Preauthentication and the Common Misunderstanding


By CWNP On 10/22/2010 - 6 Comments

Preauthentication is a seemingly duplicitous SOB of a protocol. Since I’ve had this same conversation at least 3 times in the last few weeks, it seemed a good time to extract the truth. You ready? Get your SCUBA (did you know that SCUBA is an acronym?) gear, ’cause we’re going deep.

As we learn in CWTS and CWNA, modern Wi-Fi “connections” go through a process that includes 802.11 open system authentication, 802.11 association, and then onto bigger and better things (assuming some security is employed). The first two steps here (open authentication and association) comprise something called the 802.11 state machine. That is, you can either be:

1. Neither authenticated nor associated
2. Authenticated but not associated
3. Authenticated and associated

Authentication is a bit like the polygamy of Wi-Fi connectivity. Stations can authenticate with as many APs as they’d like, in theory. Association is more like monogamy, where the station must pick one AP and only one AP. Stations must be authenticated before being associated. So, a station could be authenticated (again, open system) to many APs while being associated with only one AP. Performing open authentication with many APs prior to roaming will make the reassociation process slightly more efficient, though this benefit is negligible. This is often thought of (wrongly) as preauthentication, but preauthentication is much larger than this.

In networks supporting 802.1X, when a client decides to roam to a new AP, it has to perform the full 802.1X authentication with the new AP, which can take a long time, creating application performance problems. Blah Blah Blah. By now, I think we all know the fast secure roaming problem. Anyway, preauthentication is the process of performing the 802.1X authentication (and possibly the open system authentication) with an AP prior to a roam. This is done with the future AP, through the current AP, over the wire. In the 802.1X world, this creates a PMK between the client and the future AP. The client can reference this PMK when it does decide to reassociate to the future AP, bypassing the time-consuming process of 802.1X authentication, thus making the roam more efficient.

In the initial introduction of preauthentication ( in the 802.11 spec, it sounds like preauthentication is defined for pre- open system authentication. That’s because the IEEE uses some vague terminology to describe preauthentication and they do so right after telling you that stations can perform open system authentication with many other STAs at the same time. You can see this confusing vagueness by reading and then of 802.11-2007. Now you may be saying to yourself, that’s a pretty accusatory thing to say, Marcus. And, you’d be right, if I didn’t have this in my back pocket.

802.11-2007, states:
“A STA shall not use preauthentication except when pairwise keys [meaning WPA or WPA2 security] are employed. Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.

When preauthentication is used, then a) Authentication is independent of roaming. b) The STA’s Supplicant may authenticate with multiple APs at a time.”

So, the IEEE is tying preauthentication to both an RSN (as shown in this quote) and 802.1X (which they do after the quote above). I know my selective quotation here can make things a bit confusing, but you can be sure that as they talk about preauthentication in Clause 8, the 802.11 writers are unmistakably saying preauthentication is a way of doing 802.1X before an actual roam; this has nothing at all to do with the open system authentication state.

Now, given this information, I suspect that no client or AP vendor in the market today will prevent a client from open system authenticating with many APs at the same time (which the quote above seems to forbid) because it just doesn’t hurt anything. But my question would be: what is the benefit? Open system authentication is not the cause of slow roams, 802.1X is.

Anyway, the whole point is not so much about rules and what you can and cannot do. It’s about terminology. Preauthentication is for 802.1X. Open system authenticating to multiple APs just for giggles is not preauthentication, in the formal sense of the term. 802.1X authenticating with future APs is preauthentication.
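The rule quoted above, that preauthentication may be used only when the new AP advertises it in the RSN information element, can be checked directly against a beacon or probe response. The following is an added example, not code from the original post: it parses the RSN IE and reads the preauthentication bit (bit 0 of RSN Capabilities). The function names are hypothetical and the sample bytes are constructed, not captured.

```python
import struct

RSN_EID = 48          # element ID of the RSN information element
PREAUTH_BIT = 0x0001  # bit 0 of the 2-octet RSN Capabilities field

# Constructed sample elements (not captured traffic): SSID "lab", an RSN IE with
# CCMP + 802.1X and the preauthentication bit set, and a vendor-specific WPA IE.
SSID = bytes([0, 3]) + b"lab"
RSN_IE = bytes.fromhex("3014" "0100" "000fac04" "0100000fac04" "0100000fac01" "0100")
WPA_IE = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "01000050f202" "01000050f201")

def parse_rsn_body(body: bytes) -> dict:
    """Parse an RSN IE body (the octets after ID and Length). Every field after
    Version is optional, so parsing stops cleanly wherever the body ends."""
    rsn = {"version": None, "group": None, "pairwise": [], "akm": [],
           "preauth": False, "pmkids": []}
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated RSN IE")
        off += n
        return body[off - n:off]

    rsn["version"] = struct.unpack("<H", take(2))[0]
    if off < len(body):
        rsn["group"] = take(4).hex()
    for key in ("pairwise", "akm"):      # 2-octet count, then 4-octet suite selectors
        if off < len(body):
            rsn[key] = [take(4).hex() for _ in range(struct.unpack("<H", take(2))[0])]
    if off < len(body):
        rsn["preauth"] = bool(struct.unpack("<H", take(2))[0] & PREAUTH_BIT)
    if off < len(body):                  # PMKID Count, then 16-octet PMKIDs
        rsn["pmkids"] = [take(16).hex() for _ in range(struct.unpack("<H", take(2))[0])]
    return rsn

def advertises_preauth(tagged: bytes) -> bool:
    """Walk the ID/Length/Value elements of a beacon or probe response body and
    report whether an RSN IE sets the preauthentication capability bit."""
    off = 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        value = tagged[off + 2:off + 2 + length]
        if len(value) < length:
            raise ValueError("truncated element")
        if eid == RSN_EID:
            return parse_rsn_body(value)["preauth"]
        off += 2 + length
    return False  # no RSN IE (for example only a WPA IE): nothing is advertised
```

A frame that carries only the vendor-specific WPA IE falls through to `False`, because the capability is advertised in the RSN IE.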

Tagged with: 802.1X, IEEE, 802.11, preauthentication, open system authentication, association, roaming

6 Responses to Preauthentication and the Common Misunderstanding

10/29/2010 at 11:47am
I took the liberty of validating my previous comment by snagging a few screenshots of decoded WPA and RSN IEs. See the links below, which show the WPA and RSN IEs in their entirety. The first shows a WPA IE in a beacon, which you can compare with the third, showing an RSN IE in a probe response. Then compare the second and fourth images, showing a WPA IE in an association request (note the lack of PMKID Count) and an RSN IE in an association request (note the presence of the PMKID Count, though it is set to 0, so does not contain the PMKID List field).

Notice that the OUI is changed from 00:0F:AC to 00:50:F2 (IEEE to Wi-Fi Alliance), but the coding of ciphers and authentication types remains the same. There is no preauthentication bit to set in WPA IEs and there are no PMKID count or list fields in (re)association frames.

10/29/2010 at 09:40am
Thanks Zach for the follow-up. It's probably not necessary to chime in on top of that, but he's exactly right. The preauthentication bit is always set to 0 in WPA. Also, the PMKID count and list fields are not used either. So, inasmuch as devices follow the WPA implementation doc (using the WPA IE instead of RSNIE), other FSR like PMK caching and OKC would not be supported either.
To Andy's question, the primary difference is that with preauthentication, the client must do the full 802.1X with each future AP prior to roaming. This is a fair amount of additional overhead. In OKC (OPMK Caching) and CCKM, the current AP (or WLC) passes the keying material to other APs (or the WDS) and the client and future APs use that same source keying material without performing a full 802.1X authentication. Make sense? Good question.

Andrew Pennington Says:
10/27/2010 at 16:26pm
How does preauthentication differ from OPMK Caching and CCKM?

Zahari Georgiev Says:
10/26/2010 at 14:54pm
I hope you don’t mind me answering Andrew’s question for you.
You are correct, WPA does not support pre-authentication. WPA beacons don’t have an RSN field (like you mentioned) and therefore cannot advertise pre-authentication capability.

10/22/2010 at 17:05pm
Hi Marcus,
Great write-up. I've never thought there was misunderstanding out there around this feature, but I guess there obviously is.
Also, wouldn't pre-authentication only be valid for an 802.11i (WPA2) RSN network since the 802.11-2007 standard specifically states the pre-authentication capability is advertised in the RSN IE? This would mean that Wi-Fi Alliance pre-standard WPA would not be able to use this feature since it uses the WPA IE, not the RSN IE.
