{"id":5738,"date":"2025-11-02T18:23:39","date_gmt":"2025-11-02T17:23:39","guid":{"rendered":"https:\/\/cyber-fi.net\/?p=5738"},"modified":"2025-11-02T18:23:40","modified_gmt":"2025-11-02T17:23:40","slug":"analysis-of-a-fast-roam","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2025\/11\/02\/analysis-of-a-fast-roam\/","title":{"rendered":"Analysis of a Fast Roam"},"content":{"rendered":"\n<p>This year, I was able to present at WLAN Klassentreffen (in German) and the Wireless LAN Professionals Conference (in English) on the Topic <em>Fast BSS Transition<\/em>, IEEE 802.11r.<\/p>\n\n\n\n<p>If you want to look at the references in the 802.11 standard, it&#8217;s all based on the 2020 version.<\/p>\n\n\n\n<p>This is the recorded WLPC-Video:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Analysis of a Fast Roam | Karsten Iwen | WLPC Prague 2025\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/_4u_KdfN6mk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>And here is the slide deck for the presentation:<\/p>\n\n\n\n<div data-wp-interactive=\"core\/file\" class=\"wp-block-file\"><object data-wp-bind--hidden=\"!state.hasPdfPreview\" hidden class=\"wp-block-file__embed\" data=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/10\/FastBSSTransition-WLPC-EU-2025.pdf\" type=\"application\/pdf\" style=\"width:100%;height:600px\" aria-label=\"Embed of FastBSSTransition-WLPC-EU-2025.\"><\/object><a id=\"wp-block-file--media-dda88d79-cf43-417b-aeae-cffd91126ffa\" 
href=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/10\/FastBSSTransition-WLPC-EU-2025.pdf\">FastBSSTransition-WLPC-EU-2025<\/a><a href=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/10\/FastBSSTransition-WLPC-EU-2025.pdf\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-dda88d79-cf43-417b-aeae-cffd91126ffa\">Download<\/a><\/div>\n\n\n\n<p>This is the PCAP that I used in the presentation: <\/p>\n\n\n\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-da2ac0ae-30f9-4767-b4e1-77f3a04e7c43\" href=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/10\/Pixel-11r-Meraki9166.pcapng.zip\">Pixel-11r-Meraki9166.pcapng<\/a><a href=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/10\/Pixel-11r-Meraki9166.pcapng.zip\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-da2ac0ae-30f9-4767-b4e1-77f3a04e7c43\">Download<\/a><\/div>\n\n\n\n<p>And YouTube &#8230; Why do you want to hurt my feelings with your transcription?<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"862\" height=\"160\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/10\/CleanShot-2025-11-01-at-00.52.50@2x.jpg\" alt=\"\" class=\"wp-image-5752\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/10\/CleanShot-2025-11-01-at-00.52.50@2x.jpg 862w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/10\/CleanShot-2025-11-01-at-00.52.50@2x-300x56.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/10\/CleanShot-2025-11-01-at-00.52.50@2x-768x143.jpg 768w\" sizes=\"auto, (max-width: 862px) 100vw, 862px\" \/><figcaption class=\"wp-element-caption\">Screenshot<\/figcaption><\/figure>\n<\/div>\n\n\n<p>Here is some additional information on the WLPC video:<\/p>\n\n\n\n<p><strong>8:15<br><\/strong>It is very important for this frame-by-frame analysis that in Meraki networks we do not have a controller. 
The AP that our client connects to initially is the first Authenticator that talks to the RADIUS server and becomes the R0KH. On my <s>Juniper Mist<\/s> HPE Juniper networking APs, I observed the same behaviour.<\/p>\n\n\n\n<p><strong>8:20<br><\/strong>I say &#8220;Initial Mobility Domain Connection&#8221;, but the correct term is &#8220;Initial Mobility Domain Association&#8221;.<\/p>\n\n\n\n<p><strong>9:40<\/strong><br>I forgot to reference the standard in the presentation: <em>13.2.2 Authenticator key holders<\/em><\/p>\n\n\n\n<p><strong>10:20<br><\/strong>EAP-TLS 1.3 is defined in RFC 9190: <a href=\"https:\/\/datatracker.ietf.org\/doc\/rfc9190\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/datatracker.ietf.org\/doc\/rfc9190\/<\/a><\/p>\n\n\n\n<p><strong>10:57<\/strong><br>I didn&#8217;t mention it, but this is also true for cached PMK-R1 and derived PTKSAs.<\/p>\n\n\n\n<p><strong>11:23<br><\/strong>I accidentally said R1KH instead of R0KH for the calculation of the PMK-R0.<\/p>\n\n\n\n<p><strong>11:45<br><\/strong>Yes, it was AKM 22.<br><em>Table 9-190\u2014AKM suite selectors<\/em> in <em>IEEE 802.11-<strong>2024<\/strong><\/em><br>AKM 23 is the corresponding non-FT AKM.<\/p>\n\n\n\n<p><strong>13:10<br><\/strong>These checks are defined in &#8220;<em>13.5.2 Over-the-air FT protocol authentication in an RSN<\/em>&#8221;. Additionally, they are mentioned in &#8220;<em>13.7.1 FT reassociation in an RSN<\/em>&#8221; for the reception of the reassociation request frame.<\/p>\n\n\n\n<p>I still have no idea how the target AP can know which cipher suite was used in the &#8220;Initial mobility domain association&#8221;. 
If anyone has a hint, I am eager to know!<\/p>\n\n\n\n<p><strong>14:21<br><\/strong>The calculation of the PMKR0Name is defined in &#8220;<em>12.7.1.6.3 PMK-R0<\/em>&#8221;; the calculation of PMKR1Name is defined in &#8220;<em>12.7.1.6.4 PMK-R1<\/em>&#8221;.<\/p>\n\n\n\n<p><strong>16:36<br><\/strong>Why did I mention that the client goes to State 1 for the previous AP?<br>In a non-FT reassociation, the client can stay in State 2 with the previous AP. But in Fast BSS Transition, the Authentication frames are always needed.<\/p>\n\n\n\n<p><strong>17:20<\/strong><br>Yes, do it! \ud83d\ude09<\/p>\n\n\n\n<p><strong>17:40<br><\/strong>Just in case you think &#8220;What? How should that work?&#8221; You can find all the details in this WLPC TenTalk:<br><a href=\"https:\/\/youtu.be\/5jquMBdxnUU?si=JARjOl7gggi9YDmH\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/youtu.be\/5jquMBdxnUU?si=JARjOl7gggi9YDmH<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Have fun, and don&#8217;t forget to enable Fast BSS Transition (at least on your Enterprise SSID)!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This year, I was able to present at WLAN Klassentreffen (in German) and the Wireless LAN Professionals Conference (in English) on the Topic Fast BSS Transition, IEEE 802.11r. If you want to look at the references in the 802.11 standard, it&#8217;s all based on the 2020 version. 
This is the recorded WLPC-Video: And here is <\/p>\n<div class=\"read-more-text\"><a href=\"https:\/\/cyber-fi.net\/index.php\/2025\/11\/02\/analysis-of-a-fast-roam\/\" class=\"read-more\">continue reading<\/a><\/div>\n","protected":false},"author":2,"featured_media":5740,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[717],"tags":[757,748,715],"class_list":["post-5738","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wireless","tag-802-11r","tag-wlan-klassentreffen","tag-wlpc"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5738","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=5738"}],"version-history":[{"count":6,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5738\/revisions"}],"predecessor-version":[{"id":5755,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5738\/revisions\/5755"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media\/5740"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=5738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=5738"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-jso
n\/wp\/v2\/tags?post=5738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}