Wireless gurus - how does layer1/2 work?

spidey07

No Lifer
Aug 4, 2000
Can anybody explain how probe requests/response and beacons work?

How does it affect association?

From what I've seen (sniffer) the client sends out a probe request/layer2 bcast saying "what's the SSID?" APs then answer. Then more requests and more responses. Looking at these requests/responses there is a ton of information in the responses like data rates, basic rates, capabilities and a whole lot else.

Will the ap/client not associate if there is a disagreement between client and ap capabilities? There are many different models/versions of access points and you can see that the probe responses are very different between them.
 

m1ldslide1

Platinum Member
Feb 20, 2006
I'm having trouble thinking of anything that would keep the client from associating. I think that all the AP or client should care about is SSID, encryption method, and authentication type.

Maybe this is a bad analogy, but if CDP is enabled on a L2 port it won't affect the client connecting at all - those frames are only for other Cisco devices and any host or alternate vendor switch that is connected will simply disregard. I just thought of CDP because it also contains a whole lot of information about the transmitting device.

I'd be curious what the 'capabilities' are. Again, for the switchport, it's a list of supported featuresets, and a connecting device may not be able to support them but will still negotiate the link and pass traffic.
 

spidey07

No Lifer
Aug 4, 2000
Looking at the actual "probe request" and "probe response" packets is where you see the differences between different access points and different software versions.

There isn't any negotiation/handshaking that occurs from what I can gather. Client just says "this is what I can do, what can AP do?" I'm having trouble wrapping my arms around what is acceptable and what is not.

All APs respond to the query (probe request) with their settings such as long/short preamble, slot time, DTIM time, data rates and a whole slew of other information in the form of information elements. From there the client decides that it will not attempt to associate.

I've compared these information elements and the capabilities section of the 802.11 frame and there are marked differences. Mainly in the capabilities section and the types/content of the information elements. This is all 802.11 management frames and not actual data.
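To make the comparison spidey07 describes concrete, here is an added example (not code from anyone in this thread) that decodes the fixed Capability Information field and the common information elements of a beacon/probe response body: SSID, supported rates with the basic-rate flag, channel, DTIM period and the ERP element. The frame body is constructed inline for the example; the field layouts and bit names are the standard 802.11 ones.

```python
import struct
# Fixed Capability Information field (2 bytes, little-endian) of beacons/probe responses
CAP_BITS = {0: "ESS", 1: "IBSS", 4: "Privacy", 5: "ShortPreamble",
            8: "SpectrumMgmt", 10: "ShortSlotTime", 13: "DSSS-OFDM"}
ERP_BITS = {0: "NonERP_Present", 1: "Use_Protection", 2: "Barker_Preamble_Mode"}  # ERP IE (ID 42)

def parse_mgmt_body(body: bytes) -> dict:
    """Decode a beacon / probe response body (after the 24-byte MAC header):
    timestamp(8) | beacon interval(2) | capability(2) | IEs as (id, len, data)..."""
    if len(body) < 12:
        raise ValueError("frame body too short for the fixed fields")
    _ts, interval, cap = struct.unpack_from("<QHH", body, 0)
    out = {"beacon_interval_tu": interval, "ie_ids": [],
           "capabilities": sorted(n for b, n in CAP_BITS.items() if cap & (1 << b)),
           "rates_mbps": [], "basic_rates_mbps": []}
    off = 12
    while off + 2 <= len(body):
        ie_id, ie_len = body[off], body[off + 1]
        data = body[off + 2:off + 2 + ie_len]
        if len(data) != ie_len:           # truncated IE: stop rather than mis-parse
            out["truncated"] = True
            break
        out["ie_ids"].append(ie_id)
        if ie_id == 0:                    # SSID
            out["ssid"] = data.decode("utf-8", "replace")
        elif ie_id in (1, 50):            # Supported / Extended Supported Rates
            for r in data:
                mbps = (r & 0x7F) / 2     # encoded in units of 500 kb/s
                out["rates_mbps"].append(mbps)
                if r & 0x80:              # MSB set = member of the BSS basic rate set
                    out["basic_rates_mbps"].append(mbps)
        elif ie_id == 3 and ie_len == 1:  # DS Parameter Set: channel
            out["channel"] = data[0]
        elif ie_id == 5 and ie_len >= 3:  # TIM: count, period, bitmap control, bitmap
            out["dtim_period"] = data[1]
        elif ie_id == 42 and ie_len >= 1: # ERP Information (layer-1 protection flags)
            out["erp"] = sorted(n for b, n in ERP_BITS.items() if data[0] & (1 << b))
        off += 2 + ie_len
    return out

def rate_mismatch(ap: dict, client_rates: list) -> list:
    """Basic rates the AP mandates that the client lacks; non-empty means no association."""
    return [r for r in ap["basic_rates_mbps"] if r not in client_rates]

# Constructed sample body: 802.11g AP "lab", channel 6, privacy on, DTIM period 3,
# ERP Use_Protection set, basic rates 1/2/5.5/11 plus optional OFDM rates.
SAMPLE = (struct.pack("<QHH", 0x1234, 100, 0x0431)   # ESS|Privacy|ShortPreamble|ShortSlotTime
          + bytes([0, 3]) + b"lab"
          + bytes([1, 8, 0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])
          + bytes([3, 1, 6]) + bytes([5, 4, 0, 3, 0, 0]) + bytes([42, 1, 0x02])
          + bytes([50, 4, 0x30, 0x48, 0x60, 0x6C]))
```

Feed `parse_mgmt_body` the body of two APs' probe responses from a sniff and diff the resulting dicts; `rate_mismatch` flags the one disagreement (a basic rate the client cannot do) that by itself prevents association.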
 

nweaver

Diamond Member
Jan 21, 2001
spidey, you need me to look at some sniffs? I'm not the L2 guy for wireless, but he sits in the next cubicle over...
 

spidey07

No Lifer
Aug 4, 2000
If you don't mind. The differences are blatantly obvious, I just don't understand.

Client sends out only SSID and data rates. Successful association is to an AP that only sends SSID and data rates.

Modern APs respond with many more information elements than just SSID and data rate. But you're right, this is all done at layer2. There's ERP, CCX, aironet extensions in there that I don't know about. Even though I've disabled aironet extensions.

The most concerning are the ERP elements as they seem to contain layer1 information.
 

spidey07

No Lifer
Aug 4, 2000
Oh, lots of the management frames dictated what modes of encryption and what the access point allows.

This particular problem was caused by a client using pre-shared authentication for WEP instead of open. So client and AP didn't agree on what kind of authentication to use.
 

cmetz

Platinum Member
Nov 13, 2001
spidey07, my understanding is that the probe request says "what APs with the following criteria are out there" - SSID can be filled in or can be a wildcard. In response to this the AP sends out a probe reply, which contains among other things its MAC address, SSIDs, capabilities, and rates. APs also beacon periodically with the same information. I believe there is supposed to be a rate limit on the probe reply packets. I believe that the association request also clues in the AP as to what was accepted by the client, and the association reply is a final ACK. So there are actually two round trips, I believe. The client can also just sit around and listen for a beacon and start at step two.

I admit to not having read 802.11 et al., but it probably does define how the client decides whether the AP is one it can associate with. IEEE specs are usually quite thorough, even though the information contained in them might not be easily approachable.

802.11 is a protocol with too many knobs. That's the real problem.