In this episode, we’re going to cover a small topic of the CWAP certification. We’re taking a look at the frame exchanges that occur during 802.11r or Fast BSS Transition.
In our scenario we’ll use my iPhone which associates to AP1 and roams to AP2.
Without 802.11r, the roam will take additional time to complete. 802.11r enables that roam to complete in less time.
There are two methods Fast Transition will use when a device is moving from its current AP to another AP:
- Over-the-Air (OTA)
- Over-the-DS (OTDS) (distribution system)
In OTA, a device roaming to another AP will communicate with that target AP directly during the roaming process.
In OTDS, the device roaming to another AP will initiate the process with Action frames sent through its current AP destined to the target AP. Then the roaming process is finalized with direct communication with the target AP.
Over-the-Air
Let’s take a look at the messages being used by a device to its target AP. There are four frame exchanges to look at:
- Message 1 – Authentication Request from the device (originator) to the target AP
- Message 2 – Authentication Response from the target AP destined to the originator
- Message 3 – Reassociation Request frame from the device to the target AP
- Message 4 – Reassociation Response frame from the target AP to the originator
Let’s take a look at the full frame exchange process
Within the Beacon, Probe Response, Authentication, and Reassociation frames you will find the Mobility Domain information element. Access points part of the same ESS will contain the same Mobility Domain Identifier. There will also be a Fast BSS Transition over DS element which will indicate whether this frame is OTA or OTDS.
Over-the-DS
Let’s take a look at the messages being used by a device to its target AP. There are four frame exchanges to take note of:
- Message 1 – Fast Transition Request Action frame originating from the device (originator) to the current AP with the target AP’s BSSID in the Address field of the frame
- Message 2 – Target AP sends a Fast Transition Response frame to the originator
- Message 3 – Originator sends a Reassociation frame destined to target AP
- Message 4 – Reassociation Response frame from the target AP to the originator
Let’s take a look at the full frame exchange process
Wireshark filter to find Over-the-Air or Over-the-DS Fast BSS Transition frames and which mode they are in:
wlan.mobility_domain.ft_capab.ft_over_ds
What is the solution if Mobility domain identifier is deafferent on APs?