RSN-IE (Robust Security Network Information Element) is an optional field of variable length that can be found in 802.11 management frames.RSN element has an element ID of 48 & present in below different management frames

1. Beacon frames.(send by AP)
2. Probe Response frames.(send by AP)
3. Association Request frames.(send by Client)
4. Reassociation Request frames (Send by client)

All 802.11 radios will use one cipher (pairwise) suit for unicast encryption  & another cipher(group) for encrypting multicast/broadcast traffic. Below are the different cipher suite values.

00-0F-AC-04 (CCMP) is the default
00-0F-AC-02 (TKIP) is optional.
00-0F-AC-01 (WEP-40)
00-0F-AC-05 (WEP-104)

When station supports several ciphers, it always chooses the stronges one first (ie CCMP, TKIP, WEP-104, WEP-40)

RSN-IE also used to indicate what authentication methods are supported. The Authentication Key Management (AKM) suite indicate whether the station support 802.1X or PSK authentication. Below are the 3 different AKM suite values depend on the Authentication method used.

00-0F-AC-01 (802.1X)
00-0F-AC-02 (PSK)
00-0F-AC-03 (FT over 802.1X)

Here is the structure of RSN element.

CWSP-RSN-5Below shows sample wireless frame captures of those 4 different type of frames where RSN-IE field exists.

Here is a beacon frame.You can filter Beacon frames in wireshark using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x08) filter. As you can see below both Group & Pairwise cipher is CCM-AES (00-0F-AC-04) & AKM suite is PSK (00-0F-AC-02)

CWSP-RSN-1Here is a Probe Response frame. You can filter Probe Response frames using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x05) wireshark filter.

CWSP-RSN-2Here is a Association Request frame.You can filter Association Request frames using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x00) wireshark filter.

CWSP-RSN-3Here is a Reassociation Reuest frame. You can filter these frames using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x02) wireshark filter. As you can see it uses AKM suite of 00-0F-AC-01 (802.1X) & CCM-AES (00-0F-AC-04) encryption ciphers.

CWSP-RSN-4When you have multiple cipher suites (for mixed client support) Group Cipher should be always lowest denominator.(ie if CCMP, TKIP & WEP ciphers, group cipher should be WEP)

1. http://www.my80211.com/8021x/2010/7/4/george-stefanick-cwsp-journey-chapter-5-rsn-post2-742010.html
2. CWSP-Official Study Guide (page 184-188)

Related Posts

1. CWSP – L2 Encryption Method:CCMP
2. CWSP – L2 Encryption Method:TKIP
3. CWSP – 4 Way Handshake
4. CWSP – Legacy 802.11 Security