[Repost] Association and Authentication

Reposted from https://blog.csdn.net/sinat_20059415/article/details/88360493

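Preface: in the Wi-Fi connection captures I took, several kinds of frames are exchanged before the connection itself, so here I study what they are for.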

  • Probe Request/Response (active scan, as opposed to the beacon-based passive scan)
  • Authentication
  • Association Request/Response

 

References:

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11_Association_process_explained

https://wifibond.com/2017/04/08/802-11-association-process/

https://www.packet6.com/802-11-state-machine/

 

An access point acts as a hub between the station (client device) and other devices on the network. Before the station can send traffic through an access point, it must have established a connection state.

There are three 802.11 connection states:

State 1: Unauthenticated and Unassociated

State 2: Authenticated, Unassociated

State 3: Authenticated, Associated

The station must be in an authenticated and associated state before connection is established.

The station and AP will exchange a series of 802.11 management frames in order to get to an authenticated and associated state.

Beacons: The access point periodically sends a beacon frame to announce its presence and relay much of the information that stations need in order to connect to the wireless network.

Probe Request: A station sends probe requests to discover 802.11 networks within its proximity. Probe requests advertise the station's supported data rates and 802.11 capabilities such as 802.11n.

Probe Response: An access point receiving the probe request checks whether the station has at least one common supported data rate. If they share a common data rate, a probe response is sent advertising the SSID, supported data rates, encryption types if required, and other 802.11 capabilities of the access point.

Authentication Request: The station chooses an SSID/network from the probe responses it receives. It also checks compatibility of the encryption type. Once compatible networks are discovered, the station will attempt low-level 802.11 authentication with compatible access points. The station sends a low-level 802.11 authentication frame to an AP, setting the authentication to open and the sequence to 0x0001.

Authentication Response: The access point receives the authentication frame and responds to the station with an authentication frame set to open, indicating a sequence. If an access point receives any frame other than an authentication or probe request from a station that is not authenticated, it will respond with a deauthentication frame, placing the mobile into an unauthenticated and unassociated state. The station will have to begin the association process from the low-level authentication step. At this point the station is authenticated but not yet associated.

Association Request: Once the station determines which access point it would like to associate to, it will send an association request to that access point. The association request contains chosen encryption types and other compatible 802.11 capabilities.

Association Response: If the elements of the association request match the capabilities of the access point, it will create an Association ID for the mobile station and respond with an association response carrying a success message that grants network access to the mobile station.

Data: At this stage the connection is established, the station is successfully associated to the access point, and it is ready for data transfer.

 

Another article that covers the same material: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11_Association_process_explained

Access points are bridges that bridge traffic between mobile stations and other devices on the network. Before a mobile station can send traffic through an AP, it must be in the appropriate connection state.

 

The three 802.11 connection states are:

  • Not authenticated or associated.
  • Authenticated but not yet associated.
  • Authenticated and associated. 

A mobile station must be in an authenticated and associated state before bridging will occur.

The mobile station and AP will exchange a series of 802.11 management frames in order to get to an authenticated and associated state.

 

 

 

A mobile station starts out neither authenticated nor associated.

 

1. A mobile station sends probe requests to discover 802.11 networks within its proximity. Probe requests advertise the mobile station's supported data rates and 802.11 capabilities such as 802.11n. Because the probe request is sent from the mobile station to the destination layer-2 address and BSSID of ff:ff:ff:ff:ff:ff, all APs that receive it will respond.

2. APs receiving the probe request check to see if the mobile station has at least one common supported data rate. If they have compatible data rates, a probe response is sent advertising the SSID (wireless network name), supported data rates, encryption types if required, and other 802.11 capabilities of the AP. 

  A mobile station chooses compatible networks from the probe responses it receives. Compatibility could be based on encryption type. Once compatible networks are discovered, the mobile station will attempt low-level 802.11 authentication with compatible APs. Keep in mind that 802.11 authentication is not the same as the WPA2 or 802.1X authentication mechanisms, which occur after a mobile station is authenticated and associated. Originally, 802.11 authentication frames were designed for WEP encryption; however, this security scheme has been proven to be insecure and is therefore deprecated. Because of this, 802.11 authentication frames are open and almost always succeed.

3. A mobile station sends a low-level 802.11 authentication frame to an AP setting the authentication to open and the sequence to 0x0001.

4. The AP receives the authentication frame and responds to the mobile station with authentication frame set to open indicating a sequence of 0x0002.

  If an AP receives any frame other than an authentication or probe request from a mobile station that is not authenticated, it will respond with a deauthentication frame, placing the mobile into an unauthenticated and unassociated state. The station will have to begin the association process from the low-level authentication step. At this point the mobile station is authenticated but not yet associated. Some 802.11 capabilities allow a mobile station to low-level authenticate to multiple APs. This speeds up the association process when moving between APs. A mobile station can be 802.11 authenticated to multiple APs; however, it can only be actively associated and transferring data through a single AP at a time.

5. Once a mobile station determines which AP it would like to associate to, it will send an association request to that AP. The association request contains chosen encryption types if required and other compatible 802.11 capabilities.

If an AP receives a frame from a mobile station that is authenticated but not yet associated, it will respond with a disassociation frame placing the mobile into an authenticated but unassociated state. 

6. If the elements in the association request match the capabilities of the AP, the AP will create an Association ID for the mobile station and respond with an association response carrying a success message that grants network access to the mobile station.

7. Now the mobile station is successfully associated to the AP and data transfer can begin.

Note: If WPA/WPA2 or 802.1X authentication is required on the wireless network, the mobile station will not be able to send data until dynamic keying and authentication have taken place after the 802.11 Association is complete.

 

The article below is written somewhat better, but its images never finish loading... https://www.packet6.com/802-11-state-machine/

802.11 State Machine – Association and Authentication

September 29, 2015 by Rowell Dionicio

In the wired world, to connect to the network you would plug in your Ethernet cable into the switch. In the wifi world, you must connect to the access point. The process of connecting to an access point is called the 802.11 State Machine.

How do the station (STA) and access point agree to this connection?

I’m going to attempt to break it down step-by-step in this post.

802.11 State Machine

In my example, I have one STA connecting to an open SSID. The summary of it all is as follows:

  1. STA is unauthenticated and unassociated
  2. STA becomes authenticated and unassociated
  3. STA becomes authenticated and associated
  4. STA clears security requirements such as 802.1X, if required

 

Beacon/Probe

The STA begins the process by performing a passive or active scan. In the passive mode, the STA is listening for beacons from an access point. The beacon frame contains the BSSID which is the MAC address of the radio sourcing from the access point.

Wireshark capture of a beacon frame.

The beacon frame is a type of management frame defined in 802.11-2007. It includes capability information and parameters.

 

Active Scan / Probe

A probe is sourced from the STA requesting to join a wireless network. This is a probe request management frame. An access point responds to the probe with a probe response management frame.

In the probe request you will find the parameters as shown below. This is an example probe request from a STA broadcasted to any access point that can respond. The wireless network requested is eduroam.

 

Authentication

The probing/scanning phase is part of the unauthenticated and unassociated step. The STA has not authenticated with the access point and also is not associated with the access point. Think of authentication as plugging a computer into a port on a switch.

The STA must be authenticated to the access point before it is associated. It sounds backwards. These are the two states in this phase and it must be done in this order.

A STA can be in either of two states for each of Authentication and Association:

  • Unauthenticated or authenticated.
  • Unassociated or associated.

To begin the Authentication step, the STA sends an Authentication wireless management frame to the access point. The access point responds with an Acknowledgement frame.

Authentication frame sent to AP

Notice above, the Authentication Sequence is set to a state of 1.

The access point will acknowledge the Authentication frame from the STA and upon successful authentication, the access point will send an authentication frame to the STA with an Authentication Sequence with a State of 2, for success.

 

Access point sends an Authentication frame with a state of 2, for Successful.

Open System and Shared Key

If you noticed in the above successful authentication frame, the Authentication Algorithm was set to Open System. There are two types of methods for authentication.

  • Open System
  • Shared Key

Open System performs no client verification. This is the method used with SSIDs utilizing WPA, WPA2, and those with no password.

Shared Key uses a passphrase and contains a 4-way handshake for authentication. The STA sends a request to authenticate, access point receives the request and sends back a cleartext challenge, the STA encrypts and sends another authentication request based on the cleartext challenge and then the access point compares the STA’s challenge to the text. If successful, the STA is authenticated.

Association

Once the STA is authenticated to the access point, the next step is to become Associated. The Association occurs after the Shared Key Authentication or Open System Authentication Algorithm. There cannot be a STA that is Associated but not Authenticated. If the STA fails Authentication, it does not move to Association.

After the access point sends an Acknowledgement to the STA’s Authentication Response, the STA sends an Association Request.

The Association Request is Acknowledged by the access point which then sends an Association Response frame to the STA.

If the association is successful, the access point’s Association Response frame will contain a Status code: Successful.

 

The details within an Association Response include:

  • Capabilities Information such as
    • Supported Data Rates
    • HT Capabilities
    • HT Information such as the Primary Channel
    • WMM information
  • And more..

If the Status code is anything other than Successful, then the STA is deauthenticated.

Summary

The example above uses a STA that is trying to connect to a wireless network for the first time. The SSID is called TEST and does not have a password set up.

The STA probes for the SSID, moves into Authentication, transitions into Association, and is then successfully Authenticated and Associated. This last part indicates the STA can now send data wirelessly on the TEST network.

Below are the states a station cycles through to join a BSS:

  1. Unauthenticated and Unassociated.
  2. Authenticated but Unassociated.
  3. Authenticated and Associated.
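
The three states above, tracked by replaying management frames for one station, as an added example that is not from any of the reposted articles. It assumes bare 802.11 frames with no radiotap header; the MAC addresses, capability values and the helper names mgmt, track and sample_capture are constructed for illustration.

```python
import struct

# Management subtypes (frame-control bits 4-7; type bits 2-3 are 0).
ASSOC_REQ, ASSOC_RESP, DISASSOC, AUTH, DEAUTH = 0x0, 0x1, 0xA, 0xB, 0xC
STA = bytes.fromhex("02aabbccdd01")  # constructed station MAC
AP = bytes.fromhex("02aabbccdd02")   # constructed AP MAC / BSSID

def mgmt(subtype, dst, src, body=b""):
    """Build FC, duration, addr1-3, sequence control, then body (constructed)."""
    return bytes([subtype << 4, 0, 0, 0]) + dst + src + AP + b"\x00\x00" + body

def track(frames, sta=STA, ap=AP):
    """Replay management frames; return (final 802.11 state, events)."""
    state, events = 1, []
    for raw in frames:
        if len(raw) < 24 or (raw[0] >> 2) & 3:  # too short or not management
            continue
        subtype, dst, src, body = raw[0] >> 4, raw[4:10], raw[10:16], raw[24:]
        if {dst, src} != {sta, ap}:              # other stations, broadcasts
            continue
        if subtype == AUTH and len(body) >= 6:
            alg, seq, status = struct.unpack_from("<HHH", body)
            if src == ap and seq == 2 and status == 0:
                state = max(state, 2)            # state 1 -> 2
            events.append(f"auth alg={alg} seq={seq} status={status}")
        elif subtype == ASSOC_REQ and src == sta and state < 2:
            events.append("assoc request before authentication")
        elif subtype == ASSOC_RESP and src == ap and len(body) >= 6:
            _cap, status, aid = struct.unpack_from("<HHH", body)
            if status == 0 and state == 2:
                state = 3                        # state 2 -> 3
            events.append(f"assoc response status={status} aid={aid & 0x3FFF}")
        elif subtype == DEAUTH:
            state = 1                            # back to state 1
            events.append("deauthentication")
        elif subtype == DISASSOC:
            state = min(state, 2)                # authenticated, unassociated
            events.append("disassociation")
    return state, events

def sample_capture():
    """Constructed open-system join: auth seq 1 and 2, then association."""
    return [
        mgmt(AUTH, AP, STA, struct.pack("<HHH", 0, 1, 0)),
        mgmt(AUTH, STA, AP, struct.pack("<HHH", 0, 2, 0)),
        mgmt(ASSOC_REQ, AP, STA, struct.pack("<HH", 0x0421, 10)),
        mgmt(ASSOC_RESP, STA, AP, struct.pack("<HHH", 0x0421, 0, 0xC001)),
    ]
```

Calling track(sample_capture()) ends in state 3; dropping the AP's sequence-2 authentication frame from the list leaves the station in state 1 and records the out-of-order association request.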