WPA2 Association Requirements (Compact 2013)
3/26/2014
After authentication is complete, Wi-Fi devices can associate, or register, with an access point (AP)/router to gain full access to the network. Association enables the AP/router to record each device so that frames may be delivered.
WPA2 Association Requirements
Before a device that supports the 802.11x standard can associate and authenticate by using Wi-Fi Protected Access 2 (WPA2), it must be configured as follows:
- The driver's network mode must have previously been set to Ndis802_11Infrastructure.
- The driver's encryption mode must have previously been set to Encryption3 through the object identifier OID_802_11_ENCRYPTION_STATUS.
- For infrastructure networks, the driver's authentication mode must have previously been set to either Ndis802_11AuthModeWPA2 or Ndis802_11AuthModeWPA2PSK through OID_802_11_AUTHENTICATION_MODE.
- The driver's desired service set identifier (SSID) must have been previously set through OID_802_11_SSID.
The 802.11x device must process the Robust Secure Network (RSN) information element (IE) for WPA2 associations. The RSN IE has an element identifier of 0x30. The device only associates with an AP whose beacons or probe responses contain the RSN IE.
The device can associate only if it finds a match of its encryption and authentication modes in the RSN IE from the beacon or probe response. In the 802.11x association request that it sends, the device must prepare an RSN IE with the matching authentication and encryption modes that it can use.
If the miniport driver has entries in its pairwise master key PMK cache, then it must include those entries in the PMKID list member of the RSN IE that it sends within the 802.11x association or re-association request to the AP
Warning
When queried for OID_802_11_ASSOCIATION_INFORMATION, the miniport driver must return the RSN IE that it sent in the 802.11x association request. This RSN IE is required by the supplicant for processing the WPA2 authentication handshake protocol.