Preauthentication and the Common Misunderstanding

Preauthentication and the Common Misunderstanding

By CWNP On 10/22/2010 - 10 Comments

Preauthentication is a seemingly duplicitous SOB of a protocol. Since I’ve had this same conversation at least 3 times in the last few weeks, it seemed a good time to extract the truth. You ready? Get your SCUBA (did you know that SCUBA is an acronym?) gear cause we’re going deep.

As we learn in CWTS and CWNA, modern Wi-Fi “connections” go through a process that includes 802.11 open system authentication, 802.11 association, and then onto bigger and better things (assuming some security is employed). The first two steps here (open authentication and association) comprise something called the 802.11 state machine. That is, you can either be:

1. Neither authenticated nor associated 2. Authenticated but not associated 3. Authenticated and associated
Authentication is a bit like the polygamy of Wi-Fi connectivity. Stations can authenticate with as many APs as they’d like, in theory. Association is more like monogamy, where the station must pick one AP and only one AP. Stations must be authenticated before being associated. So, a station could be authenticated (again, open system) to many APs while being associated with only one AP. Performing open authentication with many APs prior to roaming will make the reassociation process slightly more efficient, though this benefit is negligible. This is often thought of (wrongly) as preauthentication, but preauthentication is much larger than this.

In networks supporting 802.1X, when a client decides to roam to a new AP, it has to perform the full 802.1X authentication with the new AP, which can take a long time, creating application performance problems. Blah Blah Blah. By now, I think we all know the fast secure roaming problem. Anyway, preauthentication is the process of performing the 802.1X authentication (and possibly the open system authentication) with an AP prior to a roam. This is done with the future AP, through the current AP, over the wire. In the 802.1X world, this creates a PMK between the client and the future AP. The client can reference this PMK when it does decide to reassociate to the future AP, bypassing the time consuming process of 802.1X authentication, thus making the roam more efficient.

In the initial introduction of preauthentication ( in the 802.11 spec, it sounds like preauthentication is defined for pre- open system authentication. That’s because the IEEE uses some vague terminology to describe preauthentication and they do so right after telling you that stations can perform open system authentication with many other STAs at the same time. You can see this confusing vagueness by reading and then of 802.11-2007. Now you may be saying to yourself, that’s a pretty accusatory thing to say, Marcus. And, you’d be right, if I didn’t have this in my back pocket.

802.11-2007, states:
“A STA shall not use preauthentication except when pairwise keys [meaning WPA or WPA2 security] are employed. Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.

When preauthentication is used, then a) Authentication is independent of roaming. b) The STA’s Supplicant may authenticate with multiple APs at a time.”

So, the IEEE is tying preauthentication to both an RSN (as shown in this quote) and 802.1X (which they do after the quote above). I know my selective quotation here can make things a bit confusing, but you can be sure that as they talk about preauthentication in Clause 8, the 802.11 writers are unmistakably saying preauthentication is a way of doing 802.1X before an actual roam; this has nothing at all to do with the open system authentication state.

Now, given this information, I suspect that no client or AP vendor in the market today will prevent a client from open system authenticating with many APs at the same time (which the quote above seems to forbid) because it just doesn’t hurt anything. But my question would be: what is the benefit? Open system authentication is not the cause of slow roams, 802.1X is.

Anyway, the whole point is not so much about rules and what you can and cannot do. It’s about terminology. Preauthentication is for 802.1X. Open system authenticating to multiple APs just for giggles is not preauthentication, in the formal sense of the term. 802.1X authenticating with future APs is preauthentication.

Tagged with: 802.1X, IEEE, 802.11, preauthentication, open system authentication, association, roaming

10 Responses to Preauthentication and the Common Misunderstanding

Subscribe by Email
Jack William Says:
05/04/2018 at 10:24am
Video quality depends on your devices and how you edit it these things matter a lot.The one of the best way to produce the better quality in no time. I think you should try this.

Kevinogi jhome Says:
04/18/2018 at 05:47am
Manfred said he didn't know that the Marlins' new owners planned to tear it washington nationals jersers down
In the early moments of atlanta braves jersers the interview, Le Batard asked Manfred whether he knew prior to the recent sale to the group oakland athletics jersers fronted by Bruce Sherman and Jeter whether the new owners planned to slash payroll. After some prodding (and Le Batard's saying that the commissioner was lying), Manfred answered, "We do not get involved in operating-level decisions in the ownership approval process."

"We did not have player-specific plans from the Miami Marlins or any other team that has been in the ownership miami marlins jersers process. Those are decisions that the individual owners make, and they do not have to be cleared by us or approved by us. ... Those are local decisions that really are not part of the approval process. Those are decisions that the individual owners make, and they do not have to be cleared with us or approved by us."

Manfred went on to say that he didn't receive a payroll plan from the Marlins until two days prior to his interview with Le Batard. More: "We don't get into, are you going to trade 'Player X' or 'Player Y' at a particular point in time, nor do we ask them to make a commitment to people before they even got in and made an evaluation of their talent level, their ability to win with the people that st. louis cardinals jersers they have. That's just not how the ownership process works."
wholesale baseball jersers

But some of that may not be true
Here's a key excerpt from a los angeles angels of anaheim jersers must-read Barry Jackson piece in the Miami Herald:

A source directly involved in the Marlins sales chicago white sox jersers process, after hearing the Le Batard cincinnati reds jersers interview, said, via text: "Commissioner said was not aware of [Jeter] plan to slash payroll. Absolutely not true. They request and receive the operating plan from all bidders.

"Project Wolverine [the name for Jeter's plan] called chicago white sox jersers on his group to reduce payroll to $85 million. This was vetted and approved by MLB prior to approval by MLB. Every [Jeter] investor and non investor has the Wolverine financial plan of slashing payroll to $85 million. Widely circulated."

First off, "Project Wolverine" is ludicrously self-important and sinister-sounding, as budget strategies go. That's the name of a secret NSA laboratory deep under the Caballo Mountains in New Mexico, not a financial schematic. Do better, Jeets. Anyhow, there's enough careful phrasing in Manfred's comments ("operating-level decisions," "'Player X' or 'Player Y'") to give him some plausible deniability. However, the idea that he didn't know about plans to engage in yet another demo job by Marlins owners strains credulity.

wiatmppgryar wiatmppgryar Says:
04/18/2018 at 03:41am
Computer chip Williams gives you profiting residential jog

Philadelphia Eagles Jerseys PHILADELPHIA -- Typically the desktop computer reveals can be described as notorious first-pitch swinger. So it is of no great surprise who Reds reliever threw your man some first-pitch breakage sphere in your 9th inning Sunday occasion by Seniors Commercial lender Meadow. Torrey Brenard Jerseys Quackenbush dreamed of Williams towards aquire, only this period Williams don't. Tommy McDonald Jerseys The guy preferably instead functioned their self towards a 3-1 count up, previously the guy killed some fastball towards right-center-field on a pinch-hit single residential jog in any 6-5 success.

Philadelphia Eagles It's the pioneer pinch-hit homer from Williams' livelihood. Phillies short purchased your partner's to begin with protect of this summer accompanied by a scoreless ninth. Timmy Jernigan Jerseys Reds catcher arrive at your partner's to begin with residential jog of this summer in your thirdly inning, tying the game play by 3. The guy was basically right behind typically the sheet for ones to begin with start of the summer for the purpose of southpaw, what individuals made way for personal training can run (two to three garnered) through your partner's two to three innings from give good results.   Typically the Reds bullpen functioned 3 scoreless innings previously Quackenbush yielded the domestic go to Williams. Terrence Brooks Jerseys EXPERIENCES WHO MATTEREDHoskins, Kingery mixture Reed: Phillies departed fielder arrive at some two-out, two-run residential go to departed particular field in your to begin with inning vs Reed handy typically the Phillies some 2-1 live. Stephen Tulloch Jerseys Newbie adhered to accompanied by a single residential go to departed in your further, your partner's to begin with Leading League residential jog, to help with making it again 3-1.

NFL Jerseys Kingery arrive at some 1-0 fastball a little bit of as few as 15 size (1. twenty-two ft .) there are various earth. Certainly no Phillies professional found arrive at some sphere decreased there are various earth as arrive at a particular as few as 9 size (0. 73 ft .) out of your airborne dirt and dust keep going September. Ervin rating, Hamilton will never: launched typically the sixth inning accompanied by a singular towards departed particular field. Then borrowed further to include their self through credit scoring standing. Stefen Wisniewski Jerseys Phillies catcher genuinely threw some explode towards further starting point -- clocked typically the put together by 86. 0 mph -- and yet Kingery obtained typically the pouch latter not to mention found certainly no probability to level your man. Sidney Jones Jerseys It again established pricy for the reason that Ervin afterward scored even on a two-out chopper apart Phillies pitcher 's hands and wrists towards associate the game play, 5-5. Alfaro really enjoyed numerous redemption latter in your inning when ever Hamilton sampled towards status because of further even on a old review. Stefen Wisniewski Jerseys Alfaro slid towards restore typically the sphere right behind typically the sheet not to mention threw some emerge towards, what individuals stored against typically the sphere for the reason that Hamilton collided with the help of your man for ones thirdly through.

crothermbeme crothermbeme Says:
04/18/2018 at 02:39am
OnCheap Soccer Jerseys Wholesale Friday, Big Deutz - Bryant parted ways with the Dallas Cowboys. Even though Dez continued to reduce Global Jerseys Wholesale production as he ages in the past few years, the eight-year veteran who cut down on the "American team" still let fans debate and enter the free market, and people are guessing that Deze's next stop. Where will it be.New Products
Deez BryantWorld Cup 2018 is very dissatisfied with the practice of the Cowboys. He has been well-trained in the off-season and is only able to play better for the next season.Bundesliga Jerseys Originally they could cut off Detz earlier, but they did not, which made Deez passive in the free market. On Tuesday, Deze told reporters that he wouldShop All Products be happy to stay in the East area of ??the League of Nations. In this case, he would have the opportunity to play against the cowboy twice a Other Teamsyear. He hopes that his old club will achieve revenge. Deez also said that the New York Giants attracted him, especially their offensive team. "The Giants'Premier League offseason lineup is relatively intact and I think they will give OBJ a suitable offer, so Beckham will definitely stay here.
In addition to hisLa Liga offense, there are also Sterling Shepard, near-fielder Irwin Ingram, and Eli Manning. Heaven! This is crazy! "These were followed by Deez and added:" If they takeLigue 1 away Sarkwan Barkley of Penn State in the draft, the offensive team is just as beautiful. "The ideal is full, but the reality is very skinny. If the Giants use BucketNFL Jerseys 2 to pick Buckley, their offensive team would be enough even if they didn't have Deez. The reason for signing him may be that the team needs red zone offensive NHL Jerseysweapons." This is why Deez didn't mention Brandon Marshall when he talked about the Giants offensive team. Last season, Marshall only played for the Giants in fiveNBA Jerseys games and then went on a free-fighting game. If the Giants really signed Dees, then Marshall had a lot. It may become a victim.
In addition to the Giants, Dez NCAA JerseysBryant has a decent interest in several teams, including Jacksonville Jaguars, Oakland Raiders and 49 San Francisco players. So what are the teams he does not Nike NFLwant to go? Green Bay Packers, Deez thinks the team "had too many stories with him." "Green Bay may not be able to deal with me." Deitz pointed out that in the 2015Nike NFL Jerseys postseason, the Cowboys and packers met in a narrow way. In the crucial moment of the fourth quarter, Deez Bryant made a new first pass by passing TonyAuthentic Jerseys Romo in the fourth gear to advance the ball to the yard 1 yard ahead of the packer.
At this time, Packer coach MikeWomen Jerseys McCarthy put forward a challenge. After the referee watched the video, he decided that the receiving ball was invalid, which made Deez very dissatisfied. If theYouth Jerseys ball is placed in the 2018 season, the penalty is definitely another result. Excluding Aaron Rogers's factors, Dez didn't like packers. For Dez Bryant, he does Shop By National Team not want to see the current situation, because he can get at least 12.5 million US dollars to stay in the cowboy, and into the free market will greatly reduce their own value. In recent years, Dez's data is not very beautiful. Coupled with age, the peak period has passed. It may be difficult for Deze's wish list to take place.

sidd yadav Says:
02/20/2018 at 02:42am
To the lot a comment for the best post to total game online free psn codes generator.

10/29/2010 at 11:47am
I took the liberty of validating my previous comment by snagging a few screenshots of decoded WPA and RSN IEs. See the links below, which show the WPA and RSN IEs in their entirety. The first shows a WPA IE in a beacon, which you can compare with the third, showing an RSN IE in a probe response. Then compare the second and fourth images, showing a WPA IE in an association request (note the lack of PMKID Count) and an RSN IE in an association request (note the presence of the PMKID Count, though it is set to 0, so does not contain the PMKID List field).

Notice that the OUI is changed from 00:0F:AC to 00:50:F2 (IEEE to Wi-Fi alliance), but the coding of ciphers and authentication types remain the same. There is no preauthentication bit to set in WPA IEs and there is no PMKID count or list fields in (re)association frames.

10/29/2010 at 09:40am
Thanks Zach for the follow-up. It's probably not necessary to chime in on top of that, but he's exactly right. The preauthentication bit is always set to 0 in WPA. Also, the PMKID count and list fields are not used either. So, inasmuch as devices follow the WPA implementation doc (using the WPA IE instead of RSNIE), other FSR like PMK caching and OKC would not be supported either.
To Andy's question, the primary difference is that with preauthentication, the client must do the full 802.1X with each future AP prior to roaming. This is a fair amount of additional overhead. In OKC (OPMK Caching) and CCKM, the current AP (or WLC) passes the keying material to other APs (or the WDS) and the client and future APs use that same source keying material without performing a full 802.1X authentication. Make sense? Good question.

Andrew Pennington Says:
10/27/2010 at 16:26pm
How does preathentication differ from OPMK Caching and CCKM?

Zahari Georgiev Says:
10/26/2010 at 14:54pm
I hope you don’t mind me answering Andrew’s question for you.
You are correct, WPA does not support pre-authentication. WPA beacons don’t have RSN field (like you mentioned) and therefore cannot advertise pre-authentication capability.

10/22/2010 at 17:05pm
Hi Marcus,
Great write-up. I've never thought there was mis-understanding out there around this feature, but I guess there obviously is.
Also, wouldn't pre-authentication only be valid for an 802.11i (WPA2) RSN network since the 802.11-2007 standard specifically states the pre-authentication capability is advertised in the RSN IE? This would mean that Wi-Fi Alliance pre-standard WPA would not be able to use this feature since it uses the WPA IE, not the RSN IE.

<< prev - comments page 1 of 1 - next >>

Leave a Reply

Please login or sign-up to add your comment.
Success Stories

I literally just came out of the testing centre having taken the CWDP exam. The certification process opened my mind to different techniques and solutions. This knowledge can only broaden your perspective. Great job, CWNP, you have a great thing going on here.

Read More

Working through the CWNP coursework and certifications helped not only to deepen my technical knowledge and understanding, but also it boosted my confidence. The hard work it took to earn my CWNE has been rewarding in so many ways.

Read More

I want to commend you and all at CWNP for having a great organization. You really 'raise the bar' on knowing Wi-Fi well. I have learned a ton of information that is helping my job experience and personal career goals, because of my CWAP/CWDP/CWSP studies. Kudos to all at CWNP.

Read More