Last Post: November 26, 2014:
I have a question about the 802.11 standard with regard to reason code 5 deauths [reason code 5 = Disassociated because AP is unable to handle all currently associated STAs].
If/when a STA receives a deauth with a reason code 5, does the 802.11 standard set forth rules for how the STA should/will react, or is this vendor specific?
In other words, will the STA try to associate to the next AP in its known AP list from the last network scan it performed? Or will the STA rescan the network? If it rescans, won't it find the AP that just deauthenticated it and try to re-attach? Or is there an IE in the management frame of the AP that tells the clients its current load so the client will then try to associate to a different AP?
This is controlled by the client device and the people who programmed it. And just because it uses the same chipset as another device, it is no guarantee how a different one will react. Or even how the next product, from the same manufacturer, will react!
There are several situations similar to this, and from the client manufacturer's side, the problem gets even more complicated - not all APs follow the standards or act logically.
For example, if you were to try to associate to an AP that is already at max connections, it may or may not tell the client that that is the case. Some will just hang there, seemingly authenticated, and not respond to association requests. So what state is it in then?
This is usually on SOHO APs, not Enterprise. Take four APs and you may get four different results. This is where having a wireless sniffer is critical. Trying to figure it out by only watching its L3 connectivity won't tell you much.
Although IEEE standards do not tackle some of these issues, the WFA certification tests address many, but not all, of them. These are, after all, interoperability issues. Unfortunately their test methodologies are not publicly available, even if the certification standard is published (and is sold to non-members).
Thanks for the response, Howard. As I thought, there is nothing in the 802.11 spec that determines how the client will react; it is vendor specific. These are Enterprise class clients (Motorola Solutions mobile terminals running Windows CE) and Enterprise class APs (Cisco or Motorola).
Just curious. What exam study material covers reason codes for the deauth? I am only 2 exams in so far, but I did not see reason codes mentioned for the CWNA or CWSP. Is this in the CWAP material? Where would this be found in a packet capture?
The deauthentication frame and its reason code are briefly mentioned on page 142 of the CWAP Study Guide; however, they are not addressed in depth there. This is why I recommend anyone studying WLAN analysis have a copy of the 802.11 standard document. For the books to reproduce all of the material would be overkill given that the standard is available.
If you have the standard (802.11-2012), you can see on pages 442-445 the table giving possible reason codes and their meaning.
When doing a protocol capture, the reason code should be decoded for Deauthentication frames (which are management frames) and you will either just see a number or a number with an explanation. If you just see a number, refer to the above referenced pages in the 802.11-2012 standard. For example, reason code 3 is common and means that the station has left the BSS and was simply kind enough to send a notification first :-)
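For readers wondering where the reason code sits in a capture, the following is an added example, not part of the thread: a small Python decoder that reads the two-byte reason code that follows the 24-byte management header of a deauthentication or disassociation frame. It assumes raw 802.11 frame bytes starting at the Frame Control field (no radiotap header); the sample frames, MAC addresses and the `build` helper are constructed for illustration, and the reason table is deliberately partial.

```python
import struct

# Partial table; the complete list is the reason-code table in 802.11-2012.
REASONS = {
    1: "Unspecified reason",
    3: "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS",
    5: "Disassociated because AP is unable to handle all currently associated STAs",
    8: "Disassociated because sending STA is leaving (or has left) BSS",
}
SUBTYPES = {10: "disassociation", 12: "deauthentication"}  # management subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_reason(frame):
    """Return a dict for a deauth/disassoc frame, None for any other frame."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    fc0, flags = frame[0], frame[1]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in SUBTYPES:
        return None  # not a management-type deauth/disassoc frame
    info = {"kind": SUBTYPES[subtype], "dst": mac(frame[4:10]),
            "src": mac(frame[10:16]), "bssid": mac(frame[16:22]),
            "reason": None, "meaning": None}
    if flags & 0x40:  # Protected bit set: body is encrypted, code unreadable
        info["meaning"] = "protected management frame, reason code encrypted"
        return info
    body = 24 + (4 if flags & 0x80 else 0)  # Order bit set: HT Control present
    if len(frame) < body + 2:
        raise ValueError("frame truncated before the reason code")
    (code,) = struct.unpack_from("<H", frame, body)
    info["reason"] = code
    info["meaning"] = REASONS.get(code, "not in this partial table")
    return info

# Constructed sample frames (made-up locally administered MAC addresses).
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def build(subtype, reason, flags=0):
    header = bytes([subtype << 4, flags]) + b"\x00\x00" + STA + AP + AP + b"\x00\x00"
    return header + struct.pack("<H", reason)

SAMPLES = [build(10, 5), build(12, 3), build(12, 7, flags=0x40)]

if __name__ == "__main__":
    for f in SAMPLES:
        print(parse_reason(f))
```

The third sample has the Protected bit set, so the decoder reports the frame but leaves the reason as `None` rather than misreading encrypted bytes as a code.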