In the wired world, to connect to the network you would plug in your Ethernet cable into the switch. In the wifi world, you must connect to the access point. The process of connecting to an access point is called the 802.11 State Machine.
How does the station (STA) and access point agree to this connection?
I’m going to attempt to break it down step-by-step on this post.
802.11 State Machine
In my example, I have one STA connecting to an open SSID. The summary of it all is as follows:
- STA is unauthenticated and unassociated
- STA becomes authenticated and unassociated
- STA becomes authenticated and associated
- STA clears security requirements such as 802.1X, if required
Beacon/Probe
The STA begins the process by performing a passive or active scan. In the passive mode, the STA is listening for beacons from an access point. The beacon frame contains the BSSID which is the MAC address of the radio sourcing from the access point.
The beacon frame is a type of management frame defined in 802.11-2007. It includes capability information and parameters.
Active Scan / Probe
A probe is sourced from the STA requesting to join a wireless network. This is a probe request management frame. The probe is responded by an access point using a probe response management frame.
In the probe request you will find the parameters as shown below. This is an example probe request from a STA broadcasted to any access point that can respond. The wireless network requested is eduroam.
Authentication
The probing/scanning phase is part of the unauthenticated and unassociated step. The STA has not authenticated with the access point and also is not associated with the access point. Think of authentication as plugging a computer into a port on a switch.
The STA must be authenticated to the access point before it is associated. It sounds backwards. These are the two states in this phase and it must be done in this order.
A STA can be in either two states in Authentication and Association:
- Unauthenticated or authenticated.
- Unassociated or associated.
To begin the Authentication step, the STA sends an Authentication wireless management frame to the access point. The access point responds with an Acknowledgement frame.
Notice above, the Authentication Sequence is set to a state of 1.
The access point will acknowledge the Authentication frame from the STA and upon successful authentication, the access point will send an authentication frame to the STA with an Authentication Sequence with a State of 2, for success.
Access point sends an Authentication frame with a state of 2, for Successful.
Open System and Shared Key
If you noticed in the above successful authentication frame, the Authentication Algorithm was set to Open System. There are two types of methods for authentication.
- Open System
- Shared Key
Open System performs no client verification. This is the method used with SSIDs utilizing WPA, WPA2, and those with no password.
Shared Key uses a passphrase and contains a 4-way handshake for authentication. The STA sends a request to authenticate, access point receives the request and sends back a cleartext challenge, the STA encrypts and sends another authentication request based on the cleartext challenge and then the access point compares the STA’s challenge to the text. If successful, the STA is authenticated.
Association
Once the STA is authenticated to the access point, the next step is to become Associated. The Association occurs after the Shared Key Authentication or Open System Authentication Algorithm. There cannot be a STA that is Associated but not Authenticated. If the STA fails Authentication, it does not move to Association.
After the the access point sends an Acknowledgement to the STA’s Authentication Response, the STA sends an Association Request.
The Association Request is Acknowledged by the access point which then sends an Association Response frame to the STA.
If the association is successful, the access point’s Association Response frame will contain a Status code: Successful.
The details within an Association Response include:
- Capabilities Information such as
- Supported Data Rates
- HT Capabilities
- HT Information such as the Primary Channel
- WMM information
- And more..
If the Status code is anything other than Successful, then the STA is deauthenticated.
Summary
The example above uses a STA that is trying to connect to a wireless network for the first time. The SSID is called TEST and does not have a password set up.
The STA probes for the SSID, moves into Authentication, transitions into Association, and is then successfully Authenticated and Associated. This last part indicates the STA can now send data wirelessly on the TEST network.
Below are the states a station cycles through to join a BSS:
- Unauthenticated and Unassociated.
- Authenticated but Unassociated.
- Authenticated and Associated.
hi rowell, from my WLC how can I see in the WLC — MONITOR — CLIENT TAB users ASSOCIATED but NOT AUTHENTICATED when your note above says the opposite. I mean, association cannot happen if authentication is not successful first. I am using WPA2-AES AS LAYER 2 AUTHC mechanism (802.1X EAP-TLS)
Hi Abraham,
If we leave the Cisco WLC out of it.. the process is first authentication and then association. But after that there is a separate step to pass any security measures.
So in your case, your client connects to the AP through authentication and then is associated to the AP. Now it must pass WPA2-AES or 802.1X. That is what the WLC is referring to. The client is associated to the AP but if failing security so therefore, from a WLC point of view, the client is not authenticated.
thanks rowell for your reply.
So basically what I understand from this is that— when we’re prompted to input a passphrase to connect to our wireless home router, this happens after the client station is in the “associated and authenticated” connection state when using WPA2?