Once a client station is discover a SSID (Probe Request/Response or listening to Beacons) it move to Join phase. This exchange comprise of at least 4 frames
1. Authentication (Request)
2. Authentication (Response)
3. Association Request
4. Association Response
The frame format of those Authentication frames are as shown below.(from page 136- CWAP Official Study Guide)
As you can see above, frame body of an Authentication Frame consist of the following filds
1. Authentication Algorithm Number – 0 for Open System & 1 for Shared Key
2. Authentication Transaction Sequence Number -Indicate current state of progress
3. Status Code – 0 for Success & 1 – Unspecified failures
4. Challenge Text – Used in Shared Key Authentiction frame 2 & 3
Below table summarize the authentication frame field values & usages.(from page 137- CWAP Official Study Guide)
The initial purpose of the authentication frame is to validate the device type (verify that the requesting station has proper 802.11 capability to join the cell). This exchanged is based on simple two-frame (Auth Request & Auth Response) called Open System.
In IEEE 802.11-1997 standard included a WEP shared key exchange authentication mechanism called “Shared Key” where 4 authentication frame exchange. (when more complex authentication like 802.1X/EAP in place, Open System is used first & then complex method followed by Association frames). Below shows a Open System Authentication (note that all unicast frame ACK, so Auth frames get acknowledged)
Below diagrams show an Open System authentication frame exchange & associate packet capture. Here is the first Authentication Frame in this exchange (frame 247). You can see the Authentication Algorithm Number is 0 (indicate Open System). Auth Seq Number is 1 indicate this is the first Authentication Frame in the given exchange. Status code is Reserved for the first frame (refer the table above)
Here is the 2nd Auth Frame (Auth Response) of the Open System frame exchange. As you can see here, Auth Seq Number is 2 indicating this is Auth Response frame. Also status code is 0 indicating successful Open System Authentication.
Even in a 802.1X/EAP Authentication, Always Open System Authentication occur first & then followed by EAP Authentication & 4 Way handshake prior to encrypt data. Here is 802.11r FT Association where 802.1X frame exchange after the Open System Authentication & Association completes.
Here is the 2nd Auth Frame (Auth Seq No=2) . Note that this frame contain a “Challenge Text”. It is expected receiving device of this frame encrypt it using WEP & send it inside Auth frame 3.Here is the 3rd Auth Frame in that exchange. You can see WEP encryption usedHere is the last frame (Auth Seq No =4) of Shared Key Authentication. Note that Status code=0 indicate Successful Authentication.