08 November 2019 Analysing Roaming Protocols Head of Technical Operations | MarQuest MackenzieWiFi


08 November 2019

Analysing Roaming Protocols

Head of Technical Operations | MarQuest

MackenzieWiFi


© Peter Mackenzie

802.1X Association

Frame exchange between STA and AP:

1. Open System Authentication - Request
2. Open System Authentication - Success
3. Association Request
4. Association Response
5. EAPoL Start
6. EAP Request (Identity)
7. EAP Response
8. EAP Request
9. EAP Response
10. EAP Success
11. EAPoL Key Packet #1
12. EAPoL Key Packet #2
13. EAPoL Key Packet #3
14. EAPoL Key Packet #4

802.1X Authentication can take longer than 200ms


Slow Roam

Roaming STA, AP 1, AP 2

1. AP 1: 802.11 Open System Authentication, 802.11 Association, 802.1x Authentication, 4-way handshake
2. AP 2: 802.11 Open System Authentication, 802.11 Reassociation, 802.1x Authentication, 4-way handshake

Which AP?


PMK Caching – “Fast-Roam-Back”

Roaming STA, AP 1, AP 2

1. AP 1: 802.11 Open System Authentication, 802.11 Association, 802.1x Authentication, 4-way handshake
2. AP 2: 802.11 Open System Authentication, 802.11 Reassociation, 802.1x Authentication, 4-way handshake
3. AP 1: 802.11 Open System Authentication, 802.11 Reassociation, 4-way handshake


Reassociation RSN Element Decode

ID of Cached PMK


Pre-Authentication

Roaming STA, AP 1, AP 2

1. AP 1: 802.11 Open System Authentication, 802.11 Association, 802.1x Authentication, 4-way handshake
2. 802.1x Authentication (EtherType = 88:C7)
3. AP 2: 802.11 Open System Authentication, 802.11 Reassociation, 4-way handshake


Pre-Authentication Support

An AP advertises its support for Pre-Authentication in the RSN Information Element in beacons, probe responses and association responses.
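Added example (not from the original slides): a minimal RSN element parser that reads the Pre-Authentication bit from the RSN Capabilities field and the PMKID list a STA places in a reassociation request to identify a cached PMK. The helper `build_rsne` and the two sample elements are constructed for illustration, not taken from a capture.

```python
import struct

AKM = {1: "802.1X", 2: "PSK", 3: "FT over 802.1X", 4: "FT-PSK"}  # 00-0F-AC suite types

def parse_rsne(ie: bytes) -> dict:
    """Parse an RSN element (ID 48): ciphers, AKMs, capabilities, PMKIDs."""
    if len(ie) < 4 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def u16() -> int:
        return struct.unpack("<H", take(2))[0]

    out = {"version": u16(), "group": take(4).hex()}
    out["pairwise"] = [take(4).hex() for _ in range(u16())]
    suites = [take(4) for _ in range(u16())]
    out["akm"] = [AKM.get(s[3], s.hex()) if s[:3] == b"\x00\x0f\xac" else s.hex()
                  for s in suites]
    caps = u16()
    out["preauth"] = bool(caps & 0x0001)      # RSN Capabilities bit 0
    # The PMKID count and list are optional and follow the capabilities.
    out["pmkids"] = [take(16).hex() for _ in range(u16())] if pos < len(body) else []
    return out

def build_rsne(caps: int, pmkids: list) -> bytes:
    """Build a constructed CCMP / 802.1X RSN element for the samples below."""
    suite = bytes.fromhex("000fac04")
    body = struct.pack("<H", 1) + suite + struct.pack("<H", 1) + suite
    body += struct.pack("<H", 1) + bytes.fromhex("000fac01") + struct.pack("<H", caps)
    if pmkids:
        body += struct.pack("<H", len(pmkids)) + b"".join(pmkids)
    return bytes([48, len(body)]) + body

# Constructed samples: an AP beacon advertising pre-authentication, and a
# reassociation request in which the STA names one cached PMK.
BEACON_RSNE = build_rsne(caps=0x0001, pmkids=[])
REASSOC_RSNE = build_rsne(caps=0x0000, pmkids=[bytes(range(16))])

if __name__ == "__main__":
    print(parse_rsne(BEACON_RSNE))
    print(parse_rsne(REASSOC_RSNE))
```

An empty PMKID list in a reassociation request means the STA offered no cached key, so a full 802.1X exchange should follow in the capture.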


Opportunistic Key Caching (OKC)

Roaming STA, AP 1, AP 2

1. AP 1: 802.11 Open System Authentication, 802.11 Association, 802.1x Authentication, 4-way handshake
2. PMK
3. AP 2: 802.11 Open System Authentication, 802.11 Reassociation, 4-way handshake


Fast BSS Transition (FT) - 802.11r

FT Key Hierarchy

[Diagram: Authentication Server (MSK); WLAN Controller (Authentication), the PMK-R0 Holder (PMK-R0); two PMK-R1 Holders (PMK-R1a with PTKa, PMK-R1b with PTKb); Supplicant (PMK-R0, PMK-R1a, PTKa)]

MSK: Derived from 802.1x AAA Key

PMK-R0: First level key - Derived as a function of the Master Session Key (MSK)

PMK-R1: Second level key - Derived mutually by holders of PMK-R0

PTK: Third level key - Defines protection keys and is derived mutually by holders of the PMK-R1

FT Reassociation is achieved by one of two methods:
• Over the Air
• Over the DS
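Added example (not from the original slides): the three-level FT key hierarchy carried through in Python for a SHA-256 based AKM, showing that each PMK-R1 holder gets a different key from the same PMK-R0 and that the PTK depends on the nonces and addresses exchanged in the FT frames. All input values are constructed, the R1KH-ID is assumed to equal the AP's BSSID, and the byte layouts should be checked against IEEE 802.11 before being relied on.

```python
import hashlib
import hmac
import struct

def kdf(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """802.11 KDF with HMAC-SHA-256: counter || label || context || length."""
    out, i = b"", 1
    while len(out) * 8 < bits:
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[:bits // 8]

def pmk_r0(msk, ssid, mdid, r0kh_id, sta):
    """First level: held by the PMK-R0 holder (WLAN controller) and the STA."""
    xxkey = msk[32:64]                      # second 256 bits of the MSK (802.1X)
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + sta
    data = kdf(xxkey, b"FT-R0", ctx, 384)
    name = hashlib.sha256(b"FT-R0N" + data[32:48]).digest()[:16]
    return data[:32], name

def pmk_r1(r0, r0_name, r1kh_id, sta):
    """Second level: one key per PMK-R1 holder (AP), bound to its R1KH-ID."""
    key = kdf(r0, b"FT-R1", r1kh_id + sta, 256)
    name = hashlib.sha256(b"FT-R1N" + r0_name + r1kh_id + sta).digest()[:16]
    return key, name

def ptk(r1, snonce, anonce, bssid, sta):
    """Third level: per-association keys from the nonces in the FT frames."""
    k = kdf(r1, b"FT-PTK", snonce + anonce + bssid + sta, 384)
    return {"KCK": k[:16], "KEK": k[16:32], "TK": k[32:48]}

# Constructed inputs (not from a capture).
MSK = bytes(range(64))
SSID, MDID, R0KH = b"example-ssid", bytes.fromhex("a1b2"), b"wlc.example"
STA = bytes.fromhex("020000000001")
AP1, AP2 = bytes.fromhex("020000000a01"), bytes.fromhex("020000000a02")
SNONCE = hashlib.sha256(b"constructed snonce").digest()
ANONCE = hashlib.sha256(b"constructed anonce").digest()

def roam():
    """Derive PMK-R0, both PMK-R1 keys, and the PTK used after roaming to AP 2."""
    r0, r0_name = pmk_r0(MSK, SSID, MDID, R0KH, STA)
    r1a, _ = pmk_r1(r0, r0_name, AP1, STA)
    r1b, r1b_name = pmk_r1(r0, r0_name, AP2, STA)
    return r0, r1a, r1b, r1b_name, ptk(r1b, SNONCE, ANONCE, AP2, STA)

if __name__ == "__main__":
    r0, r1a, r1b, name, keys = roam()
    print("PMK-R1a != PMK-R1b:", r1a != r1b, "| PMKR1Name:", name.hex())
```

Because PMK-R0 never has to leave the PMK-R0 holder, an AP that is compromised exposes only its own PMK-R1 and the PTKs derived from it.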


FT Over the Air

Roaming STA, AP 1, AP 2

1. AP 1: 802.11 Open System Authentication, 802.11 Association, 802.1x Authentication, 4-way handshake
2. PMK-R1
3. AP 2: 802.11 FT Authentication, 802.11 Reassociation


Pre 802.11r FSR vs FT Over the air

Pre 802.11r FSR Reassociation:

1. Open System Auth - Request
2. Open System Auth - Success
3. Reassociation Request
4. Reassociation Response
5. EAPoL Key Packet #1
6. EAPoL Key Packet #2
7. EAPoL Key Packet #3
8. EAPoL Key Packet #4

802.11r FT Reassociation:

1. FT Auth - Request
2. FT Auth - Success
3. Reassociation Request
4. Reassociation Response

Includes the 4-way handshake


FT Over the Air Packet #1

Snonce

ID of cached PMK

FT Authentication to be used

Does not support FT over the DS

Auth Algorithm: 2 = FT

Auth Seq Num: 1 = First Packet

Fast BSS Transition Element

PMK-R0 holder ID

The supplicant has cached PMK and is a PMK-R0 holder


FT Over the Air Packet #2

Snonce

PMK-R0 holder ID

Anonce

PMK-R1 holder ID

The Authenticator has now derived the PMK-R1 Key and becomes a PMK-R1 Holder

Auth Algorithm: 2 = FT

Auth Seq Num: 2 = Second Packet


FT Over the Air Packet #3

Snonce

PMK-R0 holder ID

Anonce

PMK-R1 holder ID

The Supplicant has now derived the PMK-R1 Key and becomes a PMK-R1 Holder. The supplicant has also derived the PTK

Reassociation Request

Current AP BSSID

MIC


FT Over the Air Packet #4

Snonce

PMK-R0 holder ID

Anonce

PMK-R1 holder ID

The Supplicant has now derived the PMK-R1 Key and becomes a PMK-R1 Holder. The supplicant has also derived the PTK

Reassociation Response

MIC

GTK encrypted in PTK


FT Over the DS

Roaming STA, AP 1, AP 2

1. AP 1: 802.11 Open System Authentication, 802.11 Association, 802.1x Authentication, 4-way handshake
2. PMK-R1
3. 802.11 FT Action Authentication
4. AP 2: 802.11 Reassociation


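FT Over the DS Frame Exchange

STA, Current AP, New AP

1. Action – FT Request (STA to Current AP)
2. FT Request and Response over the DS (Current AP and New AP)
3. Action – FT Response (Current AP to STA)
4. Reassociation Request (STA to New AP)
5. Reassociation Response (New AP to STA)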


802.11k – Radio Resource Measurement

802.11k and 802.11r work together to facilitate seamless roaming

Enables STAs to make informed roaming decisions

Capability Information Field

Bit Field
B0 ESS
B1 IBSS
B2 CF Pollable
B3 CF-Poll Request
B4 Privacy
B5 Short Preamble
B6 Reserved
B7 Reserved
B8 Spectrum Management
B9 QoS
B10 Short Slot Time
B11 APSD
B12 Radio Measurement
B13 Reserved
B14 Delayed Block Ack
B15 Immediate Block Ack

RRM Enabled Capabilities Element

Element ID = 70 (1 octet)
Length = 5 (1 octet)
RRM Enabled Capabilities (5 octets)

The Radio Measurement bit set to 1 in the Capability Information Field indicates general support for Radio Resource Measurement. Support for individual capabilities is indicated by a set of flags in the RRM Enabled Capabilities Element.


Neighbor Report

STA, AP 1, AP 2

1. Neighbor Request
2. Neighbor Report

Neighbor Report: Contains information about known neighbour APs which are roaming candidates.


Neighbour Request Decode

Request a neighbor list for a specific SSID

Action Code = Neighbor Report Request

Action Category = Radio Measurement


Neighbour Report Decode

Neighbor’s BSSID

Action Code = Neighbor Report Response

Action Category = Radio Measurement

AP is reachable for preauthentication

Selected subset of the AP’s Capability Information Field

Channel number of new AP

By concentrating on just the APs in the Neighbor list, clients reduce their scanning activity (active probing or passively listening to beacons on every channel), which in turn allows the STA to make more efficient use of the air time and reduce its power consumption.


802.11v Wireless Network Management

BSS Transition: Used by the wireless infrastructure to request that a client move to a more appropriate AP within an ESS

802.11r Support: Although some clients advertise support for 802.11v, they may not fully support BSS Transition. Client vendors don’t want to give up control to the wireless infrastructure. Windows 10 supports BSS Transition with a supported adaptor and driver that also supports 802.11r

STAs use the Extended Capabilities element to advertise their support for BSS Transition


BSS Transition

STA, AP 1, AP 2

1. Transition Management Request: Contains a list of target BSSs
2. Transition Management Response: Accept or Reject. If Accept, the Response indicates which of the suggested APs it is accepting
3. 802.11 Open System Authentication, 802.11 Reassociation


BSS Transition Request Decode

Number of TBTT until the AP sends a Disassociation frame to the STA

Neighbor’s BSSID

Neighbor's Channel number

Additional Neighbor reports


BSS Transition Response Decode

Status Code Description

0 Accept

1 Reject—Unspecified reject reason.

2 Reject—Insufficient Beacon or Probe Response frames received from all candidates

3 Reject—Insufficient available capacity from all candidates

4 Reject—BSS termination undesired

5 Reject—BSS termination delay requested

6 Reject—STA BSS Transition Candidate List provided

7 Reject—No suitable BSS transition candidates

8 Reject—Leaving ESS

9-255 Reserved

Status Code accepted or rejected with one of 8 status codes


What should we use?

802.11r? 802.11k? 802.11v?