In this post, we will delve into FILS Discovery in relation to how 6GHz stations use it to discover APs on the 6GHz band. We previously provided an overview of FILS in a separate post.

“FILS Discovery” is one of the “In-band Discovery” techniques used in 6GHz operations (although not all clients may support it). If you haven’t had a chance to read Part 1 of the 6GHz AP Discovery blog series, I recommend going through it as it covers the fundamental configurations I’m utilizing in Cisco 9800 WLC.

I am using the same test setup and have enabled only 6GHz for the “mrn-psk” SSID to test “In-band Discovery”.

I have enabled “FILS Discovery” under the 6GHz RF Profile. Even though we selected “none” in the previous post, we observed that the AP advertised “FILS Discovery” messages on the 6GHz band as long as we had disabled the legacy bands (2.4GHz/5GHz) for the given SSID.

A 6GHz client has to follow certain guidelines before actively probing a 6GHz channel. It has to wait for a Probe Delay Time (approximately 20ms) before actively sending a probe request. If FILS is implemented, that delay allows enough time for the client to see the FILS discovery message, which gives information about the BSSID/AP.

The 802.11ax-2021 amendment gives the following specific rules for 6GHz scanning (ref. sec. 26.17.2.3):

  1. A STA 6G shall not transmit a Probe Request frame to the broadcast destination address that includes a Short SSID List element with more than one Short SSID field.
  2. The non-AP STA shall not transmit a Probe Request frame to the broadcast destination address with the Address 3 field set to the wildcard BSSID and the SSID set to the wildcard SSID.
  3. The non-AP STA shall not send a Probe Request frame to the broadcast destination address with the Address 3 field (BSSID) set to the BSSID of an AP from which it has already received a Probe Response or a Beacon frame since the start of its scanning on that channel.
  4. The non-AP STA shall not send a Probe Request frame to the broadcast destination address with the Address 3 field (BSSID) set to the BSSID of a nontransmitted BSSID if it has already received the nontransmitted BSSID profile for that BSSID via a Beacon frame or Probe Response frame sent by the transmitted BSSID since the start of its scanning on that channel.

In short, 6GHz clients cannot send “Null probe requests”, and they cannot send probe requests for a BSSID during the scan cycle if they have already received a beacon or probe response from that AP.

Here is a PCAP taken while an Intel AX211 and a Pixel6 connect to this SSID. The AP advertises FILS support in the “Extended Capabilities” information element.

As you can see below, FILS discovery messages appear at ~20ms intervals. Those frames are small, 89B (compared to the 332B Beacon frame in my setup). Those FILS discovery messages provide enough information for a client STA to discover an AP for a given SSID.

The “FILS Discovery” frame includes the following information fields. Please note that some of those are optional fields.

You can see that the FILS frame lists a short SSID (0xeb1a3ecf), which is the CRC-32 calculated from my SSID name “mrn-psk”. You can use an online CRC calculator to confirm that, as shown below. It looks like it uses reversed bit order (eb1a3ecf in Wireshark vs cf3e1aeb below).
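The Short SSID check described above, as an added example (not code from the original post): it computes the CRC-32 of the SSID with Python's `zlib`, shows that the two hex strings quoted above are the same four octets in opposite order, and maps a captured Short SSID back to an SSID from a known list. It assumes the 32-bit field is carried least-significant octet first, which is what the two values on this page imply; the function names and the SSID inventory are constructed for illustration.

```python
import struct
import zlib


def short_ssid(ssid):
    """CRC-32 of the SSID octets as an unsigned 32-bit integer."""
    return zlib.crc32(ssid.encode("utf-8")) & 0xFFFFFFFF


def short_ssid_octets(ssid):
    """The 4-octet field in frame order (assumed least-significant octet first)."""
    return struct.pack("<I", short_ssid(ssid))


def classify_hex(ssid, shown):
    """Say how a displayed 8-hex-digit value relates to the SSID's CRC-32."""
    raw = bytes.fromhex(shown.lower().replace("0x", ""))
    if len(raw) != 4:
        raise ValueError("a Short SSID is exactly 4 octets")
    crc = short_ssid(ssid)
    if int.from_bytes(raw, "big") == crc:
        return "crc32 integer"        # what a CRC calculator prints
    if int.from_bytes(raw, "little") == crc:
        return "frame octet order"    # the octets as they sit in the frame
    return "no match"


def resolve(field, known_ssids):
    """Map a captured Short SSID field back to SSIDs from a known list.

    A 32-bit CRC is a lookup key, not a secret: anyone who can guess the
    SSID can confirm it, and two SSIDs can collide, so return every hit.
    """
    if len(field) != 4:
        raise ValueError("a Short SSID is exactly 4 octets")
    return [s for s in known_ssids if short_ssid_octets(s) == field]


if __name__ == "__main__":
    for shown in ("0xeb1a3ecf", "cf3e1aeb"):   # the two values quoted in the post
        print(shown, "->", classify_hex("mrn-psk", shown))
    # Constructed SSID inventory for the reverse lookup.
    inventory = ["guest", "mrn-psk", "corp-6g"]
    print(resolve(bytes.fromhex("eb1a3ecf"), inventory))
```

Because the Short SSID is only a CRC of the name, a monitoring tool can use the same lookup to attribute FILS discovery frames to known or unexpected SSIDs.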

In the FILS discovery frame, you get “Frame Control”, “Capability” & “Tx Power Envelope” information.

The “Capability” subfield contains capabilities and operational indications of the STA transmitting the FILS discovery frame. These include BSS operating channel width, max Spatial Stream of AP, Multiple BSSID support, PHY, and Min rate for FILS frames.

A STA operating in the 6GHz band determines the local and regulatory client maximum power from the “Tx Power Envelope” element. The image below shows the FILS discovery message, including the details of the “Tx Power Envelope” subfield.

You can see my Pixel6 (fe:5b:ff:5d:38:be) indicates its support for FILS in Probe Request frames.

However, the Netgear USB client (94:18:65:3d:74:7d) does not support FILS. Also, it sends “Null Probe Requests”, which is not allowed as per the standard.

As you can see, client behavior depends on each vendor’s implementation.

One drawback of FILS is that its discovery messages are transmitted approximately every 20ms. While these messages are small in size, their frequent transmission can lead to increased management overhead. In the capture above (single C9166), ~10% of the frames are FILS discovery messages (89 bytes) whereas ~2.7% are Beacon frames (322 bytes).

This is one reason why most 6GHz clients/APs prefer “Out-of-band Discovery” instead of “In-band Discovery” methods like FILS.

In the next post, we will look at “Unsolicited Probe Responses”, another method of “In-band Discovery” in 6GHz operation.