Wireless usage is increasing day by day. Wireless gives users the flexibility to move around while staying connected to the network or the Internet.
Understanding the flow of frames between the user device and the Access Point helps identify the cause of a problem quickly.
We see people complaining about wireless: "suddenly I am losing my wireless connection" or "I am unable to establish a wireless connection in a few places".
Knowing the frames exchanged between a wireless user device (such as a mobile phone) and an Access Point to establish a successful wireless connection, and the Information Elements (IEs, also called fields or parameters) in each frame, helps a lot in identifying who is causing the connectivity failure: the user device or the Access Point.
I am taking an example to show the frames exchanged when a user device establishes a wireless connection with an Access Point broadcasting an 802.1x/PSK SSID (using WPA2).
Note: I did not show the acknowledgement frames in the above diagram. Unicast frames receive Acknowledgement frames.
Let me explain each frame in the above diagram and the Information Elements (IEs) that help us understand each frame's functionality, using Wireshark captures.
The tool used for the air capture is a MacBook Air.
Beacon
To filter only Beacon frames in Wireshark: "wlan.fc.type==0 && wlan.fc.subtype==8"
The Beacon frame is broadcast by the AP with the SSID name and its capabilities.
AP Supported Rates are visible.
The SSID name is seen in the Beacon, Probe Response & Association Request.
Note: if the SSID is hidden, you cannot see the SSID name in the Beacon, but it can be seen in the others.
The Country Code in the Beacon shows which Regulatory Domain the AP supports. This is critical information for a few devices to connect, like IP-based wireless handsets.
The Channel on which the Beacon is broadcast.
HT/VHT/HE elements in the Beacon say the AP supports 802.11n/ac/ax.
The RSN (Robust Security Network) Information Element says whether the SSID supports Pre-Shared Key (PSK) or 802.1x.
The Mobility Domain element is found in the Beacon if the SSID is configured for 802.11r. 802.11r can be configured on an 802.1x or PSK SSID.
The Beacon management frame and the Probe Response frame from an access point are almost identical, meaning they have the same information elements. However, the Probe Response frame does not contain the traffic indication map (TIM) information element. The TIM informs client stations if they have data buffered at the access point when the client wakes up from a power save mode and is only in the Beacon management frame.
Wireshark filter for Beacon Management Frames: (wlan.fc.type==0 && wlan.fc.subtype==8)
Probe Request
A Probe Request is a frame broadcast by the user device to identify the access points broadcasting the SSID.
The user device sends the Probe Request on the channel learned from the Beacon to discover the BSSIDs / APs broadcasting the SSID.
A BSSID looks like a MAC address and is a unique address that identifies the Access Point, SSID, and radio (2.4GHz or 5GHz).
Wireshark filter for Probe Requests: (wlan.fc.type==0 && wlan.fc.subtype==4)
Probe Response
A Probe Response is sent by Access Points in response to a Probe Request and has the SSID name and capabilities.
Whenever there is a Probe Request on a specific channel, all the APs on that channel respond with a Probe Response carrying parameters like the SSID, the authentication type supported, etc.
All other information in the Probe Response is similar to the Beacon, like Supported Rates, 802.11a/n/ac/ax, and the RSN information (which says whether the SSID is 802.1x or PSK).
The Probe Response has the SSID name even when the SSID is configured to be hidden. This is why hiding the SSID is not considered securing the network.
The Probe Response frame from an access point is identical to the Beacon management frame except for the traffic indication map (TIM) used for power save mechanisms.
Wireshark filter for Probe Responses: (wlan.fc.type==0 && wlan.fc.subtype==5)
Why does Open Authentication happen before Association with the SSID?
Open Authentication is the first unicast communication from the user device to the Access Point after identifying the BSSID of the AP.
Open Authentication validates the authentication algorithm. Typically we see the authentication algorithm as "Open System", unless we use WPA3, or during a Fast Transition (802.11r) re-association.
The user device sends its Authentication Request with the Authentication Algorithm set to Open System, and the AP responds with an Authentication Response confirming that Authentication Algorithm "Open System" is supported, with the Authentication status as Successful.
Note: All Robust Security Network, captive portal, etc. authentications happen after the association is successful.
Wireshark filter for Open Authentication frames: (wlan.fc.type==0 && wlan.fc.subtype==11)
Association Request
We can see the SSID name & Supported Rates of the user device trying to associate with the AP.
The user device's supported channels can be seen. This information helps explain why the user device cannot connect to a specific AP.
Example: the user device does not support DFS channels, and a specific AP is on DFS channel 116. The user device will fail to connect to that AP.
The authentication type the user device is trying to use with the SSID can also be seen.
For PSK, it is shown under the RSN element.
For 802.1x, it is also shown under the RSN element.
The Mobility Domain element confirms that the user device supports 802.11r.
HT/VHT elements confirm the user device supports 802.11n/ac.
802.11k and 802.11v support can also be seen.
Association Response
It will have Status code Successful, which confirms the AP supports the SSID parameters (like the authentication type) the user device is looking for.
The Mobility Domain element confirms AP supports 802.11r.
In the Mobility Domain element, the Mobility Domain Identifier is critical information used during roaming to identify the APs in the same BSS.
The Association ID (AID) is present in the MAC frame header of the Association Response frame and is used to identify the station's association number. The AID number is used in power save mode by the access point to indicate that it has unicast data buffered for the station.
Authentication
In 802.1x authentication, the authentication credentials are verified with the authentication source. If authentication succeeds, EAP-Success is returned by the AP; otherwise EAP-Failure.
In rare scenarios, authentication failures happen due to an authentication method mismatch with the RADIUS servers.
Example: the user device authenticates using 802.1x with authentication method EAP-PEAP, but the RADIUS server supports only EAP-MD5; authentication will fail.
Pre-Shared Key (PSK) is not an authentication type/method. The PSK is used in EAPOL Key 1-4 generation. If the PSK on the user device and the AP differ, then EAPOL Key generation stops at EAPOL Key 2, and we will not see EAPOL Key 3 & 4, as shown below.
EAPOL Key 4-Way Handshake
Robust Security Network Association (RSNA) - an association between a pair of stations that includes a 4-way handshake.
Robust Security Network (RSN) - a network which allows Robust Security Network Associations. An RSN can be identified by the presence of the Information Element "RSN" in the Beacon.
Master Session Key (MSK) - derived between the EAP peer and server and exported by the EAP method. The MSK is at least 64 octets in length. In existing implementations, an AAA server acting as an EAP server transports the MSK to the authenticator.
In WPA2-Personal, the Pre-Shared Key is used as the MSK.
Pairwise Master Key (PMK) - the key derived using the MSK. The PMK is generated at the Supplicant and the Authenticator.
Group Master Key (GMK) - a key derived at the Authenticator only.
Nonce - an arbitrary number used only once.
Pairwise Transient Key (PTK) - derived from the PMK, Authenticator Address (AA), Supplicant Address (SPA), Authenticator Nonce (ANonce) and Supplicant Nonce (SNonce) using a pseudo-random function.
The PTK contains five different keys:
1. Temporal Encryption Key (TEK)
2. Two temporal Message Integrity Code (MIC) keys
3. Key Encryption Key (KEK)
4. Key Confirmation Key (KCK)
Temporal Encryption Key (TEK) - the actual key used to encrypt unicast traffic between the AP & the user device.
Key Encryption Key (KEK) - the key used to encrypt the Key Data field in the EAPOL Key frame.
Key Confirmation Key (KCK) - the key used for the integrity check (MIC) of an EAPOL Key frame.
Pairwise Master Key Security Association (PMKSA) - the resulting context after successful authentication between the Supplicant & the Authentication Server, or from a pre-shared key. At this moment, the PMK is generated at the Supplicant & the Authentication Server.
Pairwise Master Key Identifier (PMKID) - a unique identifier for each PMKSA established between the AP & the STA.
Only in the Association Request & Re-association Request can the PMKID Count and PMKID fields be seen, inside the RSN information element.
Example: PMKID Count & PMKID in a Re-association Request frame.
4-Way Handshake
In 802.1x, all keys are unique for each Supplicant & Authenticator pair, which justifies the names Robust Security Network & Robust Security Network Association.
In PSK, all keys except the PMK are unique.
PMK is not exchanged between Stations (AP & user Devices).
The group key is used to secure broadcast and multicast frames. The group key is refreshed based on the settings in infrastructure devices such as the access point, which determine the group key's refresh interval. This results in a separate 2-way handshake after the 4-way handshake completes successfully, called the group-key handshake.