I am trying to understand when a client learns of the authentication capabilities of a WLAN.
If I look at a beacon using WPA2 PSK, it has RSN capabilities; however, if I look at an open SSID beacon, I see no detail of the auth mechanism required.
When I did a packet capture the first auth packet on an open SSID was from a client with "open auth". How did it learn that this SSID is open?
I might be missing something basic here.
The authentication frameworks and key exchanges are covered in depth in Chapters 4, 5 and 8 of the CWSP-205 training, including the details of the AKM and frames, as frames are dynamic with (RSN) IE. We provide both instructor-led training (www.globeron.com/cwnp/training) as well as online training (www.globeron.com/onlinetraining), including much additional information.
You sorta answered your own question about the "open network". Let me explain; I hope this helps.
Your radio is doing passive scanning; by this I mean it's listening for beacons. It will bring the beacon in and read it to see what the network capabilities are. As you point out, if you use PSK or 802.1X you will see RSN. If the network is not configured for security, guess what... There is no RSN :). So the client reading the beacon says "Hey --- no security ..."
I did a blog post on Aruba Airheads discussing RSN which might help as well.
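Added example, not part of the thread or of any poster's code: a minimal Python sketch of the decision described above, walking the tagged elements of a beacon body and reporting "open" when no RSN element (ID 48) is present, or the advertised AKM (PSK / 802.1X) when it is. The function names and the sample beacons are constructed for illustration; the Privacy-bit check for pre-RSN networks goes beyond what the thread covers.

```python
import struct

RSN_IE = 48  # element ID of the RSN information element
AKM_NAMES = {1: "802.1X", 2: "PSK"}  # suite types under OUI 00-0F-AC

def elements(body):
    """Yield (id, value) for each tagged element after the 12 fixed bytes."""
    pos = 12  # timestamp(8) + beacon interval(2) + capability info(2)
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:  # truncated element: stop instead of guessing
            return
        yield eid, value
        pos += 2 + length

def akm_suites(rsn):
    """Return AKM names from an RSN element value; [] if it is too short."""
    if len(rsn) < 8:  # version(2) + group cipher(4) + pairwise count(2)
        return []
    pos = 8 + 4 * struct.unpack_from("<H", rsn, 6)[0]  # skip pairwise list
    if len(rsn) < pos + 2:
        return []
    count = struct.unpack_from("<H", rsn, pos)[0]
    names = []
    for i in range(count):
        suite = rsn[pos + 2 + 4 * i:pos + 6 + 4 * i]
        if len(suite) < 4:
            break
        known = suite[:3] == b"\x00\x0f\xac"
        names.append(AKM_NAMES.get(suite[3], suite.hex()) if known else suite.hex())
    return names

def classify(body):
    """Return (kind, akms) for a beacon frame body (after the MAC header)."""
    # Privacy is bit 4 of the capability field; struct.error if body < 12 bytes.
    privacy = bool(struct.unpack_from("<H", body, 10)[0] & 0x0010)
    for eid, value in elements(body):
        if eid == RSN_IE:
            return "RSN", akm_suites(value)
    return ("pre-RSN privacy" if privacy else "open"), []

# Constructed sample beacons (not captured traffic).
def make_beacon(capability, *ies):
    fixed = bytes(8) + struct.pack("<HH", 100, capability)
    return fixed + b"".join(bytes([i, len(v)]) + v for i, v in ies)

RSN_PSK = bytes.fromhex("0100000fac040100000fac040100000fac020000")
OPEN_BEACON = make_beacon(0x0001, (0, b"lab"))
PSK_BEACON = make_beacon(0x0011, (0, b"lab"), (RSN_IE, RSN_PSK))
```

`classify(OPEN_BEACON)` returns `("open", [])` and `classify(PSK_BEACON)` returns `("RSN", ["PSK"])`.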