Working in a large healthcare organization presents a wide array of client issues. One issue that has been a challenge for my team has been trying to figure out exactly what the capabilities of problematic clients are. This turned out to be very challenging for us. It typically involved asking the vendor for documentation on their products and hoping it gave us exact wireless capabilities. Furthermore, those capabilities could change depending on the firmware/driver versions of the NIC. We are able to look up certain client capabilities on Mike Albano’s (@mike_albano) site, clients.mikealbano.com, but we have many more clients than are listed on his site.
If you would like to contribute but don’t want to expose any kind of sensitive data, Mike also has a randomizer (randomizer.mikealbano.com) that takes your pcap and randomizes the client MAC address, ESSID, and BSSID information found inside it. I hope to start contributing randomized pcaps as I come across them.
Anyways, let’s look at how to find a client’s capabilities ourselves.
| Does the client support: | Tag Location |
|---|---|
| Data Rates | Tag: Supported Rates |
| Tx Power Min/Max | Tag: Power Capability |
| Channels | Tag: Supported Channels |
| Security Information | Tag: RSN Information |
| 802.11k (Neighbor Report) | Tag: RM Capabilities |
| 802.11r (FT) | Tag: RSN Information & Mobility Domain |
| 802.11v (WNM/BSS) | Tag: Extended Capabilities |
| 802.11n | Tag: HT Capabilities |
| 802.11ac | Tag: VHT Capabilities |
| 802.11ax | Tag: HE Capabilities |
Nearly all of the info you can hope to find about a particular client can be found in the Association Request frame from the client to the AP. Under IEEE 802.11 Wireless Management, expand the Tagged Parameters information element (IE).
Some of the Tagged Parameters of note here are:
- Supported Data Rates
- Power Capabilities
- Supported Channels
- RSN Information
- RM Capabilities
- Mobility Domain
- HT Capabilities
- Extended Capabilities
- VHT Capabilities
- HE Capabilities
- Operating Mode Notification
- Vendor Specific Tags
Below we will take a look at each of these to see what kind of client capability info we can pull out of them.
Supported Data Rates
Under the Supported Rates tag, the client is telling the AP the data rates it is capable of. NOTE: this is not an exhaustive list. The client will only include the data rates it supports based on the data rates the AP is advertising for a particular BSSID in the beacon frames. The client may support other data rates that are not advertised in the beacon frame, but will only respond with data rates that match.
If you see a data rate with a (B) after it, that means those rates are set as the mandatory data rates in the WLC. The client HAS to support the rates marked (B) in order to connect to the BSSID; the other rates are optional.
Knowing your clients’ Tx capabilities is extremely important. Tx power mismatch can lead to stranded clients and excessive retries, needlessly congesting your precious airtime. This happens when the client is able to hear the incoming frames from the AP, but the AP isn’t able to receive the ACKs from the client. That AP then thinks its frames were not received and sends a retry.
Client min and max Tx power can be found in the Power Capability IE.
For more info on client to AP power mismatches, check out CWNA-107 Chapter 15 “WLAN Troubleshooting.”
I can’t count the number of times my team has troubleshot client issues just to find out the client was configured for just a subset of the 5GHz channels. This typically involves hours of data gathering and troubleshooting before the wireless engineers are able to start noticing the client may not be scanning all the wifi channels around them, leading to perceived dead spots in the wifi coverage. If you know your environment’s channel plan, a quick look at the Supported Channels IE could save you a lot of troubleshooting time.
FULL DISCLOSURE! I’m not 100% sure this is how the process works. I *think* this is covered in the CWSP, which I will be studying after the CWAP. If I got it totally wrong, PLEASE let me know so I can learn.
I believe the information that is provided by the client in the RSN Information IE was chosen based on what the client saw in the AP broadcast (or beacon) frames. The broadcast frames contain the different security types that a certain BSSID supports. It’s not until the sub-IE RSN Capabilities where the client outlines the different security methods it’s capable of.
In the AKM Suite Selector, you can also see if this client is capable of 802.11r (Fast BSS Transition or FT).
RM (Radio measurement) Enabled Capabilities
802.11k (Neighbor Report) lives in the RM Capabilities. I’m not going to go into detail on this. Instead, here’s a link to Rasika’s 802.11k blog post.
Besides the RSN IE, the Mobility Domain IE will show us if the client is capable of 802.11r (Fast BSS Transition or FT). In this IE, we can see there is a Mobility Domain Identifier as well as a Fast BSS Transition over DS.
The Mobility Domain Identifier identifies the WLC Mobility Domain to share the FT keys with. All APs with the same Mobility Domain Identifier (designated by the WLC) will have the FT keys shared with them. A Fast BSS Transition over DS value of 0x0 indicates FT over the DS, while a value of 0x1 indicates FT over the air.
802.11n (HT) brought a slew of new capabilities to wifi: OFDM, MIMO, power save, channel aggregation, frame aggregation, and so on. All of those capabilities introduced in 802.11n are found in the HT Capabilities Info IE.
802.11ac (VHT) brought another chunk of upgrades with it over 802.11n. Most notably, 80/160MHz channels, MU-MIMO, more Spatial Streams (up to 8), Beamforming, higher modulation rates (256-QAM), and higher MCS indices (8 & 9). All of a client’s 802.11ac support can be found in the VHT Capabilities Info IE. If this is not present in your client association request, it means your client isn’t 802.11ac capable.
More honesty here. Only very recently has my organization started getting 802.11ax capable devices. I’m not super familiar with everything that came along with 802.11ax, but based on the HE Capabilities IE, it’s a TON of new stuff. I’m not going to try and do a recap of Wifi6 here, just know that all the client capabilities will be under the HE Capabilities IE. If this is not present in your client association request, it means your client isn’t 802.11ax capable.
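To pull the same capability info out of an Association Request without clicking through Wireshark, here is an added example (my own code, not from the original post or from any vendor tool) that walks the tagged parameters covered above: the Supported Rates with their (B) basic-rate flag, Power Capability min/max, Supported Channels, the RSN AKM suites and Mobility Domain for 802.11r, and the presence of the HT/VHT/HE elements. The frame body is a constructed sample, not a real capture, and the element IDs used are the standard IEEE 802.11 ones.

```python
import struct

def iter_elements(body):
    pos = 4  # skip the fixed fields: Capability Info (2 bytes) and Listen Interval (2 bytes)
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:
            raise ValueError("truncated element %d at offset %d" % (eid, pos))
        pos += 2 + length
        # Element ID 255 is the Element ID Extension: the first data byte is the extension ID (35 = HE Capabilities)
        yield (eid, data[0], data[1:]) if eid == 255 and data else (eid, None, data)

def parse_assoc_request(body):
    caps = {"rates_mbps": [], "basic_rates_mbps": [], "channels": [], "akm_suites": [], "tx_power_dbm": None,
            "mobility_domain": None, "ht": False, "vht": False, "he": False, "ft": False}
    for eid, ext, data in iter_elements(body):
        if eid in (1, 50):      # (Extended) Supported Rates: bit 7 marks a basic (B) rate, low 7 bits = 500 kbps units
            caps["rates_mbps"] += [(b & 0x7F) / 2 for b in data]
            caps["basic_rates_mbps"] += [(b & 0x7F) / 2 for b in data if b & 0x80]
        elif eid == 33:         # Power Capability: min and max Tx power as signed dBm bytes
            caps["tx_power_dbm"] = tuple(int.from_bytes(data[i:i + 1], "big", signed=True) for i in (0, 1))
        elif eid == 36:         # Supported Channels: (first channel, count) pairs; 5 GHz channels are numbered 4 apart
            for first, count in zip(data[0::2], data[1::2]):
                caps["channels"] += [first + (1 if first <= 14 else 4) * i for i in range(count)]
        elif eid == 48:         # RSN: version, group cipher, pairwise suite list, then the AKM suite list
            akm_off = 8 + 4 * struct.unpack_from("<H", data, 6)[0]
            for i in range(struct.unpack_from("<H", data, akm_off)[0]):
                caps["akm_suites"].append(data[akm_off + 5 + 4 * i])   # suite type byte following OUI 00-0F-AC
            caps["ft"] |= bool({3, 4, 9} & set(caps["akm_suites"]))   # FT-802.1X, FT-PSK, FT-SAE imply 802.11r
        elif eid == 54:         # Mobility Domain: MDID + FT Capability and Policy (bit 0 = "Fast BSS Transition over DS")
            caps["mobility_domain"] = {"mdid": struct.unpack_from("<H", data)[0], "ft_over_ds": bool(data[2] & 1)}
            caps["ft"] = True
        elif eid in (45, 191):  # HT Capabilities present -> 802.11n, VHT Capabilities present -> 802.11ac
            caps["ht" if eid == 45 else "vht"] = True
        elif eid == 255 and ext == 35:   # HE Capabilities present -> 802.11ax
            caps["he"] = True
    return caps

def unsupported_channels(caps, channel_plan):
    return sorted(set(channel_plan) - set(caps["channels"]))   # plan channels the client did not list

# Constructed sample Association Request body (not from a real capture): fixed fields, then tagged parameters.
SAMPLE_BODY = bytes.fromhex(
    "3104 0a00 01 08 8c 12 98 24 b0 48 60 6c"  # Capability Info, Listen Interval; Supported Rates 6(B) 9 12(B) 18 24(B) 36 48 54
    "21 02 fd 0f"                      # Power Capability: min -3 dBm, max 15 dBm
    "24 04 24 04 95 05"                # Supported Channels: 36-48 and 149-165 only (no DFS channels)
    "30 18 0100 000fac04 0100 000fac04 0200 000fac01 000fac03 0000"  # RSN: CCMP, AKM 802.1X + FT-802.1X
    "36 03 3412 01"                    # Mobility Domain: MDID 0x1234, FT-over-DS flag set
    "2d 1a" + "00" * 26 + "bf 0c" + "00" * 12)   # HT and VHT Capabilities (zeroed); no HE element -> not 802.11ax
```

Feed `parse_assoc_request` the frame body of a real Association Request (the bytes after the 802.11 header) and compare `unsupported_channels` against your channel plan to spot the subset-of-5GHz-channels problem described above.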
For a better understanding of Wifi6, check out this post by ExtremeNetworks
I’m sure there are more I’ve missed, so if I have left anything out or need to revise any of this, please let me know. I’m doing this to both help reinforce my CWAP studies and to hopefully help others absorb this information.