Preauthentication and the Common MisunderstandingBy CWNP On 10/22/2010 - 10 Comments
Preauthentication is a seemingly duplicitous SOB of a protocol. Since I’ve had this same conversation at least 3 times in the last few weeks, it seemed a good time to extract the truth. You ready? Get your SCUBA (did you know that SCUBA is an acronym?) gear cause we’re going deep.
As we learn in CWTS and CWNA, modern Wi-Fi “connections” go through a process that includes 802.11 open system authentication, 802.11 association, and then onto bigger and better things (assuming some security is employed). The first two steps here (open authentication and association) comprise something called the 802.11 state machine. That is, you can either be:
1. Neither authenticated nor associated 2. Authenticated but not associated 3. Authenticated and associated
Authentication is a bit like the polygamy of Wi-Fi connectivity. Stations can authenticate with as many APs as they’d like, in theory. Association is more like monogamy, where the station must pick one AP and only one AP. Stations must be authenticated before being associated. So, a station could be authenticated (again, open system) to many APs while being associated with only one AP. Performing open authentication with many APs prior to roaming will make the reassociation process slightly more efficient, though this benefit is negligible. This is often thought of (wrongly) as preauthentication, but preauthentication is much larger than this.
In networks supporting 802.1X, when a client decides to roam to a new AP, it has to perform the full 802.1X authentication with the new AP, which can take a long time, creating application performance problems. Blah Blah Blah. By now, I think we all know the fast secure roaming problem. Anyway, preauthentication is the process of performing the 802.1X authentication (and possibly the open system authentication) with an AP prior to a roam. This is done with the future AP, through the current AP, over the wire. In the 802.1X world, this creates a PMK between the client and the future AP. The client can reference this PMK when it does decide to reassociate to the future AP, bypassing the time consuming process of 802.1X authentication, thus making the roam more efficient.
In the initial introduction of preauthentication (18.104.22.168.1) in the 802.11 spec, it sounds like preauthentication is defined for pre- open system authentication. That’s because the IEEE uses some vague terminology to describe preauthentication and they do so right after telling you that stations can perform open system authentication with many other STAs at the same time. You can see this confusing vagueness by reading 22.214.171.124 and then 126.96.36.199.1 of 802.11-2007. Now you may be saying to yourself, that’s a pretty accusatory thing to say, Marcus. And, you’d be right, if I didn’t have this in my back pocket.
802.11-2007, 188.8.131.52 states:
“A STA shall not use preauthentication except when pairwise keys [meaning WPA or WPA2 security] are employed. Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.
When preauthentication is used, then a) Authentication is independent of roaming. b) The STA’s Supplicant may authenticate with multiple APs at a time.”
So, the IEEE is tying preauthentication to both an RSN (as shown in this quote) and 802.1X (which they do after the quote above). I know my selective quotation here can make things a bit confusing, but you can be sure that as they talk about preauthentication in Clause 8, the 802.11 writers are unmistakably saying preauthentication is a way of doing 802.1X before an actual roam; this has nothing at all to do with the open system authentication state.
Now, given this information, I suspect that no client or AP vendor in the market today will prevent a client from open system authenticating with many APs at the same time (which the quote above seems to forbid) because it just doesn’t hurt anything. But my question would be: what is the benefit? Open system authentication is not the cause of slow roams, 802.1X is.
Anyway, the whole point is not so much about rules and what you can and cannot do. It’s about terminology. Preauthentication is for 802.1X. Open system authenticating to multiple APs just for giggles is not preauthentication, in the formal sense of the term. 802.1X authenticating with future APs is preauthentication.Tagged with: 802.1X, IEEE, 802.11, preauthentication, open system authentication, association, roaming