Page 417 - From GSM to LTE
Wireless Local Area Network (WLAN) 403
Figure 6.8 Authentication and association of a client device with an access point.
[Figure: message flow between terminal and access point: Authentication (open system); Authentication (successful); Association request (SSID of the system); Association response (successful, association ID, capability information); User data]
Once authenticated successfully, the client device has to perform an association
procedure with the AP. The AP answers an association request message by returning an
Association Response message, which once more contains all necessary information
about the wireless network, for example, the capability IE. Furthermore, the AP assigns
an association ID, which is also included in the Association Response message. It is used
later by the client device to enter power‐saving (PS) mode. Authentication and association
with an AP are two separate procedures. This allows a client device to quickly roam
between different APs. Once a device is authenticated by all APs, it only has to perform
an association procedure to roam from one AP to another.
Figure 6.8 shows the message flows of the authentication and association procedures.
Acknowledgment (ACK) frames (see Section 6.5) are not shown for clarity.
Once the association with an AP has been performed successfully, user data packets
can be exchanged. In the past, a device was informed via a capability Information
Element (IE) in the Association Response message if Wired Equivalent Privacy (WEP)
encryption was used to cipher the subsequent user data exchange. However, it was soon
discovered that WEP contained a number of severe security flaws. As a consequence,
new algorithms and procedures have been standardized that require a further information
exchange before ciphering can be activated. More about this topic can be found in
Section 6.7.
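
The following added example, not from the book, parses the fixed fields of the Association Response described above (status, association ID, capability information) and reports whether the capability information sets the Privacy bit. The field offsets follow the IEEE 802.11 management frame layout; the sample frame, MAC addresses and function names are constructed for illustration.

```python
import struct

def parse_assoc_response(frame: bytes) -> dict:
    """Parse a raw 802.11 Association Response (no radiotap header, no FCS)."""
    if len(frame) < 30:  # 24-byte MAC header + 6 bytes of fixed fields
        raise ValueError("frame too short")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 1):  # management frame, association response
        raise ValueError("not an association response")
    capability, status, aid_raw = struct.unpack_from("<HHH", frame, 24)
    info = {
        "success": status == 0,
        "aid": aid_raw & 0x3FFF,               # two top bits are always set
        "privacy": bool(capability & 0x0010),  # encryption required for data
        "elements": {},
    }
    pos = 30  # tagged elements: 1-byte ID, 1-byte length, value
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            raise ValueError("truncated information element")
        info["elements"][eid] = value
        pos += 2 + elen
    return info

def audit(info: dict) -> str:
    """Defender's reading of the response."""
    if not info["success"]:
        return "association refused"
    if not info["privacy"]:
        return "associated, user data will be sent unencrypted"
    return "associated, encryption required before user data"

def build_sample(privacy: bool) -> bytes:
    """Constructed frame with made-up locally administered MAC addresses."""
    client, ap = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    header = b"\x10\x00" + b"\x00\x00" + client + ap + ap + b"\x00\x00"
    capability = 0x0001 | (0x0010 if privacy else 0)
    fixed = struct.pack("<HHH", capability, 0, 0xC000 | 1)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates element
    return header + fixed + rates

if __name__ == "__main__":
    for flag in (True, False):
        print(audit(parse_assoc_response(build_sample(flag))))
```

The Privacy bit only states that data frames must be encrypted; it does not say which algorithm is in use.
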
Authentication and encryption are independent of each other. Therefore, APs are
usually configured to use the open system ‘authentication’ and to only use the shared
secret key for encryption of the data packets. Devices that do not know the shared
secret key or that use an invalid key can, therefore, authenticate and associate successfully
with an AP but cannot exchange user data.
If a client device uses an ESS with several APs (see Figure 6.4), it can change at any time
to a different AP that is received with a better signal level. The corresponding
reassociation procedure is shown in Figure 6.9. To be able to find the APs of an ESS, the
client device scans the frequency band for beacon frames of other APs when no data has
to be transmitted. As all APs of the same ESS transmit beacon frames containing the
same SSID, client devices can easily distinguish between APs belonging to the current