WPA2 Pre-Authentication (Compact 2013)
3/26/2014
Miniport drivers that support Wi-Fi Protected Access 2 (WPA2) must support pre-authentication.
WPA2 Pre-Authentication
Drivers advertise support for pre-authentication in response to a query of the 802.11 capability object identifier (OID). The driver must return, in the NoOfPMKIDs member of the NDIS_802_11_CAPABILITY structure, the number of pairwise master key identifiers (PMKIDs) that it can support. The NoOfPMKIDs value must be within the range 3 through 16.
WPA2 pre-authentication is managed through lists that are exchanged between the miniport driver and the 802.1x supplicant.
Roaming Candidate List
The driver manages the roaming candidate list from the Basic Service Set Identifiers (BSSIDs) that belong to the associated Service Set Identifier (SSID) that it finds in its cached BSSID scan list. The driver indicates the presence of this list to the supplicant through media-specific Pairwise Master Key Security Association (PMKSA) candidate list indications. When making PMKID candidate list indications, the driver indicates its roaming candidates through the NDIS_802_11_PMKID_CANDIDATE_LIST structure.
PMK Cache
The supplicant manages the roaming candidate list from the BSSIDs in the associated SSID with which it has pre-authenticated. The supplicant sets the PMK cache on the driver through OID_802_11_PMKID. The 802.11x device uses the PMKID cache whenever it associates or re-associates with a BSSID within the desired SSID.
The device that supports 802.11x uses the PMK cache only for roaming between access points (APs) within the BSS. The PMK cache is not used for the device's initial association to any AP within the desired SSID.
Pre-authentication is only used under the following conditions:
- The driver's network mode is set to Ndis802_11Infrastructure.
- The driver's authentication mode is set to Ndis802_11AuthModeWPA2.
- The driver is currently associated with an AP and authenticated through WPA2.
Pre-authentication occurs after the driver’s first association with an AP following the setting of OID_802_11_SSID. The pre-authentication requires the following steps:
1. After the 802.1x supplicant completes the WPA2 authentication, it transfers the pairwise and group keys to the driver through one or more OID_802_11_ADD_KEY set operations.
2. After the keys are transferred, the driver prepares its initial roaming candidate list. The elements of this list are based on the BSSIDs from the desired SSID in the driver's cached BSSID scan list. The driver sorts the roaming candidate list based on its own priority ranking. For example, the driver can sort the list based on the received signal strength indication (RSSI).
3. The driver makes its initial PMKID candidate list indication by using the entries from its current roaming candidate list.
   Warning: The driver must not make any PMKID candidate list indications until it is associated and the pairwise and group keys have been transferred through OID_802_11_ADD_KEY set operations. Only after the keys have been transferred has the supplicant completed the WPA2 authentication and is it ready to accept PMKID candidate list indications.
4. The supplicant replaces its PMKID candidate list with the driver's roaming candidate list.
5. The supplicant takes the intersection of its PMKID candidate list and the master PMK table and sends the results to the driver by setting OID_802_11_PMKID. If no entries from the PMKID candidate list match any entries in the master PMK table, the supplicant does not issue an OID_802_11_PMKID set command to the driver.
6. After setting OID_802_11_PMKID, the supplicant initiates pre-authentication for each entry in its PMKID candidate list that does not match an entry in the master PMK table. The supplicant pre-authenticates the entries in the priority order of the PMKID candidates as indicated by the driver through its PMKID candidate list indication.
7. When the supplicant obtains, by pre-authentication, a new entry in the master PMK table that matches a PMKID candidate in the supplicant's PMKID candidate list, the supplicant indicates that PMKID candidate to the driver by setting OID_802_11_PMKID.
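The supplicant's intersection step (steps 5 and 6) and the NoOfPMKIDs range check from the capability query, as an added C example. This is illustrative code written for this page, not the Compact 2013 supplicant or the real NDIS definitions: the struct layouts, field names and function names are assumptions, and the BSSIDs and PMK table are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BSSID_LEN 6
#define PMKID_LEN 16
#define MAX_PMKIDS 16   /* upper bound of the NoOfPMKIDs range (3..16) */

/* Simplified stand-ins for the NDIS structures (assumed layouts, not ntddndis.h). */
typedef struct { uint8_t bssid[BSSID_LEN]; uint8_t pmkid[PMKID_LEN]; } pmk_entry; /* master PMK table row */
typedef struct { uint8_t bssid[BSSID_LEN]; } candidate;                            /* one driver candidate */

/* True if the NoOfPMKIDs value returned for the capability query is within the required 3..16 range. */
bool pmkid_capacity_ok(unsigned no_of_pmkids) { return no_of_pmkids >= 3 && no_of_pmkids <= MAX_PMKIDS; }

/* Supplicant step: intersect the driver's candidate list (already in driver priority order)
 * with the master PMK table. Matches go to `cache` (what an OID_802_11_PMKID set would carry),
 * capped at the driver's advertised NoOfPMKIDs; unmatched BSSIDs go to `todo` in candidate
 * order, which is the order in which they are pre-authenticated. Returns the number of cache
 * entries; 0 means no OID_802_11_PMKID set is issued. */
size_t split_candidates(const candidate *cands, size_t ncand,
                        const pmk_entry *table, size_t ntable, unsigned no_of_pmkids,
                        pmk_entry *cache, candidate *todo, size_t *ntodo)
{
    size_t ncache = 0;
    *ntodo = 0;
    for (size_t i = 0; i < ncand; i++) {
        const pmk_entry *hit = NULL;
        for (size_t j = 0; j < ntable; j++)
            if (memcmp(table[j].bssid, cands[i].bssid, BSSID_LEN) == 0) { hit = &table[j]; break; }
        if (hit) {
            if (ncache < no_of_pmkids) cache[ncache++] = *hit;  /* never exceed driver capacity */
        } else {
            todo[(*ntodo)++] = cands[i];
        }
    }
    return ncache;
}

/* Constructed sample: candidates A, B, C in driver priority order; the master PMK table holds B and D.
 * Returns ncache * 100 + ntodo, or -1 if the pre-auth order does not follow the driver's ranking. */
int demo_run(void)
{
    const candidate cands[3] = { {{0xA,0,0,0,0,1}}, {{0xB,0,0,0,0,2}}, {{0xC,0,0,0,0,3}} };
    const pmk_entry table[2] = { {{0xB,0,0,0,0,2}, {0}}, {{0xD,0,0,0,0,4}, {0}} };
    pmk_entry cache[MAX_PMKIDS]; candidate todo[3]; size_t ntodo;
    size_t ncache = split_candidates(cands, 3, table, 2, 4, cache, todo, &ntodo);
    if (ntodo == 2 && (todo[0].bssid[0] != 0xA || todo[1].bssid[0] != 0xC)) return -1;
    return (int)(ncache * 100 + ntodo);
}
```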
OID Flow During WPA2 Pre-Authentication
While the device is associated with an AP that is in the desired SSID, the driver can make additional PMKID candidate list indications. For example, the driver might make a status indication if it finds additional BSSIDs that it has not previously indicated.
When making the PMKID candidate list indication, the driver must include the list of BSSIDs that are the best roaming candidates. Based on its priority ranking, the driver can include the best candidates from the roaming candidate list in addition to entries from the PMK cache. We recommend that the driver keep the frequency of these indications to a minimum. For example, the driver must not make a PMKID candidate list indication if only one new entry was added to its roaming candidate list; instead, it must make the indication only after the number of entries inserted into its roaming candidate list reaches a new high.