RSN-IE (Robust Security Network Information Element) is an optional, variable-length field carried in 802.11 management frames. The RSN element has an element ID of 48 and is present in the following management frames:
1. Beacon frames (sent by AP)
2. Probe Response frames (sent by AP)
3. Association Request frames (sent by client)
4. Reassociation Request frames (sent by client)
An RSN-capable 802.11 radio uses one cipher suite (the pairwise cipher) for unicast encryption and another (the group cipher) for encrypting multicast/broadcast traffic. Each suite is identified by a 4-byte suite selector: a 3-byte OUI (00-0F-AC for the IEEE-defined suites) followed by a 1-byte suite type. Below are the different cipher suite values.
00-0F-AC-04 (CCMP) is the default.
00-0F-AC-02 (TKIP) is optional.
00-0F-AC-01 (WEP-40) and 00-0F-AC-05 (WEP-104) are the legacy WEP suites, only used for mixed pre-RSNA client support.
When a station supports several ciphers, it always chooses the strongest one first (i.e. CCMP, then TKIP, WEP-104, WEP-40).
The RSN-IE is also used to indicate which authentication methods are supported. The Authentication and Key Management (AKM) suite indicates whether the station supports 802.1X or PSK authentication. Below are the 3 different AKM suite values, depending on the authentication method used.
00-0F-AC-01 (802.1X)
00-0F-AC-02 (PSK)
00-0F-AC-03 (FT over 802.1X)
Here is the structure of the RSN element. After the Element ID (48) and Length bytes it carries, in order: Version (2 bytes, always 1), Group Cipher Suite (4 bytes), Pairwise Cipher Suite Count (2 bytes) followed by the Pairwise Cipher Suite List (4 bytes per suite), AKM Suite Count (2 bytes) followed by the AKM Suite List (4 bytes per suite), RSN Capabilities (2 bytes), PMKID Count (2 bytes) followed by the PMKID List (16 bytes per PMKID), and finally the Group Management Cipher Suite (4 bytes, 802.11w). Every field after Version is optional, so an element may end at any field boundary; the counts and the capabilities field are little-endian.
Below are sample wireless frame captures of the 4 different types of frames in which the RSN-IE field exists.
Here is a beacon frame. You can filter Beacon frames in Wireshark using the (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x08) filter (wlan.fc.type_subtype alone is sufficient, since it already encodes the frame type). As you can see below, both the Group and Pairwise cipher are CCM-AES (00-0F-AC-04) and the AKM suite is PSK (00-0F-AC-02).
Here is a Probe Response frame. You can filter Probe Response frames using the (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x05) Wireshark filter.
Here is an Association Request frame. You can filter Association Request frames using the (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x00) Wireshark filter.
Here is a Reassociation Request frame. You can filter these frames using the (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x02) Wireshark filter. As you can see, it uses an AKM suite of 00-0F-AC-01 (802.1X) and CCM-AES (00-0F-AC-04) as the encryption cipher.
When you have multiple cipher suites (for mixed client support) the Group Cipher should always be the lowest common denominator (i.e. if CCMP, TKIP and WEP pairwise ciphers are all allowed, the group cipher must be WEP), because every client, including the weakest one, has to be able to decrypt broadcast and multicast traffic.
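To make the element layout and the two selection rules concrete, here is an added Python example (written for this page; it is not code from the CWSP guide or from any Wi-Fi stack) that parses an RSN element from raw bytes and then applies the strongest-first pairwise choice and the lowest-common-denominator group-cipher check. The four element byte strings are constructed for the example, modelled on the beacon (CCMP/PSK) and reassociation (802.1X) captures above; the vendor OUI 00:50:f2 in the last one is there only to show how a non-IEEE suite selector is reported, much as a controller would reject an unsupported multicast suite.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List

RSN_ELEMENT_ID = 48
IEEE_OUI = bytes.fromhex("000fac")  # 00-0F-AC: OUI of every IEEE-defined suite selector

# Suite types under OUI 00-0F-AC (the values quoted in the text plus the two WEP selectors)
CIPHER_SUITES: Dict[int, str] = {0: "Use group cipher", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
AKM_SUITES: Dict[int, str] = {1: "802.1X", 2: "PSK", 3: "FT over 802.1X"}

# Strongest first; a station offered several pairwise ciphers takes the first match
CIPHER_RANK = ["CCMP-128", "TKIP", "WEP-104", "WEP-40"]


@dataclass
class RsnInfo:
    version: int
    group_cipher: str = ""
    pairwise_ciphers: List[str] = field(default_factory=list)
    akm_suites: List[str] = field(default_factory=list)
    capabilities: int = 0
    pmkids: List[str] = field(default_factory=list)


def _suite_name(raw: bytes, table: Dict[int, str]) -> str:
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a name."""
    oui, typ = raw[:3], raw[3]
    if oui != IEEE_OUI:
        return f"vendor {oui.hex(':')}:{typ}"
    return table.get(typ, f"unknown 00-0F-AC-{typ:02X}")


def parse_rsn_ie(ie: bytes) -> RsnInfo:
    """Parse one RSN element: element ID 48, a length byte, then the body."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("RSN element is shorter than its length field")
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError(f"field at offset {off} runs past the end of the element")
        chunk = body[off:off + n]
        off += n
        return chunk

    def u16() -> int:
        return struct.unpack("<H", take(2))[0]  # counts and capabilities are little-endian

    def suite_list(table: Dict[int, str]) -> List[str]:
        return [_suite_name(take(4), table) for _ in range(u16())]

    info = RsnInfo(version=u16())
    # Every field after Version is optional: the element may end at any field boundary
    if off == len(body):
        return info
    info.group_cipher = _suite_name(take(4), CIPHER_SUITES)
    if off == len(body):
        return info
    info.pairwise_ciphers = suite_list(CIPHER_SUITES)
    if off == len(body):
        return info
    info.akm_suites = suite_list(AKM_SUITES)
    if off == len(body):
        return info
    info.capabilities = u16()
    if off == len(body):
        return info
    info.pmkids = [take(16).hex() for _ in range(u16())]
    # A 4-byte Group Management Cipher Suite (802.11w) may follow; it is not decoded here
    return info


def choose_pairwise(info: RsnInfo) -> str:
    """Strongest-first rule: CCMP, then TKIP, WEP-104, WEP-40."""
    for name in CIPHER_RANK:
        if name in info.pairwise_ciphers:
            return name
    raise ValueError(f"no supported pairwise cipher in {info.pairwise_ciphers}")


def check_group_cipher(info: RsnInfo) -> List[str]:
    """Lowest-common-denominator rule: the group cipher may not beat the weakest pairwise cipher."""
    findings: List[str] = []
    if info.group_cipher not in CIPHER_RANK:
        findings.append(f"group cipher '{info.group_cipher}' is not a ranked 802.11i cipher")
        return findings
    ranked = [c for c in info.pairwise_ciphers if c in CIPHER_RANK]
    if ranked:
        weakest = max(ranked, key=CIPHER_RANK.index)
        if CIPHER_RANK.index(info.group_cipher) < CIPHER_RANK.index(weakest):
            findings.append(f"group cipher {info.group_cipher} is stronger than the weakest pairwise "
                            f"cipher {weakest}; a {weakest}-only client could not decrypt broadcast")
    return findings


# Constructed sample elements (hex), not taken from the captures on this page
BEACON_RSN = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
MIXED_RSN = bytes.fromhex("301c" "0100" "000fac02" "0200" "000fac04" "000fac02" "0200" "000fac01" "000fac03" "0000")
BAD_GROUP_RSN = bytes.fromhex("3018" "0100" "000fac04" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")
VENDOR_GROUP_RSN = bytes.fromhex("3014" "0100" "0050f202" "0100" "000fac04" "0100" "000fac02" "0000")

if __name__ == "__main__":
    for label, ie in [("beacon", BEACON_RSN), ("mixed", MIXED_RSN),
                      ("bad group", BAD_GROUP_RSN), ("vendor group", VENDOR_GROUP_RSN)]:
        info = parse_rsn_ie(ie)
        print(label, info, "->", choose_pairwise(info), check_group_cipher(info))
```

The parser stops cleanly at whichever field the element ends on, which matters because many stations omit the PMKID and capability fields, and it refuses elements whose length byte overruns the buffer rather than reading past the end. Feeding it the element bytes copied from a Wireshark "Tag: RSN Information" row is enough to reproduce the decodes shown in the captures above.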
1. CWSP – L2 Encryption Method:CCMP
2. CWSP – L2 Encryption Method:TKIP
3. CWSP – 4 Way Handshake
4. CWSP – Legacy 802.11 Security
koen verbeeck said:
What a nice blog.
I just came across the following event in Cisco Prime 3.0.3, which seems to be related to this blog, any ideas anyone? >>>>
Client ’08:6d:41:ca:ae:46 (0.0.0.0)’ failed to associate with interface ‘802.11a/n’ of AP ‘LAP-01667-02-0002-‘. The reason code is ’42(Unicast cipher Invalid)’.
The following log entry can be found in the WLC >>>>>
*apfMsConnTask_2: Aug 23 09:06:19.304: %APF-3 VALIDATE_DOT11i_CIPHERS_FAILED: apf_rsn_utils.c:984 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:08:6d:41:ca:ae:46
I searched a bit but I didn't find it on the internet: is the Authentication Key Management suite part of a standard?
I am trying to summarize when I can enable Fast Transition or not (even if there is the adaptive mode).
Thanks a lot.