Preauthentication allows a station to perform RSN authentication with an Access Point it is not currently associated with, while it remains associated with a different Access Point. This lets the station move to the new Access Point faster when it has to roam, and prevents the Data port from being blocked by authentication during the roam.
Preauthentication allows a station to authenticate to multiple Access Points in advance and keep the resulting keys ready. The following cases need to be noted:
- Preauthentication is used only when Pairwise keys are present.
- Preauthentication will not be used within the same Mobility Domain when the Authentication Key Management (AKM) suite type is one of:
  - 00-0F-AC:3 –> Fast Transition (FT) authentication negotiated over 802.1X
  - 00-0F-AC:4 –> Fast Transition (FT) authentication using PSK
- Preauthentication will not be used if the Preauthentication bit is not set in the RSN Capabilities field of the RSNE sent by the Access Point.
Preauthentication bit
- Set to 1 by AP –> Preauthentication supported by AP
- Set to 0 by AP –> Preauthentication not supported by AP
- An 802.11 Station always sets the preauthentication bit to 0.
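The three conditions above (pairwise keys present, no FT AKM within the same Mobility Domain, Preauthentication bit set in the target AP's RSNE) can be checked mechanically from the RSNE the target AP advertises. The following is an added example, not code from the original article: it parses the fixed-position RSNE fields (layout and suite selectors as defined in IEEE 802.11) and applies the decision. The `build_rsne` helper, the sample RSNE bytes and the `preauth_allowed` function are constructed here for illustration.

```python
"""
Added example, not from the original article: decide from an Access Point's
RSNE and the current association state whether a station may attempt
preauthentication with that AP.

RSNE layout parsed below (IEEE 802.11):
  Element ID (1, = 48) | Length (1) | Version (2, LE)
  | Group Data Cipher Suite (4)
  | Pairwise Cipher Suite Count (2, LE) | Pairwise Cipher Suite List (4 each)
  | AKM Suite Count (2, LE)            | AKM Suite List (4 each)
  | RSN Capabilities (2, LE)  -> bit 0 is the Preauthentication bit
  | optional PMKID Count / List / Group Management Cipher (ignored here)
"""
import struct

OUI_IEEE = b"\x00\x0f\xac"
AKM_8021X    = OUI_IEEE + b"\x01"   # 00-0F-AC:1  802.1X
AKM_PSK      = OUI_IEEE + b"\x02"   # 00-0F-AC:2  PSK
AKM_FT_8021X = OUI_IEEE + b"\x03"   # 00-0F-AC:3  FT over 802.1X
AKM_FT_PSK   = OUI_IEEE + b"\x04"   # 00-0F-AC:4  FT using PSK
CIPHER_CCMP  = OUI_IEEE + b"\x04"   # 00-0F-AC:4  as a cipher selector
FT_AKMS = {AKM_FT_8021X, AKM_FT_PSK}
PREAUTH_BIT = 0x0001                # bit 0 of RSN Capabilities


def build_rsne(group, pairwise, akms, caps):
    """Construct an RSNE; used here only to produce sample input."""
    body = struct.pack("<H", 1) + group
    body += struct.pack("<H", len(pairwise)) + b"".join(pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(akms)
    body += struct.pack("<H", caps)
    return bytes([48, len(body)]) + body


def parse_rsne(rsne):
    """Parse the fixed-position RSNE fields; raise ValueError on malformed input."""
    if len(rsne) < 2 or rsne[0] != 48:
        raise ValueError("not an RSNE")
    body = rsne[2:2 + rsne[1]]
    if len(body) != rsne[1]:
        raise ValueError("truncated RSNE")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSNE")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version, = struct.unpack("<H", take(2))
    group = take(4)
    pairwise = [take(4) for _ in range(struct.unpack("<H", take(2))[0])]
    akms = [take(4) for _ in range(struct.unpack("<H", take(2))[0])]
    # RSN Capabilities may be absent; every capability bit then reads as 0.
    caps = struct.unpack("<H", take(2))[0] if pos + 2 <= len(body) else 0
    return {"version": version, "group": group, "pairwise": pairwise,
            "akms": akms, "caps": caps}


def preauth_allowed(target_rsne, negotiated_akm, have_pairwise_keys, same_mobility_domain):
    """Return (allowed, reason) for attempting preauthentication with the target AP.

    negotiated_akm       - AKM selector negotiated with the currently associated AP
    have_pairwise_keys   - 4-way handshake finished and temporal keys installed
    same_mobility_domain - target AP is in the same Mobility Domain as the current AP
    """
    if not have_pairwise_keys:
        return False, "no pairwise keys installed yet"
    if negotiated_akm in FT_AKMS and same_mobility_domain:
        return False, "FT AKM within the same Mobility Domain: FT is used instead"
    info = parse_rsne(target_rsne)
    if not info["caps"] & PREAUTH_BIT:
        return False, "target AP does not set the Preauthentication bit"
    return True, "preauthentication may be attempted"


# Constructed samples: CCMP, 802.1X AKM, with and without the Preauthentication bit.
SAMPLE_RSNE_PREAUTH = build_rsne(CIPHER_CCMP, [CIPHER_CCMP], [AKM_8021X], PREAUTH_BIT)
SAMPLE_RSNE_NO_PREAUTH = build_rsne(CIPHER_CCMP, [CIPHER_CCMP], [AKM_8021X], 0)

if __name__ == "__main__":
    print(preauth_allowed(SAMPLE_RSNE_PREAUTH, AKM_8021X, True, False))
    print(preauth_allowed(SAMPLE_RSNE_NO_PREAUTH, AKM_8021X, True, False))
```

The parser stops after RSN Capabilities because that is the last field this decision needs; a real supplicant would continue to the PMKID list to see whether a PMKSA it already holds can be reused.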
The Preauthentication mechanism is shown pictorially below
The EtherType used for preauthentication frames is 0x88C7 rather than the EtherType 0x888E normally used for EAPOL (802.1X) frames. A station that wants to preauthenticate with an AP has to send its frames via the Access Point it is currently associated with, because an 802.11 station can only be associated with one Access Point at a time. Preauthentication follows these steps:
- A Supplicant can initiate Preauthentication once it has completed its 4-way handshake and has a set of temporal keys installed.
- The 802.11 station wishing to preauthenticate sends an EAPOL-Start frame to the target AP, with the Destination Address (DA) set to the target AP and the Receiver Address (RA) set to the AP it is currently associated with.
- On receipt of a preauthentication EAPOL-Start frame, AP1 (the currently associated AP) forwards the frame to the target AP (AP2 in the image). Because the EtherType is 0x88C7 rather than 0x888E, AP1 does no 802.1X processing on the EAPOL-Start; it treats the frame as an unknown EtherType that has to be distributed via the DS.
- The target AP may then initiate 802.1X authentication via the Distribution System –> AP1 –> 802.11 Station.
- After a successful negotiation and completion of the 802.1X exchange, a Pairwise Master Key Security Association (PMKSA) is created. The AKM suite recorded in this PMKSA is 00-0F-AC:1.
- When the station later decides to roam to AP2, it performs only the 4-way handshake and skips the EAP exchange, because a PMKSA already exists.
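The addressing in the second step and the EtherType-based handling in the third can be shown concretely. The following is an added example, not code from the original article: it builds the EAPOL-Start that the station sends through its current AP (Address 1 = RA = AP1, Address 3 = DA = AP2, EtherType 0x88C7 in the LLC/SNAP header) and models AP1's dispatch of received To-DS data frames, which hands 0x888E traffic addressed to itself to its local Authenticator and bridges everything else, 0x88C7 included, onto the DS as an Ethernet II frame. The frame layouts follow IEEE 802.11, 802.2 LLC/SNAP and Ethernet II; the MAC addresses and the `ap_dispatch` function are constructed for illustration.

```python
"""
Added example, not part of the original article: build the preauthentication
EAPOL-Start a station sends via its current AP, and show how that AP (AP1)
dispatches received data frames by EtherType. The MAC addresses below are
constructed sample values.
"""
import struct

ETHERTYPE_EAPOL = 0x888E     # normal 802.1X EAPOL
ETHERTYPE_PREAUTH = 0x88C7   # RSN preauthentication
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
HDR_LEN = 24                 # FC, Duration, Address 1-3, Sequence Control

# Constructed sample addresses (locally administered).
STA = bytes.fromhex("020000000001")
AP1 = bytes.fromhex("020000000002")   # currently associated AP
AP2 = bytes.fromhex("020000000003")   # target AP for preauthentication


def eapol_start():
    """EAPOL header: protocol version 2, packet type 1 (EAPOL-Start), body length 0."""
    return struct.pack("!BBH", 2, 1, 0)


def sta_data_frame(ra, sa, da, ethertype, payload):
    """802.11 data frame from a station towards the DS (To DS = 1, From DS = 0):
    Address 1 = RA (BSSID of the associated AP), Address 2 = SA, Address 3 = DA."""
    fc = 0x0008 | 0x0100     # type = Data (bits 2-3 of byte 0), To DS (bit 0 of byte 1)
    hdr = struct.pack("<HH", fc, 0) + ra + sa + da + struct.pack("<H", 0)
    return hdr + LLC_SNAP + struct.pack("!H", ethertype) + payload


def preauth_start_frame(target_ap, current_ap, sta):
    """The EAPOL-Start from the steps above: DA = target AP, RA = current AP."""
    return sta_data_frame(current_ap, sta, target_ap, ETHERTYPE_PREAUTH, eapol_start())


def ap_dispatch(frame, my_bssid):
    """What AP1 does with a To-DS data frame from an associated station.
    Returns ("process_eapol_locally", eapol_bytes) or ("forward_to_ds", ethernet_frame)."""
    if len(frame) < HDR_LEN + len(LLC_SNAP) + 2:
        raise ValueError("frame too short")
    fc, = struct.unpack("<H", frame[:2])
    if ((fc >> 2) & 0x3) != 2 or not (fc & 0x0100):
        raise ValueError("not a To-DS data frame")
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if addr1 != my_bssid:
        raise ValueError("not addressed to this AP")
    body = frame[HDR_LEN:]
    if body[:6] != LLC_SNAP:
        raise ValueError("no LLC/SNAP header")
    ethertype, = struct.unpack("!H", body[6:8])
    payload = body[8:]
    if ethertype == ETHERTYPE_EAPOL and addr3 == my_bssid:
        # Our own 802.1X port: hand the EAPOL frame to the local Authenticator.
        return "process_eapol_locally", payload
    # Anything else, EtherType 0x88C7 included, is an EtherType this AP does not
    # act on: rebuild an Ethernet II frame (DA, SA, EtherType, payload) and
    # bridge it onto the DS, where it reaches the target AP named in Address 3.
    return "forward_to_ds", addr3 + addr2 + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    action, eth = ap_dispatch(preauth_start_frame(AP2, AP1, STA), AP1)
    print(action, eth.hex())
```

The only difference between the two paths in `ap_dispatch` is the EtherType and the destination: the same EAPOL-Start with EtherType 0x888E and DA = AP1 would be consumed by AP1's own Authenticator, which is exactly what the separate 0x88C7 EtherType is there to avoid.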