Prior to the 802.1X EAP and 4-way EAPOL handshakes, the 802.11 Station and the Access Point exchange information to associate with one another. At the end of a successful association, the 802.11 client is connected to the Access Point but the data channel is still blocked. The data channel will be enabled after the successful completion of a 4-way EAPOL handshake and the exchange of the proper keys. The steps for association are outlined below:
- The Access Point indicates support for the 802.11i mechanism (WPA/WPA2/RSN Information Element) in the beacon frame
- The 802.11 Station sends a probe request to the Access Point. This does not have any WPA/WPA2/RSN Information elements incorporated
- The Access Point responds with a probe response which incorporates the WPA/WPA2/RSN IEs
- The 802.11 Station sends the 802.11 authentication frame as open authentication, and the Access Point responds with a success message
- The 802.11 Station in an association request now incorporates the 802.11i support via the WPA/WPA2/RSN Information element.
- The WPA/WPA2/RSN information elements indicate if the authentication is 802.1X or PSK
- The WEP bit in the capability field is set to 1 to indicate that the station is an encrypted station and that it requires encryption keys to function
- The Access Point responds to the Association request with an association response success
At the end of a successful association response, the data channel (or controlled port) is still blocked and data transfer is not permitted. Only after the 802.1X EAP/EAPOL handshake is completed successfully is the controlled port enabled, and the 802.11 Station and Access Point can then send data (unicast/multicast) packets to one another.
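The association request fields described in the steps above can be checked in a capture with a short parser. The following is an added example, not code from the original page: it reads the capability field's privacy ("WEP") bit and the RSN Information Element (element ID 48) from an association request body and reports whether the station asked for 802.1X or PSK. It covers the RSN IE only (not the vendor-specific WPA IE), assumes the group, pairwise and AKM fields are all present, and runs on a constructed sample frame body.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")      # OUI used by the standard suite selectors
AKM = {1: "802.1X", 2: "PSK"}          # AKM suite types
CIPHER = {2: "TKIP", 4: "CCMP"}        # cipher suite types

def _u16(buf, off):
    """Read a little-endian 16-bit field, refusing to read past the end."""
    if off + 2 > len(buf):
        raise ValueError("truncated field")
    return struct.unpack_from("<H", buf, off)[0], off + 2

def _suites(buf, off, count, names):
    """Read `count` 4-byte suite selectors (3-byte OUI + 1-byte type)."""
    if off + 4 * count > len(buf):
        raise ValueError("truncated suite list")
    out = []
    for i in range(off, off + 4 * count, 4):
        oui, typ = buf[i:i + 3], buf[i + 3]
        label = names.get(typ, f"type-{typ}") if oui == RSN_OUI else "vendor"
        out.append(label)
    return out, off + 4 * count

def parse_rsn(body):
    """Parse an RSN IE body (the bytes after the element ID and length)."""
    version, off = _u16(body, 0)
    group, off = _suites(body, off, 1, CIPHER)
    n, off = _u16(body, off)
    pairwise, off = _suites(body, off, n, CIPHER)
    n, off = _u16(body, off)
    akm, off = _suites(body, off, n, AKM)
    return {"version": version, "group": group[0], "pairwise": pairwise, "akm": akm}

def inspect_assoc_request(body):
    """body: association request frame body, after the 24-byte MAC header."""
    capability, off = _u16(body, 0)
    _listen_interval, off = _u16(body, off)
    result = {"privacy": bool(capability & 0x0010), "rsn": None}
    while off + 2 <= len(body):                  # walk the tagged elements
        eid, length = body[off], body[off + 1]
        value = body[off + 2: off + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if eid == 48:                            # RSN Information Element
            result["rsn"] = parse_rsn(value)
        off += 2 + length
    return result

# Constructed sample: capability, listen interval, SSID "test", RSN IE (CCMP, PSK)
SAMPLE = bytes.fromhex("1104 0a00 000474657374 3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
```

A request whose privacy bit is set but whose `rsn` result is `None`, or whose AKM list does not match what the Access Point advertised, is worth a closer look in a capture.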