802.11 and Network Interface Cards part II
Ch. 2 – 802.11 and NICs
Part 2 – 802.11 MAC
Cisco Fundamentals of Wireless LANs version 1.1
Rick Graziani
Cabrillo College
Spring 2005
802.11 Overview and MAC Layer
Part 1 – 802.11 MAC and Cisco Client Adapters
• (Separate Presentation)
• 2.1 Online Curriculum
– 802.11 Standards
• Overview of WLAN Topologies
– IBSS
– BSS
– ESS
– Access Points
• 802.11 Medium Access Mechanisms
– DCF Operations
– Hidden Node Problem
– RTS/CTS
– Frame Fragmentation
• 2.4 – 2.6 Online Curriculum
– Client Adapters
– Aironet Client Utility (ACU)
– ACU Monitoring and Troubleshooting Tools
Part 2 – 802.11 MAC
• 802.11 Data Frames and Addressing
• 802.11 MAC Layer Operations
– Station Connectivity
– Power Save Operations
– 802.11 Frame Formats
• Non-standard devices (Brief)
Rick Graziani [email protected]
Recommended Reading and Sources for this Presentation
• Pejman Roshan, Jonathan Leary – ISBN: 1587050773
• Matthew S. Gast – ISBN: 0596001835
• To understand WLANs it is important to understand the 802.11 protocols and their operations.
• These two books do an excellent job in presenting this information and are used throughout this and other presentations.
Acknowledgements
• Thanks to Pejman Roshan and Jonathan Leary at Cisco Systems, authors of 802.11 Wireless LAN Fundamentals, for allowing me to use their graphics and examples for this presentation.
• Also thanks to Matthew Gast, author of 802.11 Wireless Networks, The Definitive Guide, for allowing me to use their graphics and examples for this presentation.
802.11 Frames – This isn’t Ethernet!
802.11 Frames
• Data Frames (most are PCF)
– Data
– Null data
– Data+CF-Ack
– Data+CF-Poll
– Data+CF-Ack+CF-Poll
– CF-Ack
– CF-Poll
– CF-Ack+CF-Poll
• Control Frames
– RTS
– CTS
– ACK
– CF-End
– CF-End+CF-Ack
• Management Frames
– Beacon
– Probe Request
– Probe Response
– Authentication
– Deauthentication
– Association Request
– Association Response
– Reassociation Request
– Reassociation Response
– Disassociation
– Announcement Traffic Indication
802.11 Data Frames and Addressing
It helps to understand this because it is not dependent upon the 802.11 Physical layer.
Ethernet MAC Addressing
[Figure: network diagram with hosts X (xxx) and Y (yyy) on the Distribution System (DS), Access Point 1, Access Point 2, and wireless hosts A, B, C, D; xxx and yyy are the pseudo MAC addresses of the hosts. An Ethernet frame labelled xxx, yyy carries the IP Packet.]
802.11 MAC Addressing
[Figure: General 802.11 Frame. The LLC encapsulation will be explained later in this presentation.]
• Four address fields
• The number and function of the address fields is dependent upon the source and destination for the 802.11 frame.
• Before we look at how these addresses are used, let’s look at the different source and destination options.
• Address 4 is optional and not commonly used, except for WDS (wireless distribution system, bridge to bridge).
802.11 MAC Addressing - DS
[Figure: network diagram with hosts X and Y on the Distribution System (DS), Access Point 1, Access Point 2, and wireless hosts A, B, C, D.]
• Distribution System (DS)
– “The distribution system is the logical component of 802.11 used to forward frames to their destination. 802.11 does not specify any particular technology for the distribution system.” Matthew Gast
– The DS is the exiting network from the AP. (For purposes of this discussion.)
– It can be a wired network (Ethernet) or a wireless network (wireless bridge) or something else.
– We will assume it is a wired network for these discussions.
802.11 MAC Addressing – Frame Control Field
[Figure: General 802.11 Frame]
• To DS: indicates if frame is destined for the DS or AP (1 bit).
• From DS: indicates if frame is sourced from the DS or AP (1 bit).
802.11 MAC Addressing – Frame Control Field
[Figure: General 802.11 Frame]
Function                    ToDS  FromDS
IBSS (no AP)                0     0
To AP                       1     0
From AP                     0     1
Wireless bridge to bridge   1     1
Note: Some documentation is misleading, stating that the ToDS is set to 1 only when the destination is on the wired side of the AP.
802.11 MAC Addressing
[Figure: network diagram with hosts X (xxx) and Y on the Distribution System (DS), Access Point 1 (111), Access Point 2, and wireless hosts A (aaa), B (bbb), C, D. aaa, bbb, 111: pseudo MAC address of hosts and BSSID of AP1.]
• Let’s look at these options:
– Host A to Host B
– Host A to Host X
– Host X to Host A
• Frames to and from a BSS (Basic Service Set) must go via the access point.
• The access point is a layer 2 bridge (translation bridge) between the 802.11 network and the 802.3 network.
802.11 MAC Addressing – The BSSID
[Figure: General 802.11 Frame; network diagram with hosts X (xxx) and Y on the Distribution System (DS), Access Point 1 (111), Access Point 2, and wireless hosts A (aaa), B (bbb), C, D.]
• Each BSS is assigned a BSSID.
– Not to be confused with SSID or ESSID.
• BSSID – 48 bit identifier which distinguishes it from other BSSs in the network, used for filtering.
• In a BSS, the BSSID is the MAC address of the wireless interface.
• Remember, normal switches (bridges) may have MAC addresses, but these addresses are only used for management purposes and not for layer 2 frame forwarding (addressing).
802.11 MAC Addressing – The BSSID
[Figure: General 802.11 Frame; network diagram with hosts X (xxx) and Y on the Distribution System (DS), Access Point 1 (111), Access Point 2, and wireless hosts A (aaa), B (bbb), C, D.]
• Besides the BSSID MAC address, the access point has a MAC address for other interfaces.
– Ethernet (LAN)
– Ethernet (WAN)
– 802.11a for dual mode APs
BSSID – Cisco 1200
[Figure: screenshot with callouts: MAC address for AP’s IP address (ARP tables); BSSID; BSSID for 802.11a WLAN.]
Linksys WRT54G
Router Information
• IP Address: (received via DHCP)
• MAC Address: 00:0F:66:09:4E:10
Local Network
• MAC Address: 00:0F:66:09:4E:0F (callout: MAC address for AP’s IP address)
• IP Address: 192.168.1.1
Wireless
• MAC Address: 00:0F:66:09:4E:11 (callout: BSSID)
• SSID: GuidoNet2
• DHCP Server: Enabled
• Channel: 11
• Encryption Function: Enabled
802.11 MAC Addressing – Host A to Host B
[Figure: General 802.11 Frame; network diagram with hosts X (xxx) and Y on the Distribution System (DS), Access Point 1 (111), Access Point 2, and wireless hosts A (aaa), B (bbb), C, D.]
• Address 1 – Receiver address
• Address 2 – Transmitter address
• Address 3 – Ethernet/wireless SA, Ethernet/wireless DA, or BSSID
• Transmitter: Sends a frame on to the wireless medium, but may not be the original source (didn’t necessarily create the frame), i.e. AP
• Receiver: Receives a frame on the wireless medium, but may not be the final destination, i.e. AP
802.11 MAC Addressing – Host A to Host B
[Figure: network diagram with hosts X (xxx) and Y on the Distribution System (DS), Access Point 1 (111), Access Point 2, and wireless hosts A (aaa), B (bbb), C, D.]
Frame            ToDS  FromDS  Address 1 (Rec.)  Address 2 (Trans.)  Address 3
Host A to AP 1   1     0       111               aaa                 bbb (DA)
AP1 to Host B    0     1       bbb               111                 aaa (SA)
• Address 1 – Receiver address
• Address 2 – Transmitter address
• Address 3 – Ethernet/wireless SA, Ethernet/wireless DA, or BSSID
802.11 MAC Addressing
[Figure: the IP Packet on the Distribution System (DS) and, in the General 802.11 Frame, the LLC header followed by the IP Packet.]
• Access Points are translation bridges.
• From 802.11 to Ethernet, and from Ethernet to 802.11
• The “data/frame body” is re-encapsulated with the proper layer 2 frame (Ethernet or 802.11).
• Certain addresses are copied between the two types of frames.
802.11 MAC Addressing – Host A to Host X
[Figure: network diagram with hosts X (xxx) and Y on the Distribution System (DS), Access Point 1 (111), Access Point 2, and wireless hosts A (aaa), B (bbb), C, D.]
Host A to AP 1, 802.11 Frame: ToDS = 1, FromDS = 0, Address 1 (Rec.) = 111, Address 2 (Trans.) = aaa, Address 3 (DA) = xxx
Ethernet frame (addresses copied from the 802.11 frame): xxx, aaa
• The Ethernet DA and SA are the destination and source addresses just like on traditional Ethernet networks.
– Destination Address – Host X
– Source Address – Host A
802.11 MAC Addressing – Host A to Host X
[Figure: the 802.11 frame from Host A to AP 1 (ToDS = 1, FromDS = 0, Rec. = 111, Trans. = aaa, DA = xxx) and the Ethernet frame (xxx, aaa) with the copied addresses, as on the previous slide.]
• The AP (bridge) knows which MAC addresses are on its wireless interface and maintains a table with those MAC addresses. (from the Association process – later)
• When the AP receives an 802.11 frame, it examines the Address 3 address.
• If Address 3 is not in its table of wireless MACs it knows it needs to translate the frame to an Ethernet frame.
• The AP copies the Address 3 address to the Ethernet Destination Address, and Address 2 (Transmitter address) is copied to the Ethernet Source Address.
802.11 MAC Addressing – Host X to Host A
[Figure: network diagram with hosts X (xxx) and Y on the Distribution System (DS), Access Point 1 (111), Access Point 2, and wireless hosts A (aaa), B (bbb), C, D.]
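802.11 MAC Addressing – Host X to Host A
[Figure: network diagram with hosts X (xxx) and Y on the Distribution System (DS), Access Point 1 (111), Access Point 2, and wireless hosts A (aaa), B (bbb), C, D.]
Host X to AP 1, Ethernet frame: aaa, xxx
– Destination Address – Host X
– Source Address – Host A
AP 1 to Host A, 802.11 Frame (addresses copied from the Ethernet frame): ToDS = 0, FromDS = 1, Address 1 (Rec.) = aaa, Address 2 (Trans.) = 111, Address 3 (SA) = xxx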
802.11 MAC Addressing – Host X to Host A
[Figure: the Ethernet frame from Host X to AP 1 (aaa, xxx) and the 802.11 frame from AP 1 to Host A (ToDS = 0, FromDS = 1, Rec. = aaa, Trans. = 111, SA = xxx), as on the previous slide.]
• The AP (bridge) knows which MAC addresses are on its wireless interface and maintains a table with those MAC addresses. (via Association process – later)
• When the AP receives an Ethernet frame, it examines the Destination address.
• If Destination Address is in its table of wireless MACs it knows it needs to translate the frame to an 802.11 frame.
• The AP copies the Destination address to the 802.11 Address 1, and Ethernet Source is copied to the Address 3 address (SA in this case). (Flood out all ports unless in Source Address Table.)
802.11 MAC Addressing
[Figure: Ethernet switch with ports 1 and 2; labels xxx, aaa and 111.]
• So how do Ethernet switches know where the wireless stations are?
• Just like wired stations – using the source address of frames that came from the wireless station via the access point.
• Here the switch learns from the incoming Ethernet frame that Source Address aaa is on port 2 and enters that in its MAC address table.
• Any frames coming into the switch (ex. port 1) with a Destination Address of aaa, the switch knows to forward those frames out port 2 (towards the AP).
LLC – Logical Link Control
[Figure: General 802.11 Frame with the LLC header followed by the IP Packet.]
• The IP Packet is in an LLC frame which is encapsulated in a MAC frame.
• 802.11 does not include a protocol type field.
• An 8 byte SNAP field is added to the LLC to indicate the layer 3 data being carried in the data field.
• The rest of the information within the LLC is not really relevant.
LLC – Logical Link Control
• The only word of caution is that there are two types of LLC encapsulation, RFC 1042 and 802.1h.
• On a rare occasion, you might find a problem with a client associating to an AP when their LLCs do not match.
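The addressing and LLC slides above, worked through at byte level as an added example that is not part of the original presentation: it decodes ToDS/FromDS, names what each address field holds, and performs the AP's translation in both directions. The function names, the sample MAC addresses standing in for aaa, bbb, xxx and 111, and the restriction to unencrypted non-QoS data frames are assumptions of this example.

```python
import struct

# LLC/SNAP headers: RFC 1042 (OUI 00-00-00) and the 802.1H bridge tunnel
# (OUI 00-00-F8). Header plus 2-byte EtherType is the 8-byte field above.
RFC1042 = bytes.fromhex("aaaa03000000")
BRIDGE_TUNNEL = bytes.fromhex("aaaa030000f8")

# (ToDS, FromDS) -> what Address 1, 2 and 3 hold in a data frame.
ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),   # IBSS (no AP)
    (1, 0): ("BSSID", "SA", "DA"),   # to AP
    (0, 1): ("DA", "BSSID", "SA"),   # from AP
    (1, 1): ("RA", "TA", "DA"),      # bridge to bridge; SA is Address 4
}

# Constructed addresses standing in for the slides' pseudo MACs.
HOST_A = bytes.fromhex("020000000aaa")   # "aaa"
HOST_B = bytes.fromhex("020000000bbb")   # "bbb"
HOST_X = bytes.fromhex("020000000eee")   # "xxx"
BSSID1 = bytes.fromhex("020000000111")   # "111"


def parse_data_header(frame):
    """Decode ToDS/FromDS and the address fields of a non-QoS data frame."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 2 or fc & 0x0080:
        raise ValueError("not a non-QoS data frame")
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    addrs = (frame[4:10], frame[10:16], frame[16:22])
    roles = dict(zip(ROLES[(to_ds, from_ds)], addrs))
    body_at = 24
    if to_ds and from_ds:               # Address 4 follows Sequence Control
        if len(frame) < 30:
            raise ValueError("missing Address 4")
        roles["SA"], body_at = frame[24:30], 30
    return {"to_ds": to_ds, "from_ds": from_ds, "receiver": addrs[0],
            "transmitter": addrs[1], "roles": roles, "body": frame[body_at:]}


def ap_to_ethernet(frame, associated):
    """802.11 frame received by the AP -> Ethernet II frame, or None when the
    destination is an associated station and the frame stays in the BSS."""
    h = parse_data_header(frame)
    if (h["to_ds"], h["from_ds"]) != (1, 0):
        raise ValueError("expected a ToDS=1, FromDS=0 frame")
    da, sa, body = h["roles"]["DA"], h["transmitter"], h["body"]
    if da in associated:
        return None
    if len(body) < 8 or body[:6] not in (RFC1042, BRIDGE_TUNNEL):
        raise ValueError("frame body has no LLC/SNAP header")
    # Address 3 -> Ethernet DA, Address 2 -> Ethernet SA, then EtherType + data
    return da + sa + body[6:]


def ap_from_ethernet(eth, bssid, associated, snap=RFC1042):
    """Ethernet II frame from the DS -> 802.11 frame with FromDS=1, or None
    when the destination is not in the AP's table of wireless stations."""
    if len(eth) < 14:
        raise ValueError("shorter than an Ethernet header")
    da, sa = eth[0:6], eth[6:12]
    if da not in associated:
        return None
    fc = (2 << 2) | (1 << 9)            # type = data, FromDS = 1
    # Ethernet DA -> Address 1, BSSID -> Address 2, Ethernet SA -> Address 3
    header = struct.pack("<HH", fc, 0) + da + bssid + sa + struct.pack("<H", 0)
    return header + snap + eth[12:]


def station_to_ap(sa, da, bssid, ethertype, payload, snap=RFC1042):
    """Build the ToDS=1 frame a station transmits (constructed sample input)."""
    fc = (2 << 2) | (1 << 8)            # type = data, ToDS = 1
    header = struct.pack("<HH", fc, 0) + bssid + sa + da + struct.pack("<H", 0)
    return header + snap + struct.pack(">H", ethertype) + payload


if __name__ == "__main__":
    stations = {HOST_A, HOST_B}         # learned during association
    a_to_x = station_to_ap(HOST_A, HOST_X, BSSID1, 0x0800, b"IP packet")
    print("A -> X on the DS:", ap_to_ethernet(a_to_x, stations).hex())
    a_to_b = station_to_ap(HOST_A, HOST_B, BSSID1, 0x0800, b"IP packet")
    print("A -> B bridged to the DS:", ap_to_ethernet(a_to_b, stations) is not None)
    x_to_a = HOST_A + HOST_X + b"\x08\x00" + b"IP packet"
    print("X -> A on the air:", ap_from_ethernet(x_to_a, BSSID1, stations).hex())
```

A receiver that accepts only one of the two SNAP headers rejects frames sent with the other, which is the LLC mismatch the slide warns about.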
802.11 MAC Layer Operations
Station Connectivity
Power Save Operations
802.11 Frame Formats
Station Connectivity
• Earlier we stated, at a minimum a client station and the access point must be configured to be using the same SSID.
• How does the client find these APs?
• Before connecting to any network, you must find it.
• With Ethernet, the cable does that for you, but of course there is no cable with wireless.
• There are various applications and utilities that will do it, but what is actually happening in the 802.11 MAC operations?
• Let’s take a look…
Station Connectivity
[Figure: state diagram. State 1: Unauthenticated, Unassociated; State 2: Authenticated, Unassociated; State 3: Authenticated, Associated. Transitions: Successful Authentication, Successful Association, Deauthentication, Disassociation.]
• Station connectivity is an explanation of how 802.11 stations select and communicate with APs.
Station Connectivity
[Figure: state diagram (State 1: Unauthenticated, Unassociated; State 2: Authenticated, Unassociated; State 3: Authenticated, Associated) annotated with the Probe process, Authentication process and Association process.]
• We will look at three processes:
– Probe Process (or scanning)
– The Authentication Process
– The Association Process
• Only after a station has both authenticated and associated with the access point can it use the Distribution System (DS) services and communicate with devices beyond the access point.
Station Connectivity – Probe Process
• The Probe Process (Scanning) done by the wireless station
– Passive – Beacons
– Active – Probe Requests
• Depends on device driver of wireless adapter or the software utility you are using.
• Cisco adapters do active scanning when associating, but use passive scanning for some tests.
• In either case, beacons are still received and used by the wireless stations for other things besides scanning (coming).
Station Connectivity – Passive Scanning
• Passive Scanning
– Saves battery power
– Station moves to each channel and waits for Beacon frames from the AP.
– Records any beacons received.
• Beacon frames allow a station to find out everything it needs to begin communications with the AP including:
– SSID
– Supported Rates
• Kismet/KisMAC uses passive scanning
Station Connectivity – Passive Scanning
Note: Most of these beacons are received via normal operations and not through passive scanning.
Station Connectivity – Passive Scanning
• Passive scans, carried out by listening to Beacons from APs, are not usually displayed by a network analyzer (Ethereal, Airopeek, etc.) but can be.
• Microsecond – millionth of a second
• Millisecond – thousandth of a second
• A common beacon interval is 100 time units.
• Beacon interval is the number of time units between beacon transmissions.
– One unit of time is 1,024 microseconds or about 1 millisecond.
– A beacon interval of 100 is equivalent to 100 milliseconds or 0.1 seconds.
– That would be 10 beacons per second.
Setting the beacon interval on an AP (later)
Station Connectivity – Passive Scanning
• AP features (options)
– The SSID can be “hidden” or “cloaked” in the beacon frame (can be done on Cisco APs)
– Do not send AP broadcast beacons (not an option with Cisco APs)
• From some mailing lists:
– “SSID cloaking and beacon hiding isn't necessarily a bad thing, but too many places use it as the only protection because it leads to a false sense of security.”
– “Obscurity != security. Too many companies blindly trust that no beaconing or hiding their SSID means they're automatically safe.”
Station Connectivity – Active Scanning
• Active Scanning: Probe Request
– This process is not mandatory with 802.11.
– A Probe Request frame is sent out on every channel (1 – 11) by the client.
– APs that receive Probe Requests must reply with a Probe Response frame if:
• SSID matches or
• Probe Request had a broadcast SSID (0 byte SSID)
• NetStumbler uses active scanning
[Figure: Probe Request, from the client.]
[Figure: Probe Request capture, from the client.]
• Source address is the client (host)
• The SSID can also be a broadcast SSID which triggers a Probe Response from all APs in the area.
Station Connectivity – Active Scanning
• Active Scanning: Probe Response
– On BSSs the AP is responsible for replying to Probe Requests with Probe Responses.
– Probe Responses are unicast frames.
– Probe Responses must be ACKnowledged by the receiver (client).
• Like a beacon, Probe Response frames allow a station to find out everything it needs to begin communications with the AP including:
– SSID
– Supported Rates
[Figure: exchange numbered 1, 2, 3; Probe Response, from the AP.]
[Figure: Probe Response capture, from the AP.]
• Destination Address is the client who issued the Probe Request
• Source address is the AP (same as the BSSID)
• The beacon contains certain information that lets a station know if it can continue to attempt to join this network:
– SSID
– Supported Rates
– Privacy: WEP, or None (open)
Capturing the Probe Response
Station Connectivity – Multiple APs
[Figure: Most likely Vivian will communicate with AP 2, which matches her SSID and has the stronger signal strength.]
• How a station chooses an AP is not specified in 802.11.
• It is left up to the vendor.
• It could be matching SSIDs, signal strength, supported data rates.
Station Connectivity
[Figure: a client with no SSID configured says “Hey, I didn’t do anything and I am on the Internet!” Exchange: Probe Request with broadcast (no) SSID; Probe Response with SSID = tsunami; ACK.]
• Access Points can be configured whether or not to allow clients with broadcast SSIDs to continue the connectivity process.
– If there is no authentication on the AP, then the client will most likely “associate” and be on their network!
• Cisco APs use a default SSID of tsunami known as the “guest mode” SSID. (coming)
• Unless this feature is disabled or authentication is enabled, anyone can easily associate with your AP and access your network (or the Internet).
Station Connectivity
[Figure: state diagram (State 1: Unauthenticated, Unassociated; State 2: Authenticated, Unassociated; State 3: Authenticated, Associated) annotated with the Probe process, Authentication process and Association process.]
• Station connectivity processes:
– Probe Process (or scanning)
– The Authentication Process
– The Association Process
• Only after a station has both authenticated and associated with the access point can it use the Distribution System (DS) services and communicate with devices beyond the access point.
Authentication Process
• On a wired network, authentication is implicitly provided by the physical cable from the PC to the switch.
• Authentication is the process to ensure that stations attempting to associate with the network (AP) are allowed to do so.
• 802.11 specifies two types of authentication:
– Open-system
– Shared-key (makes use of WEP)
Authentication Process – Open-System
• Open-system authentication is really “no authentication”.
• Open-system authentication is the only method required by 802.11
– You could buy an AP that doesn’t support Shared-key
• The client and the station exchange authentication frames.
[Figure: frame capture. Frame Control omitted in this Authentication Response.]
• The client:
– Sets the Authentication Algorithm Number to 0 (open-system)
– Sets Authentication Transaction Sequence Number to 1
• The AP:
– Sets the Authentication Algorithm Number to 0 (open-system)
– Sets Authentication Transaction Sequence Number to 2
– Status Code set to 0 (Successful)
Authentication Process – Shared-Key
• Shared-key authentication uses WEP (Wired Equivalent Privacy) and can only be used on products that support WEP.
• WEP is a Layer 2 encryption algorithm based on the RC4 algorithm.
• 802.11 requires any stations that support WEP to also support shared-key authentication.
• WEP and WPA will be examined more closely when we discuss security.
• For now both the client and the AP must have a shared-key, password.
Authentication Process – Shared-Key
• The client:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Sets Authentication Transaction Sequence Number to 1
• The AP:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Sets Authentication Transaction Sequence Number to 2
– Status Code set to 0 (Successful)
– Challenge Text (later)
• The client:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Sets Authentication Transaction Sequence Number to 3
– Challenge Text (later)
• The AP:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Sets Authentication Transaction Sequence Number to 4
– Status Code set to 0 (Successful)
Authentication Process
• We’ll look at the configuration of the client and AP later!
• Example of open-system authentication.
• Note: On “some” systems you can configure authentication (WEP) and
WEP encryption separately. On the ACU you can have open-system
authentication and also have WEP encryption. However, if you have
Shared-key (WEP) authentication, you must use WEP encryption.
Authentication Process
• Authentication
– Open-System
– Shared-Key (WEP)
• Encryption
– None
– WEP
[Figure: Open-System authentication pairs with encryption None or WEP; Shared-Key (WEP) authentication pairs with WEP only.]
Station Connectivity
[Figure: a client says “Hey, I REALLY didn’t do anything and I am on the Internet!” Exchange: Beacon with SSID = tsunami; Authentication Request; Authentication Response (Open-system).]
• If not configured specifically to look for a network, some client utilities will automatically join the network that meets their vendor’s criteria (not specified in 802.11) such as signal strength and open-system authentication.
• How a station chooses an AP is not specified in 802.11.
• Or just find the open-system network and join.
Association Process
[Figure: 1. Association Request; 2. Association Response.]
• The association process is logically equivalent to plugging into a wired network.
• Once this process is completed, the wireless station can use the DS and connect to the network and beyond.
• A wireless station can only associate with one AP (802.11 restriction)
• During the 802.11 association process the AP maps a logical port known as the Association Identifier (AID) to the wireless station.
– The AID is equivalent to a port on a switch and is used later in Power Save Options.
• The association process allows the DS to keep track of frames destined for the wireless station, so they can be forwarded.
Association Process
• Association Request Frame (From client)
– Listen Interval – This value is used by the Power Save Operation (later). Informs AP how often it will wake up to receive buffered frames.
– Supported Rates – What data rates the client station supports.
• Association Response Frame (From AP)
– Status Code – Indicates success or reason for failure.
– AID – A value assigned to this station for the Power Save Operation (later).
– Supported Rates – What data rates the AP supports.
Association Process
• Association Request Frame (From client)
– At this point the AP adds the source address of the wireless client to its Source Address Table.
– This is how the AP knows to forward frames destined to the client out the wireless interface (802.11) and not the wired interface (802.3/Ethernet).
– The AP usually learns the wireless client’s Source Address sooner, either in the Probe Request or Authentication Request frames, but this is where it “officially” adds the wireless client to its MAC table.
Station Connectivity
[Figure: state diagram (State 1: Unauthenticated, Unassociated; State 2: Authenticated, Unassociated; State 3: Authenticated, Associated) annotated with the Probe process, Authentication process and Association process.]
• Traffic can now flow between the client and the AP.
• Disassociation and deauthentication can be due to:
– Inactivity
– The AP cannot handle all currently associated stations
– Station has left BSS
– etc.
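Following a station through States 1 to 3 from captured management frames, as an added example that is not part of the original presentation: it reads the Authentication fields (algorithm number, transaction sequence number, status code) and the AID from the Association Response. The subtype numbers and field layouts are the standard 802.11 ones, Deauthentication returning to State 1 and Disassociation to State 2 follows the standard state diagram, and the addresses, helper names and capture are constructed for this example.

```python
import struct

ASSOC_REQ, ASSOC_RESP, DISASSOC, AUTH, DEAUTH = 0, 1, 10, 11, 12  # subtypes
OPEN_SYSTEM, SHARED_KEY = 0, 1
FINAL_SEQ = {OPEN_SYSTEM: 2, SHARED_KEY: 4}   # last frame of each exchange

AP = bytes.fromhex("020000000111")    # constructed BSSID
STA = bytes.fromhex("020000000aaa")   # constructed station address


def mgmt(subtype, dst, src, bssid, body=b""):
    """Build a management frame (type 0) for the constructed capture."""
    header = struct.pack("<HH", subtype << 4, 0) + dst + src + bssid
    return header + struct.pack("<H", 0) + body


def auth_body(algorithm, seq, status=0, challenge=b""):
    """Authentication fixed fields, optionally followed by challenge text."""
    return struct.pack("<HHH", algorithm, seq, status) + challenge


def assoc_response(status, aid):
    """Capability, Status Code, AID (the two top bits of the AID are set)."""
    return struct.pack("<HHH", 0x0001, status, 0xC000 | aid)


def track_states(frames, bssid):
    """Replay management frames; return {station: (state, aid)}."""
    table = {}
    for frame in frames:
        if len(frame) < 24 or frame[16:22] != bssid:
            continue                              # other BSS or truncated
        (fc,) = struct.unpack_from("<H", frame, 0)
        if (fc >> 2) & 0x3 != 0:
            continue                              # not a management frame
        subtype = (fc >> 4) & 0xF
        dst, src, body = frame[4:10], frame[10:16], frame[24:]
        from_ap = src == bssid
        sta = dst if from_ap else src
        state, aid = table.get(sta, (1, None))
        if subtype == AUTH and from_ap and len(body) >= 6:
            alg, seq, status = struct.unpack_from("<HHH", body, 0)
            # Only the AP's final, successful frame authenticates the station;
            # the shared-key sequence 2 frame just carries the challenge.
            if status == 0 and seq == FINAL_SEQ.get(alg) and state == 1:
                state = 2
        elif subtype == ASSOC_RESP and from_ap and len(body) >= 6:
            _cap, status, raw_aid = struct.unpack_from("<HHH", body, 0)
            if status == 0 and state >= 2:
                state, aid = 3, raw_aid & 0x3FFF
        elif subtype == DISASSOC and state == 3:
            state, aid = 2, None
        elif subtype == DEAUTH:
            state, aid = 1, None
        table[sta] = (state, aid)
    return table


# Constructed capture: open-system authentication, association, then teardown.
CAPTURE = [
    mgmt(AUTH, AP, STA, AP, auth_body(OPEN_SYSTEM, 1)),
    mgmt(AUTH, STA, AP, AP, auth_body(OPEN_SYSTEM, 2)),
    mgmt(ASSOC_REQ, AP, STA, AP, b"\x01\x00\xc8\x00"),
    mgmt(ASSOC_RESP, STA, AP, AP, assoc_response(0, 29)),
    mgmt(DISASSOC, AP, STA, AP, b"\x08\x00"),
    mgmt(DEAUTH, AP, STA, AP, b"\x03\x00"),
]

if __name__ == "__main__":
    for n in range(1, len(CAPTURE) + 1):
        state, aid = track_states(CAPTURE[:n], AP)[STA]
        print(f"after frame {n}: state {state}, AID {aid}")
```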
Labs and Station Connectivity
[Figure: “Configuring AP1 is easy!” and “Hey, what happened to my settings on AP2!”; AP1 and AP2.]
• In the lab we will need to take steps to make sure you are configuring and connected to the AP that you think you are!
• We will first connect via a wired interface, change the SSID and IP addressing on the AP, different from what the labs show.
Power Save (PS) Operations
• A key factor in wireless is mobility, which implies batteries.
• To preserve battery power the 802.11 specification provides for power saving operations on the wireless clients.
• 802.11 categories for power savings refer to:
– Unicast frames
– Broadcast/Multicast frames
Power Save (PS) Operations
• The Cisco ACU has three options for Power Saving:
– CAM (Constantly Awake Mode)
– MAX PSP (Max Power Savings)
– Fast PSP (Fast Power Saving Mode)
• More on this later.
Power Save (PS) Operations
[Figure: the client says “I’m awake. Let me listen for a beacon to see if there is any traffic for me. If not, I can go back to sleep.” The AP sends a beacon.]
• A client enters low-power mode by turning off its radio.
• The AP buffers (holds) frames destined for that station while it is in PS mode.
• At a certain interval the client wakes up to listen for a beacon from the AP.
• The beacon contains information on whether or not there are frames for this station at the AP.
• If there are no frames buffered for this station it can return to PS mode.
Power Save (PS) Operations
[Figure: the client says “There are frames for me! Please send them to me.” Exchange: Beacon (frames buffered); PS-Poll (send them to me); Frame 1; ACK.]
The basics:
• If there are frames buffered for this station it will poll the AP for those frames.
• The AP will then send the frames to the station.
Unicast Power Save Operations
[Figure: 1. Association Request; 2. Association Response.]
• When a client associates with an AP it specifies a listen interval.
• Listen interval – The number of beacons the client waits while in sleep mode before transitioning to active (awake) mode.
• The number of beacons per second may vary between APs, but the beacon frame has told the client how often those beacons are sent with the beacon interval, so the client knows when it needs to wake up.
Unicast Power Save Operations
[Figure: the client says “There are frames for me! Please send them to me.” Exchange: Beacon (frames buffered); PS-Poll (send them to me); Frame 1; ACK.]
• For example:
– If the listening interval on the client is 200 the client wakes up every 200 beacons.
– If the AP beacon interval is 100 (10 beacons per second)
– The client will wake up every 20 seconds to see if there are any frames buffered for it.
Power Save (PS) Operations
• How does an AP know if a station is in PS mode?
• Various frames contain this information, from the Station Connectivity Process, PS-Polling and Data Frames as the user may change this status any time.
• This information is contained in the Power Management sub-field of the Frame Control field which is in most 802.11 frames.
– 0 = Active mode, 1 = Power Save Mode
– Frames from AP always have a value of 0 (it cannot sleep)
FYI – A little more detail on Unicast PS Operations
[Figure: the client says “The AP tells me I am AID 29.” 1. Association Request; 2. Association Response, AID = 29.]
• Remember the Association Identifier (AID) in the Association Response, equivalent to a port on a switch.
• Each station receives a unique AID during the association phase.
• The TIM (Time Indication Map) in the beacon tells the station if there are any frames buffered for it in the AP.
• If the “flag” = 0 there are no frames buffered, “flag” = 1 there are frames being buffered.
FYI – A little more detail on Unicast PS Operations
[Figure: the client says “The AP told me I am AID 29. I see in the beacon that there are frames waiting for me. Let me ask for them.” During Assoc. Process: 1. Association Request; 2. Association Response, AID = 29. Then: Beacon; PS-Poll (send them to me); Frame 1; ACK.]
• The station sends a PS-Poll with its AID to get the frames.
• Much of the detail has been left out and if you are interested, see the two books I recommended at the beginning of the presentation.
FYI – A little more detail on Unicast PS Operations
• You won’t find an exact match here between the protocol decode and the TIM.
• See the Cisco Press book 802.11 Wireless LAN Fundamentals if you are interested in how this works.
Broadcast/Multicast Power Save Operations
• Broadcast and multicast traffic is buffered at the AP for all stations (including non-PS stations) when at least one associated station is in PS mode.
• The network administrator defines the interval for the client to wake up to receive broadcast and multicast traffic.
• A special TIM, known as a DTIM (Delivery Traffic Indication Map) indicates whether or not there is broadcast/multicast traffic buffered on the AP.
• If the TIM’s, DTIM Count field is 0, the AP has broadcast/multicast frames.
• DTIM information is not sent in every beacon, but on every DTIM count period (10th beacon in this example), and “getting in sync” depends on vendor.
• Rest of details can be found in Matthew Gast’s book if you are interested.
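Reading the TIM fields from the power-save slides above, as an added example that is not part of the original presentation: the element layout (ID 5, DTIM Count, DTIM Period, Bitmap Control, Partial Virtual Bitmap) is the standard 802.11 one, and the function names and SAMPLE_TIM bytes are constructed for the AID 29 station. Only a slice of the bitmap is transmitted, so the raw bytes line up with AID numbers only after the bitmap offset is applied.

```python
TIM_ELEMENT_ID = 5
TU_MICROSECONDS = 1024          # one time unit, as given in the slides


def parse_tim(element):
    """Split a TIM information element into its fields."""
    if len(element) < 6 or element[0] != TIM_ELEMENT_ID:
        raise ValueError("not a TIM element")
    if element[1] != len(element) - 2:
        raise ValueError("length field does not match the element")
    dtim_count, dtim_period, control = element[2], element[3], element[4]
    return {
        "dtim_count": dtim_count,          # beacons left until the next DTIM
        "dtim_period": dtim_period,        # a DTIM every this many beacons
        "is_dtim": dtim_count == 0,        # count 0: this beacon is a DTIM
        # Bit 0 of Bitmap Control: broadcast/multicast frames are buffered.
        "group_traffic": bool(control & 0x01),
        # Bits 1-7 hold the bitmap offset; the first octet sent is twice that.
        "first_octet": (control >> 1) * 2,
        "bitmap": element[5:],
    }


def frames_buffered(tim, aid):
    """True when the "flag" for this AID is 1 in the transmitted bitmap."""
    octet = aid // 8 - tim["first_octet"]
    if not 0 <= octet < len(tim["bitmap"]):
        return False            # outside the transmitted slice: all zero
    return bool((tim["bitmap"][octet] >> (aid % 8)) & 1)


def buffered_aids(tim):
    """All AIDs with unicast frames waiting (AID 0 is the group bit)."""
    base = tim["first_octet"] * 8
    return [base + i for i in range(len(tim["bitmap"]) * 8)
            if base + i != 0 and frames_buffered(tim, base + i)]


def wake_interval_seconds(listen_interval, beacon_interval_tu):
    """Time between wake-ups for a station that sleeps listen_interval beacons."""
    return listen_interval * beacon_interval_tu * TU_MICROSECONDS / 1_000_000


# Constructed TIM: DTIM Count 0, DTIM Period 10, Bitmap Control 0x03 (group
# traffic buffered, bitmap offset 1), Partial Virtual Bitmap 00 20.
SAMPLE_TIM = bytes([5, 5, 0, 10, 0x03, 0x00, 0x20])

if __name__ == "__main__":
    tim = parse_tim(SAMPLE_TIM)
    print("DTIM beacon:", tim["is_dtim"], "group traffic:", tim["group_traffic"])
    print("AIDs with buffered frames:", buffered_aids(tim))
    print("wake-up every", wake_interval_seconds(200, 100), "seconds")
```

The slides round one time unit to 1 millisecond, which is why they give 20 seconds where the exact figure is 20.48.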
802.11 Frame Formats
802.11 Frame Formats (Some of them)
• The following diagrams are FYI and from Cisco Press book 802.11 Wireless LAN Fundamentals by Pejman Roshan and Jonathan Leary.
802.11 Data Frame
Non-standard 802.11 Devices
• These devices either extend or fall outside the 802.11 standard and will be discussed in more detail in later sections:
– Repeater APs
– Universal Clients (Workgroup Bridges)
– Wireless Bridges