Authentication Indications

The 802.11 miniport driver makes an authentication indication whenever the WPA authentication state changes. For example, the driver can make an authentication indication when any of the following occur:

  • The device detects a Michael Message Integrity Code (MIC) data integrity error while decrypting a received packet by using either the TKIP pairwise or group key.

  • The device requests a pairwise key update.

  • The device requests authentication or reauthentication to a BSSID.

When making the authentication indication, the StatusBufferparameter of NdisMIndicateStatuspoints to a driver-allocated buffer that contains the following structures:

NDIS_802_11_STATUS_TYPE  StatusType;
NDIS_802_11_AUTHENTICATION_REQUEST  AuthenticationRequest[1];

When making authentication indications, the driver must set the StatusTypemember to Ndis802_11StatusType_Authentication.

The AuthenticationRequest member is an array containing one or more entries with a structure of the following type:

typedef struct _NDIS_802_11_AUTHENTICATION_REQUEST
{
  ULONG  Length;
  NDIS_802_11_MAC_ADDRESS  Bssid;
  ULONG  Flags;
} NDIS_802_11_AUTHENTICATION_REQUEST, *PNDIS_802_11_AUTHENTICATION_REQUEST;

The members of this structure contain the following information:

  • Length
    The length, in bytes, of the NDIS_802_11_AUTHENTICATION_REQUEST structure.

  • Bssid
    The BSSID of an access point (AP) within the BSS identified by the desired SSID. When the miniport driver is reporting data integrity errors, the Bssid member must be set to the BSSID of the AP the device is currently associated with. Otherwise, the Bssid member can be set to the BSSID of any AP within the BSS.

  • Flags
    The type of authentication indication that the miniport driver is making. The Flags member is a bitmask that can be set with one or more of the following flags:

    • NDIS_802_11_AUTH_REQUEST_REAUTH (0x01)
      When set, requests an 802.1X reauthentication. If the 802.1X supplicant has not authenticated the specified BSSID, then it authenticates the BSSID. If the supplicant has already authenticated the specified BSSID, then it re-authenticates the BSSID only if the NDIS_802_11_AUTH_REQUEST_GROUP_ERROR flag is also set. The NDIS_802_11_AUTH_REQUEST_REAUTH and the NDIS_802_11_AUTH_REQUEST_KEYUPDATE flags are mutually exclusive; that is, they cannot be set at the same time.

      Note The driver must not request BSSID pre-authentication if its authentication mode is set to Ndis802_11AuthModeWPA2. Instead, the driver requests BSSID pre-authentication through PMKID candidate list indications.

    • NDIS_802_11_AUTH_REQUEST_KEYUPDATE (0x02)
      When set, requests a pairwise key update. A miniport driver can request a key update only after the 802.1X authentication has completed and keys have been transferred to the driver through OID_802_11_ADD_KEY set operations. When this flag is set, the 802.1X supplicant initiates a key update by sending an EAPOL-Key message.

      Note The NDIS_802_11_AUTH_REQUEST_KEYUPDATE and NDIS_802_11_AUTH_REQUEST_REAUTH flags are mutually exclusive; that is, they cannot be set at the same time.

      If this bit is set, then the 802.1X supplicant sends an EAPOL-Key message with the Request subfield set, the Error subfield cleared, and the Key Type subfield set. For more information about the EAPOL-Key message, refer to section 8.5.2 of the IEEE 802.11i-2004 specification.

    • NDIS_802_11_AUTH_REQUEST_PAIRWISE_ERROR (0x06)
      When set, indicates that the device detected a data integrity error in the pairwise key for the BSSID. The device must discard any data packets that will be decrypted by using this pairwise key, except IEEE 802.1X EAPOL packets.

      If the NDIS_802_11_AUTH_REQUEST_PAIRWISE_ERROR bits are set, then the 802.1X supplicant sends an EAPOL-Key message with the Request subfield set, the Error subfield set, and the Key Type subfield set.

    • NDIS_802_11_AUTH_REQUEST_GROUP_ERROR (0x0E)
      When set, indicates that the device detected a data integrity error in one of the group keys for the BSSID. The device must delete all group keys for this BSSID before making this indication.

      If the NDIS_802_11_AUTH_REQUEST_GROUP_ERROR bits are set and NDIS_802_11_AUTH_REQUEST_REAUTH is not set, then the 802.1X supplicant sends an EAPOL-Key message with the Request subfield set, the Error subfield set, and the Key Type subfield cleared.

    Other bits in the Flags member must be set to 0.

If the device is associated and using TKIP as its encryption cipher, then the miniport driver must support TKIP countermeasures. Consequently, if the driver indicates two data integrity errors within 60 seconds, then it must do the following:

  • The driver must immediately stop sending non-802.1X EAPOL packets.

  • After the device has transmitted the next 802.1X EAPOL message after making the authentication indication, the device must disassociate. It must remain disassociated for 60 seconds.

When requesting pre-authentication, the miniport driver must do the following:

  • The driver orders BSSIDs in the list according to driver-determined preference. For example, the driver can list BSSIDs based on RSSI values.

    The most preferred BSSIDs must be first. The list can contain a maximum of five NDIS_802_11_AUTHENTICATION_REQUEST structures, one for each BSSID. The StatusBufferSize parameter of NdisMIndicateStatus must reflect the number of NDIS_802_11_AUTHENTICATION_REQUEST structures in the StatusBuffer parameter. The current associated BSSID must always be in the StatusBuffer, but may not be first if the list contains multiple BSSIDs.

  • The driver must incorporate some damping on the list of BSSIDs in the authentication indication. For example, the driver must not make authentication indications for BSSIDs that frequently move in and out of range. The driver must only request pre-authentication for BSSIDs when the device is evaluating whether to roam to another BSSID.

  • The driver must make the authentication indication if the device is preparing to roam, even if there are no other BSSIDs available. In this case, the driver includes in the list only the currently associated BSSID.

Send comments about this topic to Microsoft