One of the most fundamental processes in Wi-Fi is how a client finds and connects to a wireless network. In this blog I'm going to explain to myself how I believe the process works, having read the CWNA study materials, sat the ECSE Design course, read a whole plethora of online blogs and listened to a range of podcasts discussing the subject over the last few months.
Very briefly, the process of finding and joining a network is described by the 802.11 state machine. There are four states, and we will look at the transitions between the first three in more detail further into this post, but for now a client goes through the following steps to get connected:
Unauthenticated and Unassociated
Authenticated but Unassociated
Authenticated and Associated
Authenticated, Associated and keys established (reached after the four-way handshake, which is where this post stops)
Let's start with the first elephant in the room: Authenticated doesn't mean what you might think it means. The Authentication frames in this exchange carry an authentication algorithm number, and there are two legacy options. Open System Authentication is what you should see on nearly every network today. As the name suggests it is a null authentication: any client that asks is accepted, so it provides no security and no encryption. The other is Shared Key Authentication, which challenged the client to prove it held the WEP key. It is deprecated along with WEP and should not be seen on a modern network, which is why Open System is what you see at this point in the connection process. (WPA3 is the exception: SAE uses its own authentication algorithm number and does its cryptographic exchange inside the Authentication frames.) The WPA2 or 802.1X authentication you might expect to see here actually happens after the association process is complete: an EAP exchange if 802.1X is in use, and then in both cases the four-way handshake that derives the encryption keys.
So how does an unauthenticated and unassociated client find a network to join? There are two methods. The first, passive scanning, relies on beacons from the access point advertising which networks are available and with what capabilities. An example of a beacon frame is shown below for the wireless network VM7535957, which is on channel 44.
By default beacons are sent every 100 time units, which is 102.4 ms, so roughly ten times per second. A beacon is sent on every radio in an AP for every SSID it is broadcasting, so the number of beacons soon adds up. Beacons are also sent at the lowest basic (mandatory) data rate configured for the SSID, so it's easy to see why multiple SSIDs with support for 802.11b at 1 Mbps can start chewing up your airtime. Dropping support for 802.11b clients and raising the lowest mandatory rate to 12 Mbps or 24 Mbps vastly decreases the airtime consumed by beacons, even when running multiple SSIDs. A great source to illustrate this is the Revolution Wifi SSID Overhead Calculator, which can be found at
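As an added illustration (my own code, not the calculator's and not from the original post), the following Python estimates the share of one radio's airtime that beacons alone consume, given the number of SSIDs, the beacon data rate and the PHY. The 250-byte beacon size is an assumption; the PLCP overheads (192 µs for a DSSS long preamble, 16 µs preamble plus 4 µs SIGNAL symbol for OFDM) are from the PHY specs. It ignores interframe spaces and the occasional beacon delayed by a busy channel, so it is a floor, not a measurement.

```python
import math

TU_US = 1024                       # one 802.11 time unit in microseconds
DEFAULT_BEACON_INTERVAL_TU = 100   # 100 TU = 102.4 ms, the usual default

# PLCP preamble + header overhead that precedes every frame, by PHY.
# Values from the PHY specs: DSSS long preamble 192 us;
# OFDM (802.11a/g) 16 us preamble + 4 us SIGNAL symbol = 20 us.
PHY_PREAMBLE_US = {"dsss": 192.0, "ofdm": 20.0}


def frame_airtime_us(frame_bytes, rate_mbps, phy):
    """Time one frame occupies the channel at the given PHY and data rate."""
    if phy == "ofdm":
        # OFDM adds 16 SERVICE + 6 tail bits and pads to whole 4 us symbols
        bits = 16 + frame_bytes * 8 + 6
        symbols = math.ceil(bits / (rate_mbps * 4))   # rate*4 = bits per 4 us symbol
        return PHY_PREAMBLE_US[phy] + symbols * 4
    return PHY_PREAMBLE_US[phy] + frame_bytes * 8 / rate_mbps


def beacon_airtime_percent(n_ssids, rate_mbps, phy, beacon_bytes=250,
                           interval_tu=DEFAULT_BEACON_INTERVAL_TU):
    """Share of one radio's airtime consumed by beacons alone.
    beacon_bytes=250 is an assumed typical beacon size; real ones vary
    with the number of IEs (RSN, HT/VHT capabilities, vendor elements)."""
    beacons_per_second = 1e6 / (interval_tu * TU_US)        # ~9.77 at 100 TU
    per_beacon_us = frame_airtime_us(beacon_bytes, rate_mbps, phy)
    return n_ssids * beacons_per_second * per_beacon_us / 1e6 * 100


if __name__ == "__main__":
    # Beacon overhead for 1, 4 and 8 SSIDs at the rates discussed in the post
    for rate, phy in ((1, "dsss"), (6, "ofdm"), (12, "ofdm"), (24, "ofdm")):
        row = [f"{beacon_airtime_percent(n, rate, phy):5.2f}%" for n in (1, 4, 8)]
        print(f"{rate:>2} Mbps {phy}: 1/4/8 SSIDs -> {'  '.join(row)}")
```

Running it prints roughly 2%, 9% and 17% of airtime for 1, 4 and 8 SSIDs at 1 Mbps DSSS, against 0.1%, 0.4% and 0.8% at 24 Mbps OFDM, which is the whole argument for disabling the 802.11b rates.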
Active scanning, on the other hand, relies on the client sending a probe request actively asking whether there are wireless networks available in the area. A probe request can either carry an SSID element of zero length (a wildcard or null probe request), which every AP in range will answer, or name a specific SSID (a directed probe request), in which case only APs carrying that SSID respond. Probe requests are sent to the broadcast address at the lowest mandatory rate the client supports. Note that a directed probe request reveals the SSIDs in a client's saved network list to anyone listening on the channel, which is a tracking concern. The probe request below is a directed one looking for the network VM7535957.
A probe response, as seen below, is sent in answer to a request. Probe responses are unicast, so the client should ack them. They are sent at the lowest basic rate common to the client and AP. They are very similar to beacon frames in that they carry the same extensive set of 802.11 parameters for the network.
So at this point our client is still unauthenticated and unassociated, but it now knows everything it needs to find a compatible network. The client will run through its own set of metrics to decide which AP it wants to connect to for any given SSID. Once it reaches a conclusion it sends an Authentication Request, as unicast traffic, to the AP. This request carries the authentication algorithm number (Open System in this instance) and an authentication sequence number of 1. As unicast traffic, an ack from the AP is expected. You'll notice there is no mention of the SSID that the client is hoping to associate with at this point, simply the BSSID of the AP it wants to connect to.
In response the AP sends an ack and then an authentication response frame. This is also unicast and also expects an ack from the client. The response should show the authentication sequence number set to 0x0002 and a status code of 0x0000, indicating successful completion of Open System authentication. Because Open System accepts anyone who asks, that success tells you nothing about who the client is; it only moves the client to the next state.
At this point we have an authenticated but unassociated client. In the wired world we've plugged the cable in: we're connected to the AP but not to the specific network. Our client continues with the next part of the process, association, by sending another request, this time the association request. The association request contains the SSID that the client is asking to join along with an extensive list of capabilities covering channels, rates, PHYs, power and supported security types (the RSN information element), amongst others. Again it is unicast to the AP and requires an ack.
Again the AP responds with an ack and then, hopefully, an association response. The AP compares the client's capabilities to its own; a client that does not support every rate in the BSS basic rate set, for example, will be refused. If successful the association response contains a Status Code of 0x0000 and assigns the client an Association ID (AID). If unsuccessful the Status Code is non-zero; 0x0001 (unspecified failure) is the generic value, but the standard defines more specific codes that say why the AP declined.
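To make the state machine concrete, here is an added example (my own code, not part of the original post and not the code of any real driver or AP) that serves both the scanning section above and the authentication and association steps just described. It builds and parses the management frames at the level of the 24-byte header, the fixed fields and the tagged information elements, then runs a client through a directed probe, Open System authentication and association against a toy AP that tracks each client's state. The BSSID 00:11:22:33:44:55, the client addresses and the rate sets are made up; the frames carry no FCS, radiotap header or sequence numbers, and the acks are implied. Status codes 13 and 18 are the standard's codes for "unsupported authentication algorithm" and "client does not support all basic rates".

```python
import struct

# Management frame subtypes (frame control = subtype << 4, type 00 = management)
SUBTYPE = {0x0: "assoc-req", 0x1: "assoc-resp", 0x4: "probe-req",
           0x5: "probe-resp", 0x8: "beacon", 0xb: "auth"}
AUTH_OPEN_SYSTEM = 0                                    # authentication algorithm number
STATUS_SUCCESS, STATUS_UNSPECIFIED, STATUS_BAD_AUTH_ALG, STATUS_MISSING_BASIC_RATE = 0, 1, 13, 18
IE_SSID, IE_RATES, IE_DS_PARAMS = 0, 1, 3               # element IDs: SSID, Supported Rates, channel
CAP_ESS_PRIVACY = 0x0011                                # capability bits: ESS + Privacy
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def encode_ies(items):
    """(element id, value) pairs -> tagged parameters (id, length, value)."""
    return b"".join(struct.pack("<BB", eid, len(v)) + v for eid, v in items)

def decode_ies(buf):
    out, i = {}, 0
    while i + 2 <= len(buf):
        eid, n = buf[i], buf[i + 1]
        out[eid], i = buf[i + 2:i + 2 + n], i + 2 + n
    return out

def rate_set(rates_mbps, basic):
    """Supported Rates IE: low 7 bits = Mbps * 2, bit 7 = basic (mandatory) rate."""
    return bytes(int(r * 2) | (0x80 if r in basic else 0) for r in rates_mbps)

def decode_rates(ie):
    return {(b & 0x7f) / 2: bool(b & 0x80) for b in ie}

def mgmt(subtype, da, sa, bssid, body):
    """24-byte management header (duration and sequence zeroed) + frame body."""
    return struct.pack("<HH6s6s6sH", subtype << 4, 0, mac(da), mac(sa), mac(bssid), 0) + body

def parse(frame):
    fc, _dur, da, sa, bssid, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    return SUBTYPE[(fc >> 4) & 0xf], da, sa, bssid, frame[24:]

def status_of(frame):
    """Status code of an auth response (alg, seq, status) or assoc response (cap, status, aid)."""
    kind, _, _, _, body = parse(frame)
    fields = struct.unpack("<HHH", body[:6])
    return fields[2] if kind == "auth" else fields[1]

class AccessPoint:
    """One BSS (made-up BSSID). Per-client state: 1 unauth/unassoc, 2 auth/unassoc, 3 auth/assoc."""
    def __init__(self, bssid, ssid, channel, rates, basic):
        self.bssid, self.ssid, self.channel = bssid, ssid.encode(), channel
        self.rates, self.basic, self.state, self.next_aid = rates, basic, {}, 1

    def _bss_body(self):
        # timestamp(8) + beacon interval 100 TU(2) + capability(2) + SSID/rates/channel IEs
        return struct.pack("<QHH", 0, 100, CAP_ESS_PRIVACY) + encode_ies([(IE_SSID, self.ssid),
            (IE_RATES, rate_set(self.rates, self.basic)), (IE_DS_PARAMS, bytes([self.channel]))])

    def beacon(self):
        return mgmt(0x8, BROADCAST, self.bssid, self.bssid, self._bss_body())

    def handle(self, frame):
        kind, _da, sa, _bssid, body = parse(frame)
        src = sa.hex(":")
        if kind == "probe-req":
            if decode_ies(body).get(IE_SSID, b"") in (b"", self.ssid):   # wildcard (null) or ours
                return mgmt(0x5, src, self.bssid, self.bssid, self._bss_body())
            return None
        if kind == "auth":
            alg, seq, _ = struct.unpack("<HHH", body[:6])
            ok = alg == AUTH_OPEN_SYSTEM and seq == 1
            if ok:
                self.state[src] = 2                      # State 1 -> State 2
            return mgmt(0xb, src, self.bssid, self.bssid,
                        struct.pack("<HHH", alg, 2, STATUS_SUCCESS if ok else STATUS_BAD_AUTH_ALG))
        if kind == "assoc-req":
            if self.state.get(src, 1) < 2:
                return None   # not authenticated: a real AP answers with a Deauthentication
            req = decode_ies(body[4:])                   # skip capability(2) + listen interval(2)
            status, aid = STATUS_SUCCESS, 0
            if req.get(IE_SSID) != self.ssid:
                status = STATUS_UNSPECIFIED
            elif not set(self.basic) <= set(decode_rates(req.get(IE_RATES, b""))):
                status = STATUS_MISSING_BASIC_RATE       # must support every BSS basic rate
            else:
                self.state[src], aid = 3, self.next_aid  # State 2 -> State 3
                self.next_aid += 1
            # the AID field carries the 14-bit AID with its two high bits set
            return mgmt(0x1, src, self.bssid, self.bssid,
                        struct.pack("<HHH", CAP_ESS_PRIVACY, status, (aid | 0xC000) if aid else 0))
        return None

def join(ap, client, ssid, client_rates):
    """Client side: directed probe, Open System authentication, then association."""
    ies = encode_ies([(IE_SSID, ssid.encode()), (IE_RATES, rate_set(client_rates, []))])
    probe = ap.handle(mgmt(0x4, BROADCAST, client, BROADCAST, ies))
    if probe is None:
        return "no-probe-response", None
    bssid = parse(probe)[3].hex(":")
    auth = ap.handle(mgmt(0xb, bssid, client, bssid, struct.pack("<HHH", AUTH_OPEN_SYSTEM, 1, 0)))
    if status_of(auth) != STATUS_SUCCESS:
        return "auth-failed", status_of(auth)
    assoc = ap.handle(mgmt(0x0, bssid, client, bssid, struct.pack("<HH", CAP_ESS_PRIVACY, 10) + ies))
    if status_of(assoc) != STATUS_SUCCESS:
        return "assoc-failed", status_of(assoc)
    return "associated", struct.unpack("<HHH", parse(assoc)[4][:6])[2] & 0x3fff
```

Two things worth trying once it is in front of you: send an Authentication frame with algorithm 1 (Shared Key) and the toy AP refuses it with status 13, and send an Association Request from a client that never authenticated and it is silently dropped. That second case is the state machine doing its job: association is only accepted from State 2.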
At this point our client is both authenticated to the AP and associated to the SSID, and technically we have reached the end for this post. What remains is any further security to negotiate before we can start passing data traffic. For WPA2-Personal the four-way handshake between the client and AP follows immediately; for 802.1X (WPA2-Enterprise) an EAP exchange runs first and the four-way handshake follows that. Until the handshake completes the AP forwards nothing from the client except the EAPOL frames of the handshake itself, so association on its own gets the client no data access. You can see this in the screenshot below immediately after the association response, its ack and a beacon that happens to fall in between.
I’m looking forward to delving more into the 4 way handshake as I study towards the CWAP and CWSP over the coming months. I’m sure there’ll be a blog about it at some point.
Wireless network engineer working in UK Higher Education. Views are all my own and normally gibberish.
CWNA, CWDP, ECSE Design