dslreports logo
    All Forums Hot Topics Gallery


Search Topic:
share rss forum feed



An authentication frame from an already associated station.

Hi everyone!

This is my first post here but hopefully someone can help me in my sophisticated security problems concerning about 802.11 network.

Here is a simple situation. Let's suppose we have an access point (AP) and a station (STA) and a WPA2 for security but the chosen security system isn't an issue here. The STA has made correctly all authentications and associations that is needed before it can send and receive a data via the AP. Then the AP get an authentication frame (precisely an open system authentication because the WPA2 was used) from the STA or at least it looks like it's coming from the STA because of its MAC address.

What does the AP do in this situation? Does it just ignore the authentication frame or does it start the association process again and send the authentication frame to the STA and then keep waiting an association request frame etc.?

The main concern here is that doing either way it looks like there is a security problem. Lets suppose first that the AP always ignore the frame in above situation. When the STA wants to leave from the AP it sends an deauthentication frame. If there is an attacker doing jamming attack near the AP so that the AP can't get the deauthentication frame it can't also send back an acknowledgement frame to the STA. The STA makes some resend and finally leave anyway. However from the AP point of view the STA is still associated. If the STA soon comes back and start the association process again and send the authentication frame to the AP it just ignore that! The STA can't anymore associate to the AP.

The other option was that the AP always accept the authentication frame but this is even more dangerous choice! The attacker can spoof the MAC address and send the authentication frame behalf the STA to the AP and the AP start the association process again from beginning. The STA have to again spend time to this process instead of sending or receiving a data normally.

So, what the access point is doing when it get the authentication frame from the station that is already associated? How the AP defends against the problem that comes because of the chosen solution? Is there in the AP some timer when counting to zero without getting any frame from the STA it is assumed to leave? Is there some frame that the STA sends time to time to the AP just telling it's alive? As far as I know there isn't that kind of frame in the 802.11 network and there might also arise some problems if timer is used.

Thanks in advance for your solutions and ideas!

(I am sorry about my bad English but I hope you got the point.)

Two suggestions, a) read up on the RFC, or b) (if you're a geek at heart) try it out yourself.

It's been awhile since I've done any wireless, but your three basic states are unathenticate / unassociated ->
authenticated / unassociated -> authenticated / associated. Basically you're asking during the
authenticated / associated state, what happens if an authentication frame is seen?



You understood right what I was meaning but maybe I should have clarified myself a little better. I am working on my thesis in a university and my previously described problems pop up in to my mind when I was studying the 802.11 standard (IEEE Std. 802.11-2007) that specify the 802.11 network.

I am familiar with these three states and transitions between them. And I also know that only some of all possible frames are allowed in these three states. For example the data frame is allowed only from stations that are in state three. If the AP get the data frame from stations that is in state one, the AP disallow the received data frame and sends the deauthentication frame back. But as far as I have understood authentication frames are always allowed by the access point. (That is the AP doesn't send the deauthentication frame back to the station that sent the authentication frame.)

But still it's a mystery to me what the AP is doing when receiving the authentication frame from the station that is in a state three (or in other words, from the station that has already authenticated and associated) and how security problems that I described earlier has been solved in the 802.11 network.

Okay, I know that this is a quite specific problem. I could of course implement this myself but there is one problem...I don't have any laptop or an access point myself (believe it or not). Probably I should go to some of my friends who have proper devices.

I just thought that maybe someone here would have an answer to my unquestionably a little theoretical problem. Anyway, thanks for your ideas.

reply to Telegraph
said by Telegraph :

Probably I should go to some of my friends who have proper devices.

As an old instructor of mine used to say, "proof's in the pudding" (PITP protocol).