Driver Requirements for WPA2 (Compact 2013)
3/26/2014
A driver for a Wi-Fi Protected Access 2 (WPA2) device must support the object identifiers (OIDs) and other specifications described in the following sections.
Driver Requirements for WPA2
A WPA2 device driver must support the following OIDs in the 802.11x protocol.
802.11x OIDs
A WPA2 driver must support:
- OID_802_11_ADD_KEY
- OID_802_11_REMOVE_KEY
- OID_802_11_ASSOCIATION_INFORMATION
- OID_802_11_TEST
- OID_802_11_CAPABILITY
- OID_802_11_PMKID
In addition, a driver that supports WPA2 must handle the following 802.11 OIDs as indicated:
- OID_802_11_AUTHENTICATION_MODE
  When this OID is queried or set, the driver must support authentication modes Ndis802_11AuthModeWPA2 and Ndis802_11AuthModeWPA2PSK for infrastructure networks.
  WPA2 authentication is not supported for temporary networks.
- OID_802_11_ENCRYPTION_STATUS
  When this OID is queried or set, the driver must support encryption mode Encryption3.
- OID_802_11_BSSID_LIST
  In response to a query of this OID, the driver must return the NDIS_802_11_BSSID_LIST_EX structure. In particular, the driver must return the Robust Secure Network (RSN) information element (IE) from the beacon or probe response. The RSN IE is needed by the 802.1x supplicant during the WPA2 authentication.
- OID_802_11_STATISTICS
  In response to a query of this OID, the driver must return Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES) statistics.
Other Requirements
A driver that supports WPA2 must also meet the following specifications:
- The driver must support the cipher suites for encryption mode Encryption3 (Wired Equivalent Privacy (WEP), TKIP, and AES). The device must be able to support different cipher suites for unicast and multicast/broadcast packets.
- The device must support Michael Message Integrity Checks (MIC) with TKIP. On detecting a Michael integrity check failure, the driver must make an authentication indication. The driver does this by calling NdisMIndicateStatus with the GeneralStatus parameter set to NDIS_STATUS_MEDIA_SPECIFIC_INDICATION and the StatusType parameter set to Ndis802_11StatusType_Authentication.
- The device must support TKIP countermeasures. For more information, see Receiving 802.11 Packets.
- The driver must support WPA2 pre-authentication. The driver must advertise this support when responding to a query of OID_802_11_CAPABILITY. WPA2 pre-authentication is only used for the Ndis802_11AuthModeWPA2 authentication mode.
  The driver must also support PMKID candidate list indications.
- 802.1x Extensible Authentication Protocol (EAP) packets are sent unencrypted until a pairwise key is installed.
- Non-802.1x EAP packets are not sent until a group key is installed.
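
The RSN IE that OID_802_11_BSSID_LIST must return tells the supplicant which group (multicast/broadcast) and pairwise (unicast) cipher suites, and which pre-authentication capability, an access point advertises. The bounds-checked parser below is an added example, not code from the original page or from Microsoft. The rsn_info struct, the function names and the sample bytes are hypothetical, and the field layout assumed is the IEEE 802.11 RSN element format.

```c
#include <stdint.h>
#include <string.h>

/* Parsed RSN IE fields; this struct and all names here are hypothetical. */
typedef struct {
    uint8_t  group;                /* multicast/broadcast suite: 2 = TKIP, 4 = CCMP (AES) */
    uint8_t  pairwise[4], akm[4];  /* unicast suites; AKM suites (1 = 802.1X, 2 = PSK) */
    unsigned n_pairwise, n_akm;
    int      preauth;              /* RSN capabilities bit 0: pre-authentication */
} rsn_info;

static const uint8_t RSN_OUI[3] = { 0x00, 0x0F, 0xAC };
/* Constructed sample: group TKIP, pairwise CCMP, AKM 802.1X, pre-auth bit set. */
static const uint8_t SAMPLE_IE[22] = {
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0F, 0xAC, 0x02, 0x01, 0x00, 0x00,
    0x0F, 0xAC, 0x04, 0x01, 0x00, 0x00, 0x0F, 0xAC, 0x01, 0x01, 0x00 };

/* Suite list: 2-byte LE count, then 4-byte selectors. Returns bytes used or -1. */
static int read_suites(const uint8_t *p, size_t left, uint8_t *out, unsigned *n)
{
    if (left < 2) return -1;
    size_t count = (size_t)p[0] | ((size_t)p[1] << 8);
    if (count == 0 || count > 4 || left < 2 + 4 * count) return -1;
    for (size_t i = 0; i < count; i++) {
        if (memcmp(p + 2 + 4 * i, RSN_OUI, 3) != 0) return -1; /* simplification: standard OUI only */
        out[i] = p[2 + 4 * i + 3];
    }
    *n = (unsigned)count;
    return (int)(2 + 4 * count);
}

/* Returns 0, or -1 if truncated or unsupported. Simplification: group, pairwise and AKM required. */
int parse_rsn_ie(const uint8_t *ie, size_t len, rsn_info *r)
{
    int used;
    memset(r, 0, sizeof *r);
    if (len < 2 || ie[0] != 48 || (size_t)ie[1] + 2 > len) return -1; /* element ID 48, length fits */
    const uint8_t *p = ie + 2;
    size_t left = ie[1];
    if (left < 6 || p[0] != 1 || p[1] != 0 || memcmp(p + 2, RSN_OUI, 3) != 0) return -1; /* version 1 */
    r->group = p[5];
    p += 6; left -= 6;
    if ((used = read_suites(p, left, r->pairwise, &r->n_pairwise)) < 0) return -1;
    p += used; left -= (size_t)used;
    if ((used = read_suites(p, left, r->akm, &r->n_akm)) < 0) return -1;
    p += used; left -= (size_t)used;
    if (left >= 2) r->preauth = p[0] & 0x01;   /* capabilities field is optional */
    return 0;
}
```

Every length read from the frame is checked against the bytes remaining before it is used, since beacon and probe response contents are supplied by whatever is transmitting nearby.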