In 802.11 standards, the connection procedure includes three major steps that shall be performed to make the device part of the Wi-Fi network and communicate in the network. Those three steps are device discovery (scanning), device authentication (checking compatibility-capability etc. before connection) and then finally establishment of connection (Association). Going forward, this post provides details for each step. The message exchange in connection procedure is shown below.

 

Figure 1. Connection Process in open system

 

Figure 2. Messages exchange in Connection Process

 

Figure 2 shows Wi-Fi sniffer log for messages exchange procedure between Client and AP device at the time of connection, here Client device is Xiaomi and AP is Marvell device.

 

Connection Setup Process

1. Scanning

To join any network first client or station needs to find it the network. In the wired network, just plugging the cable or jack will find the network. In the wireless world, this requires identification of the compatible network before joining process can begin. This identification process of the network is referred as scanning.
Several parameters are needed in the scanning process. These parameters are BSSType, BSSID, channel list, scantype, MinChannelTime and MaxChannelTime. The parameters are set as default depending upon manufacturer Wi-Fi driver, but it can be modified by the user i.e. if the requirement is for hidden network then we can set scantype parameter as passive scan because the active scan is not useful for the hidden network (networks that do not broadcast their SSID).
There are two scanning methods, passive scanning and active scanning.
By default, radios perform both the types of scanning on all the channels allowed by the country of operation.  While both the types of scanning are available by default, active scanning is performed only by those channels that are allowed to transmit by regional government regulations. Channels that are not authorized for unlicensed use are excluded from active scanning.

• Passive scan: In Passive Scanning, WLAN station moves to each channel as per the channel list and waits for beacon frames. Beacon frames are used by the access points (and stations in an IBSS) to communicate or to announce themselves.
  The access point tries to send the beacon at defined interval that is called Target Beacon Transmission Time (TBTT)
  Nevertheless, access points are just like the any wireless device in the cell. They cannot send if the network is busy. When the time comes for an AP to send a beacon & the network is busy, the AP will delay its beacon transmission until it can gain access to the media.
  In 802.11, network is busy or not can be checked using CSMA/CA protocol. In CSMA/CA when a frame is ready, the transmitting device checks whether the channel is idle or busy to avoid the collision. If the channel is busy the transmitting device will wait for random duration and check again whether the channel is idle or not. If channel is idle it will send the frame. The Beacon frame structure is as shown below.

 

Figure 3. Beacon Frame

 

Description of mandatory field of a Beacon Frame.

1. Timestamp: After receiving the beacon frame, all the stations update their local clocks with this timestamp. This helps with synchronization.
2. Beacon Interval: Represents the number of Time Units (TUs) between Target Beacon Transmission Times (TBTT). Default value is 100TU (102.4 milliseconds).
3. Capability information: It contains information about capability of the device/network
4. SSID: It contains Service set ID of the network.
5. Supported rates: This field contains information of supported data rates by the access point.

Notice that this information is not only used by potential clients during passive scanning but also by clients that are already associated to the BSS.

A passive scan generally takes more time, since the client must listen and wait for a beacon versus actively probing to find an AP. Another limitation with a passive scan is that if the client does not wait long enough on a channel, then the client may miss an AP beacon.

 

• Active scan: Discovering the network by scanning all possible channels and listening to beacons is not considered to be very efficient. To enhance this discovery process, stations often use what is called active scanning.

In the active scanning mode, stations still go through each channel in turn, but instead of passively listening to the signals from AP, stations send a probe request management frame aimed at asking what network is available on this channel. If any AP or active station in an IBSS is presenting that frequency, they should answer with the probe response frame.

 

Figure 4. Scanning Methods

 

Once the probe request is sent by the emitting station, it starts a Probe Timer countdown and waits for answers. This Probe Timer value is usually a lot shorter than a beacon interval. Common values are in the 10-millisecond range. At the end of the timer, the station processes the answers it has received. If no answer was received, the station moves to the next channel (on different frequency) and repeats the same discovery process.

The purpose of a probe request is typically to discover APs and their supported networks (SSIDs and/or BSSIDs).

 

Figure 5. Probe Request/Response Frame

 

This frame contains mainly two fields, the SSID and the rates supported by the mobile station. Stations that receive Probe Request use the information to determine whether the requesting station can join the network.
The Probe Response frame fields are very similar to Beacon frame fields that enable mobile stations to match parameters and join the network.

 

2. Authentication

After having performed a network discovery through the probe request/probe response exchange or by listening to beacons, a station wanting to join a network goes through an authentication process, exchanging authentication frames with the access point. On reception of the authentication frame, AP sends acknowledgement and then Authentication Response.

The initial purpose of the ‘authentication’ frames to validate the device type, in other words, verify that the requesting station has proper 802.11 capabilities to join the network.
Open system authentication: Information related to capabilities are exchanged between station and AP using Authentication Request. If request is accepted, AP sends “success” in Authentication Response.

Shared key authentication: IEEE 802.11-1997 standard included a WEP shared key exchange authentication mechanism Called “Shared Key”. This shared key exchange adds two more frames to the default Open System authentication, resulting in a four-frame exchange. This latter method is called Shared Key authentication, requires the use of WEP encryption, and is not widely used (and not recommended) today.
First phase of authentication is described above but when WPA or WPA2 is used then second phase of authentication (i.e. 4-way handshaking process) takes place after the device gets associated.

The details regarding Open System authentication and Shared-Key authentication is available in 802.11 security post <Link TBD>.

 

Figure 6. Authentication frame

 

As shown above, the Authentication Frame consist of the following fields.

1. Authentication Algorithm Number: 0 for Open System & 1 for Shared Key.
2. Authentication Transaction Sequence Number: Indicate current state of progress.
3. Status Code: 0 for Success & 1for Unspecified failures.
4. Challenge Text: Used in Shared Key Authentication frame.

 

3. Association

If the 802.11 authentication phase completes with a Success result, the station moves to the Association phase. The purpose of this exchange is for the station to join the network and obtain an Association ID [AID].

• Association request: The first frame sent in the association phase is from the requesting station to the AP (or a station in an IBSS). This frame is the association request frame and the response of this frame is association response frame.
  Association request is unicast management frame and is always acknowledged.

 

Figure 7. Association Request

 

• Association response: Once the Association request is acknowledged, the AP examine each field of the request & verify they all match its own 802.11 parameters (refer Figure 6). In case of parameter mismatch, AP checks whether the difference is a blocking or not and based on that AP sends authentication response.
  -    If the parameter difference is blocking, then response with status code 1 will be sent (to reject the association).
  -    In case of non-blocking difference/No difference in the parameters, response with status code 0(success) and AP’s own parameters will be sent to the requesting station. Station must be compatible with the AP’s capability otherwise it will drop the association process and start looking for another AP.

 

Figure 8. Association Response

 

Connection Teardown

• Disassociation: Once a station is associated to an AP, either side can terminate the association at any time by sending a disassociation frame.
  • A station can send Disassociation frame before leaving the current network to roam/join another AP.
  • An AP can send this frame in multiple cases like, if the station tries to use invalid parameters, AP itself under configuration change, hackers attack, etc.

The disassociation frame (DA) can be the unicast MAC address of the station to disassociate or a broadcast address if the AP needs to disassociate all the stations in its network. In case of unicast frame, the frame will get acknowledge by receiving station and the broadcast frames are not acknowledged.

 

Figure 9. Disassociation Frame

The Disassociation frame is quite small. It contains only one field “Reason code”.

A disassociated station is still authenticated. It can try to re-associate by sending a new Association request frame, keeping its authenticated status. A station roaming to another cell may also choose to use a disassociation frame, to be able to keep its authenticated status and accelerate the process when roaming back to the same cell before its authentication timeout expires.

 

Figure 10. Disassociation Frame Exchange

 

This frame is also used when parameters change and the station or the AP needs to renegotiate the communications parameters.

 

• De-authentication: The station or AP can also send a de-authentication frame. This frame is used when all communications are terminated, for example, because the AP has to reboot or because the station stops its Wi-Fi communications.
  It is also used when a frame is received before authentication has completed. For example, a station trying to send an association request or a data frame before having performed the authentication sequence then station will receive a Deauthentication frame from the AP, indicating that authentication must be performed first. The frame format is same as disassociation frame.

 

Figure 11. Deauthentication Frame Exchange

 

Roaming

Roaming, in the context of an 802.11 wireless network, is the process of a client moving an established Wi-Fi network association from one access point to another access point within the same Extended Service Set (ESS) without losing connection (e.g. within a defined time interval, usually in the range of a few seconds). The roaming time should be smaller for the better performance.

In the roaming process, the mobile device will send the disassociation frame to the previously associated Access Point (AP), and will start re-association process by exchanging 802.11 frames with another access point to which the device wants to connect. The client device scans the another AP then exchange authentication frames after that it will send re-association request, here instead of association re-association request is used and the first 2 steps of connection process remains the same.

 

Figure 12. Message Exchange in Roaming Process

 

 
Figure 13. Roaming representation

 

Wi-Fi APIs used in Connection and Disconnection process

Table below shows some of the available APIs in NXP i.MX RT SDK for connection and disconnection process.

 

Table 1. APIs Available in SDK

API	Description	Can be called from
wifi_send_scan_cmd	Used for scanning the available network. It supports only single SSID based scan. We can extend this to a list of multiple SSIDs.	Station and AP
wlan_add_network	Add specific network profile to the list of known networks.	Station and AP
wlan_remove_network	Remove specific network profile from the list of known networks.	Station and AP
wlan_connect	Connect with specific network (AP).	Station
wlan_disconnect	Disconnect the station from network (AP).	Station
wlan_start_network	Start specific network.	AP
wlan_stop_network	Stop specific network.	AP

 

For more details on such APIs refer the document “MCUXpresso_SDK_WLAN_Driver_Reference_Manual.pdf” available at location <SDK Documentation>/docs/wifi.