WPA2 Pre-Authentication

Miniport drivers that support WPA2 must support pre-authentication. Drivers advertise this support in response to a query of OID_802_11_CAPABILITY. The driver must return, in the NoOfPMKIDs member of the NDIS_802_11_CAPABILITY structure, the number of PMKIDs that it can support. The NoOfPMKIDs value must be within the range from 3 through 16.

WPA2 pre-authentication is managed through lists exchanged between the miniport driver and the 802.1X supplicant:

  • Roaming candidate list
    The driver manages this list from the BSSIDs belonging to the associated SSID that it finds in its cached BSSID scan list. The driver indicates this list to the supplicant through media-specific PMKID candidate list indications.

    When making PMKID candidate list indications, the driver indicates its roaming candidates through the NDIS_802_11_PMKID_CANDIDATE_LIST structure.

  • Pairwise master key (PMK) cache
    The supplicant manages this list from the BSSIDs in the associated SSID with which it has pre-authenticated. The supplicant sets the PMK cache on the driver through OID_802_11_PMKID. The 802.11 device uses the PMKID cache whenever it associates or reassociates with a BSSID within the desired SSID.

    The 802.11 device uses the PMK cache only for roaming between access points within the BSS. The PMK cache is not used for the device's initial association to any access point within the desired SSID.

Pre-authentication is only used under the following conditions:

  • The driver's network mode is set to Ndis802_11Infrastructure.

  • The driver's authentication mode is set to Ndis802_11AuthModeWPA2.

  • The driver is currently associated to an access point and authenticated through WPA2.

Pre-authentication occurs after the first association with an access point following the setting of OID_802_11_SSID. The pre-authentication procedure is the following:

  1. After the 802.1X supplicant completes the WPA2 authentication, it transfers the pairwise and group keys to the driver through one or more OID_802_11_ADD_KEY set operations.

  2. After the keys are transferred, the driver prepares its initial roaming candidate list. The elements of this list are based on the BSSIDs from the desired SSID in the driver's cached BSSID scan list. The driver sorts the roaming candidate list based on its own priority ranking. For example, the driver can sort the list based on RSSI.

  3. The driver makes its initial PMKID candidate list indication by using the entries from its current roaming candidate list.

    Note   The driver must not make any PMKID candidate list indications until it is associated, and pairwise and group keys have been transferred through OID_802_11_ADD_KEY set operations. After the keys have been transferred, the supplicant has completed the WPA2 authentication and is ready to accept PMKID candidate list indications.


  4. The supplicant replaces its PMKID candidate list with the driver's roaming candidate list.

  5. The supplicant takes the intersection of its PMKID candidate list and the master PMK table and sends the results to the driver through a setting of OID_802_11_PMKID. If no entries from the PMKID candidate list match any entries in the master PMK table, then the supplicant does not issue an OID_802_11_PMKID set command to the driver.

  6. After setting OID_802_11_PMKID, the supplicant initiates pre-authentication for each entry in its PMKID candidate list that does not match an entry in the master PMK table. The supplicant does this based on the priority order of the PMKID candidates as indicated by the driver through its PMKID candidate list indication.

  7. When the supplicant obtains, through pre-authentication, a new entry in the master PMK table that matches a PMKID candidate in the supplicant's PMKID candidate list, the supplicant indicates the PMKID candidate to the driver by setting OID_802_11_PMKID.
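Steps 5 and 6 as an added example in C (not WDK or supplicant code): the supplicant intersects the driver's PMKID candidate list with its master PMK table, caps the result at the driver's NoOfPMKIDs, and keeps the driver's priority order for the candidates it still has to pre-authenticate. The structure types and sample BSSIDs are simplified stand-ins assumed here, not the NDIS header definitions.

```c
#include <string.h>
#define PMKID_LEN  16
#define MAX_PMKIDS 16   /* largest NoOfPMKIDs the page allows (range is 3..16) */
typedef unsigned char mac_t[6];
typedef struct { mac_t bssid; } candidate_t;                                  /* one PMKID candidate (simplified stand-in) */
typedef struct { mac_t bssid; unsigned char pmkid[PMKID_LEN]; } pmk_entry_t;  /* one master PMK table row */
typedef struct { unsigned count; pmk_entry_t info[MAX_PMKIDS]; } pmkid_set_t; /* payload for the OID_802_11_PMKID set */

/* Step 5: intersect the candidate list (in the driver's priority order) with the
 * master PMK table. Matches go to *out, capped at the driver's NoOfPMKIDs; candidates
 * without a PMK are copied to to_preauth in the same order, which is the order step 6
 * pre-authenticates them. Returns out->count; 0 means no OID_802_11_PMKID set is issued. */
static unsigned build_pmkid_set(const candidate_t *cand, unsigned ncand,
                                const pmk_entry_t *table, unsigned ntable,
                                unsigned no_of_pmkids, pmkid_set_t *out,
                                candidate_t *to_preauth, unsigned *npre)
{
    unsigned i, j;
    if (no_of_pmkids > MAX_PMKIDS)  /* out-of-range capability: clamp so the array cannot overflow */
        no_of_pmkids = MAX_PMKIDS;
    out->count = 0;
    *npre = 0;
    for (i = 0; i < ncand; i++) {
        int found = 0;
        for (j = 0; j < ntable && !found; j++) {
            if (memcmp(cand[i].bssid, table[j].bssid, sizeof(mac_t)) == 0) {
                found = 1;
                if (out->count < no_of_pmkids)
                    out->info[out->count++] = table[j];
            }
        }
        if (!found)
            to_preauth[(*npre)++] = cand[i];
    }
    return out->count;
}

/* Constructed sample: four candidates indicated by the driver (best first); the master
 * PMK table holds PMKs for the 2nd and 4th of them plus one BSSID that is not a candidate. */
static pmkid_set_t g_out; static candidate_t g_pre[4]; static unsigned g_npre;
static unsigned run_example(void)
{
    static const candidate_t cand[4] = {
        {{0x00,0x11,0x22,0x33,0x44,0x01}}, {{0x00,0x11,0x22,0x33,0x44,0x02}},
        {{0x00,0x11,0x22,0x33,0x44,0x03}}, {{0x00,0x11,0x22,0x33,0x44,0x04}} };
    static const pmk_entry_t table[3] = {
        {{0x00,0x11,0x22,0x33,0x44,0x02}, {0xaa}}, {{0x00,0x11,0x22,0x33,0x44,0x04}, {0xbb}},
        {{0x00,0x11,0x22,0x33,0x44,0x09}, {0xcc}} };
    return build_pmkid_set(cand, 4, table, 3, 16, &g_out, g_pre, &g_npre);
}
```

With this sample the supplicant would set two PMKID entries on the driver and then pre-authenticate with the first and third candidates, in that order.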

The following figure illustrates the data flow for WPA2 pre-authentication.

While the device is associated with an AP that is in the desired SSID, the driver can make additional PMKID candidate list indications. For example, the driver might make a status indication if it finds additional BSSIDs that it has not previously indicated.

When making the PMKID candidate list indication, the driver must always include the list of BSSIDs that are the best roaming candidates. Based on its priority ranking, the driver can include the best candidates from the roaming candidate list in addition to entries from the PMK cache.

It is recommended that the driver keep the frequency of these indications to a minimum. For example, the driver must not make a PMKID candidate list indication if only one new entry was added to its roaming candidate list. Instead, it must make the indication after a high-water mark has been reached for new entries inserted into its roaming candidate list.
