For most the process of connecting to a wireless network is taken for granted, you pick a network from your list and hit connect. But what is really happening in the background? One of the topics that I typically spend a good amount of time on when teaching CWNA courses is the 802.11 State Machine. So what is the 802.11 State Machine? It consists of the four states of client connectivity during a session.
In State 1 the client is Unauthenticated and Unassociated. During this state the client is not connected in any shape or form to the network. Think of this as the idle phase where the client is actively looking for a network to join from previous connections or passively listening to beacons from APs it can hear. The end result of being in State 1 means you are in a deauthenticated state. Clients in this state are passing Class 1 frames and contain the following frames:
- Control frames
- Management frames
- Data frames
- Data frames between STAs and IBSS
- Data frames between peers using DLS
Leaving State 1 involves performing a successful 802.11 Authentication.
In State 2 the client is Authenticated but Unassociated. What do we mean by authenticated? This does not mean that the client has performed an 802.1X or PSK authentication. We are talking about 802.11 Authentication here. This is either Open or Shared Key. Even when we associate to an open wireless network like at a hotel or stadium we still perform a 4 packet 802.11 Authentication process. During this state we can pass Class 1 frames as well as introduce the ability to pass Class 2 frames which are management frames. Because we are now in State 2 we have two ways of moving out of of this state. If the network issues a deauthentication frame the client will immediately drop to State 1 otherwise the client will move to State 3. A good way to think of State 2 is agreeing we can talk and understand each other, and I don’t mean from a PHY layer aspect. If you are like me, a native English speaker, and you travel abroad you may learn at a minimum how to ask if they speak English to go from State 1 to State 2. For example, I know how to ask if you speak English in Spanish: habla ingles? That way we can successfully determine if we can proceed to State 2 or not.
In State 3 the client is Authenticated and Associated. We have successfully associated to the Wireless network but are pending RSN Authentication if we are using 802.1X. At this point we now allow Class 1, 2, and 3 frames. Class 3 frames consist of the following:
- Data frames (all)
- Management frames
- Control frames
Up until State 3 we could have had multiple conversations going on with different STAs. Once we enter State 3 we are bound to an exclusive conversation with that STA. Once a client is in State 3 we have 3 different ways to leave the state: disassociation, deauthentication, and 802.1X port control unblocked. If the client disassociates they will drop to State 2, deauthentication will drop to State 1. Having a successful 802.1X authorization moves to State 4.
Finally, we have State 4. In this state we have successfully performed all the necessary steps to be connected to the wireless network. At this point we have left State 3 by authorizing with a AAA server for example, passed PSK authentication, or connected to an open network. As we mentioned before if the BSS does not require an RSNA the client STA will move from State 2 to State 4. This is also what happens during a Fast BSS Transition during a roaming event. As we are at the end state the only way to leave State 4 is to either disassociate and enter State 3 or deauthenticate dropping all the way back to State 1.
The 802.11 State Machine and the various packet handshakes that go along with it are key to understanding if you want to troubleshoot wireless networks. By understanding and being able to know which state a client STA is in you’ll be able to know where to start your troubleshooting process. To close out this post let’s put this all together in an easy to follow and read flow chart: