information using this method.)


576df374df998.png

 

2.         If a STA sends a Probe Request frame containing an SSID, the STA attempts to search for only the wireless network with the specified SSID. After receiving the Probe Request frame, only the AP with the specified SSID will reply with a Probe Response frame.

Passive scanning

In passive scanning, a STA does not send Probe Request frames to APs, and instead receives Beacon frames that an AP periodically sends.


576df3b167e27.png 

A Beacon frame sent by an AP contains information about the AP’s SSID and supported rate. An AP periodically broadcasts Beacon frames. For example, if the interval at which an AP sends Beacon frames is 100 ms, the AP broadcasts Beacon frames at an interval of 100 ms. A STA listens to Beacon frames in supported channels to obtain information about surrounding wireless networks. (If SSID hiding in Beacon frames is enabled on an AP, the AP periodically sends Beacon frames that contain empty SSID character strings and a STA cannot obtain SSID information from the Beacon frames.)

After wireless networks are discovered by a mobile phone, whether by active or passing scanning, you can select a wireless network to access. At this point, link authentication begins.

Step 2: Link Authentication

A STA connects to an AP through a wireless link. Only STAs that are successfully authenticated can establish wireless links with an AP. At this point in the process, some wireless networks require access authentication, in which case the STAs can access wireless networks only after passing access authentication.

Link authentication may remind you of other authentication modes such as 802.1x authentication, pre-shared key (PSK) authentication, and open system authentication. What is the relationship between link authentication and these authentication modes? Before answering this question, let's briefly talk about security policies.

Each security policy has a series of security mechanisms, including the link authentication mechanism, used to establish a wireless link; user authentication mechanism, used when users attempt to connect to a wireless network; and data encryption mechanism, used during user data transmission. The following table lists the link authentication, access authentication, and data encryption modes used in several security policies.

Security

Policy

Link

Authentication

Access

Authentication

Mode

Data

Encryption

Mode

Remarks

Wired

Equivalent

Privacy (WEP)

Open

Not involved

No encryption or

WEP encryption

Provides low security.

Shared key

authentication

Not involved

WEP encryption

Provides low security.

Wi-Fi Protected

Access

(WPA)/WPA2-

802.1X

Open

802.1x (EAP)

Temporal Key

Integrity Protocol

(TKIP) or CBC-

MAC Protocol

(CCMP)

Provides high security and is

applicable to large-sized enterprises.

WPA/WPA2-

PSK

Open

PSK

TKIP or CCMP

Provides high security and is

applicable to medium- or small

enterprises, or household users.

WAPI-CERT

Open

PSK

SMS4

A Chinese ational

standard for

WLANs. Rarely used and

applicable to large-sized

enterprises and carriers.

WLAN

Authentication

and Privacy

Infrastructure

(WAPI)-PSK

Open

WAPI certificate

authentication

SMS4

A Chinese ational

standard for

WLANs. Rarely used and

applicable to small-sized

enterprises and household users.


  Link authentication and access authentication are performed during different phases.


576df3ebde316.png

The preceding table demonstrates that the main security policies are WEP, WPA, WPA2, and WAPI. These security policies use only two link authentication modes: open system authentication and shared key authentication.

802.1x authentication and PSK are access authentication modes. Although not listed in the preceding table, MAC address authentication and Portal authentication are also important access authentication modes.

For details about security policies, MAC address authentication, and Portal authentication, see sections about WLAN security in WLAN product manuals.

Now, let's continue to talk about link authentication modes, namely, open system authentication and shared key authentication. What are the authentication processes for these two modes?

Open system authentication

Open system authentication indicates no authentication, which is also an authentication mode. Using this authentication mode, STAs are authenticated successfully as long as they send authentication requests to an AP. It is not a secure authentication mode. Therefore, open system authentication is always used together with other access system authentication modes to improve security.


576df42fb4165.png

 

Shared Key Authentication

Shared key authentication may make you think of Pre-shared key Authentication (PSK). Shared key authentication is a link authentication mode while PSK is a user access authentication mode. The two authentication processes are similar.

Shared key authentication consists of four steps and requires that a STA and an AP have the same shared key. Otherwise, authentication fails.

576df46ad1c81.png


1.         The STA sends an Authentication Request to the AP.

2.         After receiving the request, the AP generates a challenge and sends it to the STA.

3.         The STA uses the pre-configured key to encrypt the challenge and sends it to the AP.

4.         After receiving the encrypted challenge, the AP uses the pre-configured key to decrypt the challenge and compares the decrypted challenge with the challenge sent to the STA. If the pre-configured keys on the STA and AP are the same, the STA is authenticated. Otherwise, the STA is not authenticated.

After link authentication succeeds, the STA is associated with the AP.

Step 3: Association

Association is always initiated by a STA. Association refers to link negotiation between a STA and an AP.

The association process consists of two steps: association request and response.


576df49126c3c.png

 

The Association Request packet sent by the STA contains the STA’s parameters and the parameters that the STA selects according to the service configuration, including the supported rate, channel, QoS capabilities, access authentication modem, and encryption algorithm. If a Fat AP receives an Association Request packet from a STA, the Fat AP directly determines whether to perform access authentication and replies with an Association Response packet. If a Fit AP receives an Association Request packet from a STA, the Fit AP encapsulates the packet into a CAPWAP packet, and sends the CAPWAP packet to the AC. The AC then determines whether to authenticate the STA, decapsulates the Association Response packet received from the AC, and sends the Association Response packet to the STA. During this process, the Fit AP just forwards packets. Association packets exchanged between the AP and AC transmitted through a CAPWAP tunnel.

After association is complete, a wireless link is established between the STA and AP. If no access authentication is configured, the STA can access the wireless network after obtaining an IP address. If access authentication is configured, the STA can access the network only after passing access authentication and key negotiation. (If access authentication fails, the STA can only access network resources in the guest VLAN or the Portal authentication page.)

Other Steps

Access authentication modes include 802.1x authentication, PSK authentication, MAC address authentication, and Portal authentication. These authentication modes can be used to authenticate user identities to improve network security. Key negotiation ensures user data security. After successful access authentication and key negotiation, a STA can surf the Internet. If you are interested in access authentication, see sections about WLAN security in WLAN product manuals.

Finally, I'd like to share with you a story and ***yze it using what we've learned today. A newly married couple visited the **'s sister. At the sister's home, the ** directly connected to the Wi-Fi network using her **'s mobile phone without entering the password. When she took out her own mobile phone to connect to the Wi-Fi network, she could not connect without entering the password. At this moment, she knew that her ** had been to her friend's house before, and became suspicious. This is how she knew:

The Wi-Fi network is displayed on a mobile phone after the Wi-Fi network is discovered by the mobile phone through scanning. The **'s mobile phone could connect to the Wi-Fi network, while the ** must enter the password for network connection. Because she needed to enter a password to access the Wi-Fi network, she knew that the network is password-protected. If a mobile phone has connected to a Wi-Fi network in the past, the mobile phone generally saves network connection information such as the password, so that the mobile phone user does not need to enter the password again when connecting to the Wi-Fi network at a later time. Therefore the **'s mobile phone could directly connect to the Wi-Fi network at his **'s sister's home without the need of entering the password because the mobile phone has connected to the network before.

However, we cannot determine whether the password is used for link authentication or access authentication. Shared key encryption can be used as a link authentication mode. 802.1x, PSK, or Portal authentication can each be used as an access authentication mode. Both link authentication and access authentication require passwords. Therefore, a password can be used for link authentication or access authentication. In our daily lives, open system authentication is usually used for link authentication, and shared key authentication is rarely used. Therefore, there is a great probability that the password in the story is being used for access authentication.

The post is synchronized to: From Beginner to Expert-WLAN Fundamentals

  • x
  • convention:

debugger
Created Jun 25, 2016 06:27:50

wifi is very userful
View more
  • x
  • convention:

wissal
MVE Created Apr 11, 2018 10:09:58

useful document, thanks
View more
  • x
  • convention:

I%20would%20like%20to%20share%20with%20you%20my%20experience%2C%20I%20am%20a%20telecommunications%20engineer%2C%20currently%20senior%20project%20manager%20at%20a%20telecom%20operator%20who%20is%20a%20partner%20of%20Huawei%2C%20in%20the%20radio%20access%20networks%20department%2C%20during%20my%20career%20I%20have%20managed%20various%20projects%20for%20various%20network%20nodes.%3Cbr%2F%3EAt%20the%20same%20time%2C%20temporarily%20I%20give%20courses%20in%20telecom%20engineering%20schools%2C%20to%20bring%20the%20operational%20side.

Comment

You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits

Login

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.