"WLAN from Getting Started to Mastering - Basics", Issue 8: STA Access Process
In the last issue we walked through how a fit AP comes online on the AC. Whether the AP is fat or fit, the ultimate goal of bringing it online is the same: to provide wireless coverage that wireless terminals (STAs) can access, so that in daily life and at work, anywhere within that coverage, we can conveniently connect to the network through an AP for entertainment or office work. This issue covers how a STA connects to an AP in a wireless network environment: the STA access process.
Last time we said that the fit AP, after a far from easy journey, was finally accepted as a disciple of Master AC, won the master's recognition, acquired advanced inner strength, and was then entrusted with tasks by the master together with its brothers. Under the wise leadership of the elegant, gifted and learned master, the brothers founded the renowned Longmen Escort Agency (Longmen Biaoju), with Master AC as chief escort and the APs as escorts who carry goods for all kinds of customers. The agency is well known for responding to customers quickly and delivering safely. Hence the saying that begins, "Which is strongest at excavation skills? Go to Lanxiang in Shandong, China". After a period of hard work the agency has made a name for itself, and its standard procedure for handling escort business played an important part in getting this far. So let us see what exactly a customer needs to do to hire the Longmen Escort Agency.
A customer (STA) hiring the agency goes through three steps: first, find a satisfactory escort, the AP (Scan: the STA discovers wireless networks); second, show the escort proof of eligibility (Link Authentication: authentication of the wireless link between STA and AP, which establishes that the STA is qualified to set up a wireless link with the AP); third, sign the escort agreement (Associate: once the STA is confirmed eligible to establish a wireless link with the AP, it still has to negotiate the link's service parameters with the AP to complete link establishment).

In this article, the customer's process of hiring the agency stands for the STA access process, and the escorted goods stand for data transmission. The STA access process discussed here has three stages: Scan, Link Authentication and Associate. After completing these three stages, the STA is connected to the AP. What happens next depends on the actual situation: the STA either obtains an IP address and can access the network, or it must first go through access authentication and key negotiation before it can access the network. (The diagram uses Portal authentication as the example, in which the IP address is obtained before access authentication. The order varies between authentication methods; with MAC authentication, for example, the IP address is obtained after access authentication.)

PS: Access authentication and key negotiation are not always performed. During the association stage, the STA decides whether they are required based on the association response it receives; this is described later under the association stage. In practice, however, for the sake of wireless network security, access authentication and key negotiation are usually chosen.
First Stage: Scanning
Before shipping anything, the customer (STA) first has to find an escort (AP) it is happy with. To meet market demand, the agency stations different escorts in different regions, and customers may move between regions, so a customer needs to learn promptly which escorts are available for hire. The way customers find an escort is known in the trade as scanning. A customer can actively look for escorts, or passively wait for escorts to send out their service information.

When we connect a phone to Wi-Fi, we usually look at which wireless signals the phone can currently see and then pick a network to join. The picture shows the wireless networks a phone has found. What are those strings of letters? They are the SSIDs introduced earlier, the identifier of each wireless network, and we connect by tapping the SSID we want. The point here is that before connecting to a wireless network you first have to find it, and the STA's process of searching for wireless networks is called scanning. Many phones will automatically reconnect to a previously used network when it is available; that is a software feature designed to simplify things for the user, not a sign that the phone skips scanning. Scanning is something a phone or other STA does automatically, and what we see when we use it is the result of a scan that has already happened.

Scanning comes in two kinds: active and passive. As the names suggest, in active scanning the STA actively probes for wireless networks, while in passive scanning the STA only passively receives the wireless signals sent by the AP. Both are described in detail below.
Active Scanning
When actively looking for escorts, the customer (STA) finds out, within its own reach, which escorts (APs) can carry its goods. The STA has now gone to the agency to find every escort that can provide service. Once inside, the STA finds a slightly elevated spot and shouts, "Is there an escort who can take a shipment? It's a big deal!" Perhaps the words "big deal" caught the escorts' attention, because almost at once all of them answered the STA's request. Under the agency's rules, every escort on duty must respond to customers, so that the customer obtains information on all the escorts and has more to choose from. All the STA has to do now is pick the one it likes best.

In active scanning, the STA sends probes on each channel it supports to detect the surrounding wireless networks. The probe the STA sends is called a Probe Request frame. Probe Request frames fall into two classes: those that do not specify an SSID and those that do.

1. A Probe Request frame with no SSID specified means the STA wants to learn about every wireless network it can reach. Every AP that receives this broadcast Probe Request frame responds to the STA and states its SSID, so the STA can discover all the wireless networks around it. (Note: if the AP's wireless network is configured to hide the SSID in Beacon frames, the AP does not respond to the STA's broadcast Probe Request frame, and the STA cannot obtain the SSID this way.)

Sometimes the STA finds the escorts a little too enthusiastic. To get to the escort it wants quickly, it shouts that escort's name directly; the others naturally leave it alone, and only the named escort steps forward to talk with the customer.

2. A Probe Request frame with an SSID specified means the STA is looking only for that SSID and has no use for wireless networks other than the specified one. An AP that receives the request frame responds to the STA only if the SSID in the request frame is the same as its own SSID.
Passive Scanning
Besides customers coming to the agency to look for escorts, the escorts also regularly send out messages or flyers announcing that they offer escort services. From the contact details in these unsolicited messages and flyers, the STA can likewise find escorts to hire, which of course makes things easier for the customer.

In passive scanning, the STA does not send Probe Request frames; all it does is passively receive the Beacon frames that the AP sends periodically. The AP's Beacon frame contains information such as the AP's SSID and supported rates, and the AP broadcasts Beacon frames periodically. For example, the default period for the AP to send Beacon frames is 100 ms, i.e. the AP broadcasts a Beacon frame every 100 ms. The STA learns which wireless networks are present by listening for Beacon frames on each channel it supports. (Note: if the wireless network is configured to hide the SSID in Beacon frames, the SSID carried in the Beacon frames sent by the AP is an empty string, so the STA cannot obtain the SSID from the Beacon frame.)

Whether the STA searches for wireless signals by active or passive scanning depends entirely on what the STA supports. The wireless adapters in phones and computers generally support both methods. Networks found by either active or passive scanning are shown in the phone's or computer's network connections for the user to choose from. VoIP voice terminals typically use passive scanning in order to save power.

Once the phone has found wireless networks and we have chosen which one to join, the STA enters the link authentication stage.
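The two scanning modes can be told apart on the wire by the management-frame subtype and the SSID element. The following Python is an added example, not code from the original article; the sample frames are constructed inline, and `build_frame` and `classify` are hypothetical helper names.

```python
import struct

# Management-frame subtypes used in scanning (frame type 0 = management).
SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
SSID_ELEMENT_ID = 0

def build_frame(subtype, ssid):
    """Build a minimal sample frame (constructed data, hypothetical helper)."""
    header = struct.pack("<HH", subtype << 4, 0)        # frame control, duration
    header += b"\xff" * 6 + b"\x02" * 12 + b"\x00\x00"  # addr1-3, sequence control
    fixed = b""
    if subtype in (5, 8):                                # timestamp, interval, capability
        fixed = struct.pack("<QHH", 0, 100, 0x0001)
    return header + fixed + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid

def classify(frame):
    """Return (frame kind, SSID status, SSID text) for a scanning frame."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return ("other", None, None)
    offset = 24 + (12 if subtype in (5, 8) else 0)       # skip fixed fields
    ssid = None
    while offset + 2 <= len(frame):                      # walk tagged elements
        eid, elen = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + elen]
        if len(value) < elen:
            raise ValueError("truncated information element")
        if eid == SSID_ELEMENT_ID:
            ssid = value
            break
        offset += 2 + elen
    kind = SUBTYPES[subtype]
    if ssid is None:
        return (kind, "missing", None)
    if not ssid:
        # Empty SSID: wildcard in a Probe Request, hidden network in a Beacon.
        return (kind, "wildcard" if subtype == 4 else "hidden", "")
    return (kind, "named", ssid.decode("utf-8", "replace"))
```

A monitoring tool can use the same classification to separate broadcast probes from directed ones and to flag Beacons that advertise an empty SSID.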
Second Stage: Link Authentication
When the STA has found a satisfactory escort (AP), the escort cannot start carrying the goods right away. The STA first has to pass the escort's verification, which checks the STA's legitimacy before the escort agreement is signed, so that illegitimate or malicious STAs cannot carry out shady activities. The agency offers several service packages (security policies), each of which includes a different way of verifying the STA. Overall, though, there are two ways to verify a STA: open system authentication and shared key authentication.

The STA and the AP are connected by a wireless link. While this link is being established, the STA must pass wireless link authentication; only after passing can the STA and the AP associate. Passing link authentication does not yet determine whether the STA may access the wireless network; that depends on whether the STA is subsequently required to perform access authentication and whether it passes.

Mention authentication and you may think of 802.1X authentication, PSK authentication, Open authentication and a host of other methods. How do these relate to link authentication? Before answering, here is a brief look at security policies. A security policy is a set of security mechanisms: the link authentication method used when the wireless link is established, the user access authentication method used when the wireless user comes online, and the data encryption method used when the wireless user transmits service data. The table below lists the link authentication, access authentication and data encryption methods of several security policies.
| Security Policy | Link Authentication Method | Access Authentication Method | Data Encryption Method | Description |
|---|---|---|---|---|
| WEP | Open | Not involved | No encryption or WEP encryption | Insecure security policy. |
| WEP | Shared-key Authentication | Not involved | WEP encryption | Still an insecure security policy. |
| WPA/WPA2-802.1X | Open | 802.1X (EAP) | TKIP or CCMP | High-security policy, suitable for large enterprises. |
| WPA/WPA2-PSK | Open | PSK | TKIP or CCMP | High-security policy, suitable for small and medium businesses or home users. |
| WAPI-CERT | Open | Pre-shared key identification | SMS4 | Domestically developed, rarely used; suitable for large enterprises and operators. |
| WAPI-PSK | Open | WAPI certificate identification | SMS4 | Domestically developed, rarely used; suitable for small businesses and home users. |
The picture below illustrates this again.

Link authentication and access authentication are authentication at two different stages. As the table shows, the security policies fall into WEP, WPA, WPA2 and WAPI, yet the link authentication behind all of them is only ever Open or Shared-key Authentication, while 802.1X and PSK are access authentication methods. User access authentication also includes MAC authentication and Portal authentication, which are not listed in the table. (PS: for more on security policies, MAC authentication and Portal authentication, refer to the feature descriptions for WLAN security features and security features.)

Now back to our topic: link authentication consists of Open and Shared-key Authentication. What exactly does each authentication process look like?
Open System Authentication
To speed up the escorts' handling of business, the agency checks customers with a method called open system authentication: as long as a customer asks for an escort, the escort agrees outright. This is of course a security risk that illegitimate customers can take advantage of, so to keep the agency secure, this method is normally paired with a strict check of the customer's legitimacy later in the process.

Open system authentication, Open authentication for short, is also called no authentication. Note, however, that no authentication is still a form of authentication: with this link authentication method, whenever a STA sends an authentication request, the AP lets the authentication succeed. It is an insecure authentication method, so in practice it is usually combined with an access authentication method to improve security.
Shared Key Authentication
The other method is called shared key authentication. The customer and the escort agree on a secret code in advance; when the customer asks for an escort, the escort uses the code to verify that the customer is legitimate, and handles the business only for customers who pass.

The name shared key authentication easily brings to mind pre-shared key (PSK) authentication. In fact, shared key authentication is a link authentication method, whereas pre-shared key authentication is a user access authentication method; the processes of the two are actually similar.

Shared key authentication takes only four steps. Before authentication, the same key must be configured on both the STA and the AP, otherwise authentication cannot succeed.

1. The STA sends an authentication request to the AP.
2. On receiving the request, the AP generates a challenge phrase and sends it to the STA. Call the challenge phrase A.
3. The STA encrypts the challenge phrase with its own key and sends the result to the AP. Call the encrypted result B.
4. The AP receives the encrypted message B from the STA and decrypts it with its own key. As long as the keys configured on the STA and the AP are the same, the decrypted result is A. The AP compares this result with the challenge phrase it originally sent to the STA: if they match, it tells the STA that authentication succeeded; if they do not, authentication fails.

After successful link authentication, the STA can move on to the next stage, association.
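The four-step exchange described above, as an added Python example that is not part of the original article. It assumes WEP-style RC4 with a 24-bit IV prepended to the shared key and leaves out WEP's integrity check value; the class and function names are hypothetical.

```python
import hmac
import os

def rc4(key, data):
    """RC4, the stream cipher WEP uses; encryption and decryption are identical."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

class AccessPoint:
    def __init__(self, key):
        self.key = key
        self.pending = {}                     # STA MAC -> outstanding challenge A

    def on_auth_request(self, sta_mac):       # steps 1 and 2
        self.pending[sta_mac] = os.urandom(128)
        return self.pending[sta_mac]

    def on_auth_response(self, sta_mac, iv, b):      # step 4
        challenge = self.pending.pop(sta_mac, None)  # each challenge is single-use
        if challenge is None:
            return "failure: no outstanding challenge"
        decrypted = rc4(iv + self.key, b)
        if hmac.compare_digest(decrypted, challenge):
            return "success"
        return "failure: challenge mismatch"

class Station:
    def __init__(self, mac, key):
        self.mac, self.key = mac, key

    def answer(self, challenge):              # step 3: encrypt A into B
        iv = os.urandom(3)                    # assumption: 24-bit IV prepended to the key, as in WEP
        return iv, rc4(iv + self.key, challenge)

def authenticate(ap, sta):
    """Run the four-step exchange and return the AP's verdict."""
    challenge = ap.on_auth_request(sta.mac)
    iv, b = sta.answer(challenge)
    return ap.on_auth_response(sta.mac, iv, b)
```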
Third Stage: Association
After verifying the customer's legitimacy, the escort invites the customer into the reception room to sign the escort agreement. The STA hands its agreement documents to the escort, who passes them on to the chief escort, the AC, to review the agreement. When the review is complete, the escort delivers the chief escort's decision to the customer. At this point, the STA has completed the process of hiring an escort.