Wireless Controller
Dedicated Wi-Fi control and management for high density and mobility
nsamuel
Staff
Article Id 196668
Description

Access points are tethers that connect traffic between mobile stations and other devices on the network. Before a mobile station can send traffic through an AP, it must be in the appropriate connection state.

The connection states are as follows:

  1. Not authenticated or associated.
  2. Authenticated but not yet associated.
  3. Authenticated and associated.

A mobile station must be in the third state before bridging can occur. The mobile station and AP will exchange a series of 802.11 management frames in order to get to the authenticated and associated state.


 


 

A mobile station starts out as neither authenticated nor associated.


  1. A mobile station sends a probe request to discover 802.11 networks within its proximity. A probe request advertises the mobile station's supported data rates and 802.11 capabilities such as 802.11n. The probe request is sent from the mobile station to the destination layer-2 address and BSSID of ff:ff:ff:ff:ff:ff. Every AP that receives the probe request will respond.
  2. Any AP that receives the probe request checks to see if the mobile station has at least one common supported data rate. If the AP and the mobile station have compatible data rates, a probe response is sent advertising the SSID (wireless network name), supported data rates, encryption types if required, and other 802.11 capabilities of the AP. A mobile station chooses compatible networks from the probe responses that it receives. Compatibility can be affected by the encryption type. Once compatible networks are discovered, the mobile station will attempt low-level 802.11 authentication with compatible APs. 802.11 authentication is not the same as the WPA2 or 802.1X authentication mechanisms, which only occur after a mobile station is authenticated and associated. The 802.11 authentication frames were originally designed for WEP encryption; however, this security scheme has been proven to not be secure and has been deprecated. 802.11 authentication frames are open, and almost always succeed.
  3. A mobile station sends a low-level 802.11 authentication frame to an AP, setting the authentication to open and indicating a sequence of 0x0001.
  4. The AP receives the authentication frame and responds to the mobile station with an authentication frame set to open, indicating a sequence of 0x0002. If an AP receives any frame other than an authentication or probe request from a mobile station that is not authenticated, it will respond with a deauthentication frame, placing the mobile station into an unauthenticated and unassociated state. The mobile station is now authenticated, but not yet associated. Some 802.11 capabilities allow a mobile station to low-level authenticate to multiple APs, which speeds up the association process when moving between APs. A mobile station can be 802.11 authenticated to multiple APs; however, it can only be actively associated and transferring data through a single AP at a time.
  5. Once a mobile station determines which AP it would like to associate to, it sends an association request to that AP. The request contains the chosen encryption types, if required, and other compatible 802.11 capabilities. If an AP receives a frame from a mobile station that is authenticated but not yet associated, it will respond with a deauthentication frame which places the mobile station into an authenticated but unassociated state.
  6. If the elements in the association request match the capabilities of the AP, the AP will create an Association ID for the mobile station and respond with an association response with a success message which grants network access to the mobile station.
  7. The mobile station is successfully associated to the AP and data transfer can begin.


Note: If WPA/WPA2 or 802.1X authentication is required on the wireless network, the mobile station will not be able to send data until dynamic keying and authentication have taken place after the 802.11 Association is complete.
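
When troubleshooting from a packet capture, the three states can be reconstructed per station and BSSID from the management frames described in the steps above. The following Python sketch is an added example, not part of the original article or any Fortinet tool: it parses raw 802.11 management frames and tracks the state of each (station, BSSID) pair. The MAC addresses and frame bytes are constructed sample data, and the rule that a new association demotes the previous one to state 2 is a modelling assumption based on the single-active-association statement in step 4.

```python
import struct

# Management subtypes (frame control bits 4-7); probe frames never change state.
ASSOC_RESP, AUTH, DEAUTH = 1, 11, 12
UNAUTH, AUTHENTICATED, ASSOCIATED = 1, 2, 3  # the article's three states

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid, body), or None if not a management frame."""
    if len(frame) < 24 or frame[0] & 0x0F != 0:  # version 0, type 0 = management
        return None
    return (frame[0] >> 4, *(frame[i:i + 6].hex(":") for i in (4, 10, 16)), frame[24:])

class StationTracker:
    """Derives the state of each (station, BSSID) pair from observed frames."""
    def __init__(self):
        self.state = {}
    def feed(self, frame):
        parsed = parse_mgmt(frame)
        if parsed is None:
            return
        subtype, dst, src, bssid, body = parsed
        key = (dst if src == bssid else src, bssid)  # (station, BSSID)
        if subtype == AUTH and src == bssid and len(body) >= 6:
            alg, seq, status = struct.unpack_from("<HHH", body)
            if (alg, seq, status) == (0, 2, 0):  # open system, AP reply, success
                self.state[key] = AUTHENTICATED
        elif subtype == ASSOC_RESP and src == bssid and len(body) >= 6:
            _cap, status, _aid = struct.unpack_from("<HHH", body)
            if status == 0 and self.state.get(key) == AUTHENTICATED:
                for other, st in self.state.items():  # assumption: old AP drops to state 2
                    if other[0] == key[0] and st == ASSOCIATED:
                        self.state[other] = AUTHENTICATED
                self.state[key] = ASSOCIATED
        elif subtype == DEAUTH:
            self.state[key] = UNAUTH

def build(subtype, dst, src, bssid, body):  # constructed sample frames, not a capture
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + raw(dst) + raw(src) + raw(bssid) + b"\x00\x00" + body

def demo():
    sta, ap1, ap2 = "02:00:00:00:00:01", "02:00:00:00:00:a1", "02:00:00:00:00:a2"
    body = {AUTH: struct.pack("<HHH", 0, 2, 0), DEAUTH: struct.pack("<H", 3),
            ASSOC_RESP: struct.pack("<HHH", 0x0001, 0, 0xC001)}
    tracker, seen = StationTracker(), []
    for sub, ap in [(AUTH, ap1), (AUTH, ap2), (ASSOC_RESP, ap1), (ASSOC_RESP, ap2), (DEAUTH, ap1)]:
        tracker.feed(build(sub, sta, ap, ap, body[sub]))
        seen.append(tuple(tracker.state.get((sta, a), UNAUTH) for a in (ap1, ap2)))
    return seen
```

`demo()` returns the state of the sample station toward each of the two APs after every frame: authenticated to both, associated to the first, roamed to the second, then deauthenticated by the first.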


