In this post we will see how 802.11r Over-the-Air Fast BSS Transition works. We will use same topology & base configuration used for the previous post.
First I have to disable “Over-the-DS” feature on the WLAN to force FT transition “Over-the-Air” as shown below.
wlan MRN-EAP 22 MRN-EAP
client vlan 22
security wpa akm ft dot1x
security dot1x authentication-list MRN-DOT1X
security ft
no security ft over-the-ds
no shutdown
When the client associate to LAP1, it will go through FT initial mobility domain association process (described in 802.11r FT association post). Here is the snapshot of that frame capture.
In “Over-the-Air Fast BSS Transition” client will communicate with Target AP (LAP2 in my case) over the air. So you can capture these frame exchange if you sniff CH40 as LAP2 is set to that channel. So here is my capture looks like. As you can see in the time stamp (from frame 88 to frame 95) roaming complete within 14ms.
As you can see in the above, you can see only 4 frames like in Open System Authentication & even not includes any 4-Way Handshake messages :shock: . These are 4 frames exchange when this roam occurs,
1. Authentication Request
2. Authentication Response
3. Re-association Request
4. Re-association Response
Without 4-Way Handshake messages how client & AP derive PTK to encrypt traffic ? If you look at the detail of the above frames you will find the answer. In Over-the-Air Fast BSS Transition, these 4 frames include 4-Way Handshake information. This will effectively combines the initial Open System Authentication & Re-association frames with 4-Way Handshake frames. (so 4 less frames required to complete a roam).
Now let’s go into detail of each of these frames. First we will look at the “Beacon frame” to see “Over-the-Air” FT support advertising. As you can see below in RSN-IE its advertising 802.1X & FT over 802.1X capability & in MDIE “Over-the-DS” bit set to “0” indicating it is supporting “Over-the-Air” Fast BSS Transition.
So let’s go to “Authentication Request” frame detail initiated by the client (iPhone5 in this case). As you can see, this frame contain RSNIE, MDIE, FTIE information elements. RSNIE includes PMKID count & PMKID list. FTIE includes SNonce, R0KH-ID.
Then target AP(LAP2) sends the “Authentication Response” frame to client. This frame also contain RSNIE, MDIE & FTIE. In FTIE includes ANonce, SNonce,R1KH-ID & R0KH-ID.
Then client sends the “Re-association Request” frame. This also contain RSNIE,MDIE & FTIE. FTIE includes MIC,Anonce, SNonce, R1KH-ID, R0KH-ID.
Finally AP sends “Re-association Response” frame. This frame contain RSNIE, MDIE,FTIE & GTK information.
Below diagram (page 270 of CWSP Official Study Guide) show the frame exchange of “Over-thee-air fast BSS transition” which described above.
In the next post how “Over-the-DS fast BSS Transition” works.
References
1. Over-the-Air-FT (frame capture used for this post)
2. CWSP Official Study Guide – Chapter 7
Related Posts
1. CWSP-802.11 Roaming Basics
2. CWSP-802.11r Key Hierarchy
3. CWSP-802.11r FT Association
4. CWSP-802.11r Over-the-DS-FT
5. CWSP-4 Way Handshake
6. CWSP- RSN IE
