In this post we will see how “Over-the-DS Fast BSS Transition” works. We will use the same topology as shown below.
Originally Client is associated to LAP2 & then roam to LAP1.One thing you have to understand is the two APs communicate with each other over the DS (distribution system) & hence called it “Over-the-DS fast BSS transition“. So you have to capture that communication over the wire. At this time I have enabled “Over-the-DS FT” support on the WLAN.
3850-1#show wlan id 22 WLAN Profile Name : MRN-EAP ================================================ Identifier : 22 Network Name (SSID) : MRN-EAP Status : Enabled Broadcast SSID : Enabled . 802.1x authentication list name : MRN-DOT1X Security 802.11 Authentication : Open System Static WEP Keys : Disabled 802.1X : Disabled Wi-Fi Protected Access (WPA/WPA2) : Enabled WPA (SSN IE) : Disabled WPA2 (RSN IE) : Enabled TKIP Cipher : Disabled AES Cipher : Enabled Auth Key Management 802.1x : Enabled PSK : Disabled CCKM : Disabled FT dot1x : Enabled FT PSK : Disabled PMF dot1x : Disabled PMF PSK : Disabled FT Support : Enabled FT Reassociation Timeout : 20 FT Over-The-DS mode : Enabled PMF Support : Disabled PMF Association Comeback Timeout : 1 PMF SA Query Time : 200
I have simply configure a monitor session on my 3850 to capture this “Over-the-DS” communication & at the same time sniffing on CH36 (where LAP1-target AP) operates. Here is the 3850 monitor session configs where G1/0/2 is LAP2 connected switchport & G1/0/3 is connected to PC running wireshark monitoring PC’s Ethernet NIC.
3850-1# monitor session 1 source interface Gi1/0/2 monitor session 1 destination interface Gi1/0/3
Here is the “Over-the-DS” capture looks like. As you can see below there are two action frames [ you can filter it in wireshark suing (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0d) display filter). Here is the FT Action Request frame sent by the STA address (04f7.e4ea.5b66) to the target AP address of LAP1’s BSSID (64a0.e7af.474e) under fixed parameters. You can see in the original 802.11 wireless headers source address is the client MAC & destination address is LAP2’s BSSID (2c3f.382a.b12e). In other words this FT Action Request frame is going to target AP via the original AP.
LAP2 (192.168.20.166) will encapsulate original wireless frame onto CAPWAP & send to WLC management address (192.168.20.1) as CAPWAP Data frame (Dst Port UDP 5247).
You can see RSNIE, MDIE & FTIE information elements in this frame. MDIE has “FT over DS” bit set to 1 indicating it is using “Fast BSS transition over DS” mechanism. FTIE include SNonce, R0KH-ID as well.
In response to FT Action Request frame, Target AP (LAP1 in this case) send a FT Action Response frame. Here is that frame. You can see in this frame as well STA address (04f7.e4ea.5b66), Target AP Address (64a0.e7af.474e), action code “FT Response” with status code “Successful“.
In the 802.11 wireless header, source address is 2c3f.382a.b12e which is LAP2 & destination address is 04f7.e4ea.5b66 indicating response is coming via original AP (LAP2).
In this frame as well you can see RSNIE, MDIE & FTIE information. In FTIE you can see ANonce, SNonce, R1KH-ID & R0KH-ID
Now here is the wireless sniff on CH36 looks like (target AP operating frequency). As you can see there are “Re-association Request” & “Re-association Response” frames (#437 & 439). Timing wise you can see the FT occur within 88ms (time from FT Action Request frame to Re-association Response frame). Here is the detail view of “Re-association Request” frame. This frame sends by client (04f7.e4ea.5b66) to target AP,LAP1 (with BSSID:64a0.e7af.474e). This is an over the air communication. As you can see it list the current AP(2c3f.382a.b12e) which is LAP2. FTIE includes MIC, SNonce, ANonce, R1KH-ID, R0KH-ID information.Then Target AP send the “Re-association Response” frame with status code “Successful” Here is the detail view of “Re-association Response” frame. FTIE includes ANonce, SNonce, R1KH-ID, R0KH-ID & GTK for broadcast/multicast encryption.Here is the summary view of Over-the-DS Fast BSS Transistion frame exchange that we described earlier.(page 271 of CWSP Official Study Guide)References
1. LAP2-LAP1-Over-DS (Over the DS wired frame capture)
2. iphone5-EAP-FT-over-DS-ch36 (Over the air CH36 wireless frame capture)
3. CWSP Official Study Guide – Chapter 7
4. 802.11r, 802.11k, and 802.11w Deployment Guide, Cisco IOS-XE Release3.3