1
00:00:00,120 --> 00:00:01,020
In this lesson,

2
00:00:01,020 --> 00:00:03,060
we're going to discuss disassociation issues

3
00:00:03,060 --> 00:00:04,740
within our wireless networks.

4
00:00:04,740 --> 00:00:05,820
There's a lot of reasons

5
00:00:05,820 --> 00:00:07,410
that a client would be disassociated from a

6
00:00:07,410 --> 00:00:08,760
wireless access point.

7
00:00:08,760 --> 00:00:11,490
This includes an idle timeout, a session timeout,

8
00:00:11,490 --> 00:00:14,070
wireless network changes, manual deletion,

9
00:00:14,070 --> 00:00:17,430
authentication timeouts, or access point radio resets.

10
00:00:17,430 --> 00:00:20,070
Now, a client dissociation due to an idle timeout

11
00:00:20,070 --> 00:00:22,470
is going to occur whenever a wireless client doesn't send

12
00:00:22,470 --> 00:00:24,990
or receive traffic within 300 seconds,

13
00:00:24,990 --> 00:00:26,430
which is five minutes.

14
00:00:26,430 --> 00:00:29,130
This is the default setting on most wireless access points,

15
00:00:29,130 --> 00:00:31,080
and it's used to free up the network for other clients

16
00:00:31,080 --> 00:00:31,980
to join.

17
00:00:31,980 --> 00:00:33,270
To prevent this from occurring,

18
00:00:33,270 --> 00:00:35,640
some wireless client implementations will send out a

19
00:00:35,640 --> 00:00:37,770
keep-alive packet every few minutes

20
00:00:37,770 --> 00:00:39,240
so they can remain connected the entire

21
00:00:39,240 --> 00:00:40,950
time to that wireless network.

22
00:00:40,950 --> 00:00:42,990
Now, a client association can also occur due

23
00:00:42,990 --> 00:00:44,940
to a session timeout, and this will happen

24
00:00:44,940 --> 00:00:46,860
after 1800 seconds.

25
00:00:46,860 --> 00:00:49,440
At this point, the wireless client should reconduct an

26
00:00:49,440 --> 00:00:51,450
authentication again and reestablish their

27
00:00:51,450 --> 00:00:52,950
connection automatically.

28
00:00:52,950 --> 00:00:54,150
This, again, is something that's handled

29
00:00:54,150 --> 00:00:56,820
by your wireless client automatically on your behalf in

30
00:00:56,820 --> 00:00:59,310
coordination with the wireless access point.

31
00:00:59,310 --> 00:01:01,650
Next, we have client associations that occur due

32
00:01:01,650 --> 00:01:03,810
to wireless network changes, and this occurs

33
00:01:03,810 --> 00:01:06,510
whenever the wireless local area network is being changed,

34
00:01:06,510 --> 00:01:09,270
and this change causes the wireless network to be disabled

35
00:01:09,270 --> 00:01:11,040
and then re-enable itself.

36
00:01:11,040 --> 00:01:13,620
For example, if you're going to change the shared passphrase

37
00:01:13,620 --> 00:01:16,110
that secures the network, it's going to reboot the wireless

38
00:01:16,110 --> 00:01:17,790
network and force every device

39
00:01:17,790 --> 00:01:19,770
to reconnect and re-authenticate.

40
00:01:19,770 --> 00:01:20,910
This makes a lot of sense

41
00:01:20,910 --> 00:01:22,170
because we want to make sure they all have the

42
00:01:22,170 --> 00:01:23,880
right password again, right?

43
00:01:23,880 --> 00:01:26,220
Another client association we can have is caused

44
00:01:26,220 --> 00:01:28,140
by manual deletion, and this occurs

45
00:01:28,140 --> 00:01:30,780
whenever a wireless client is removed by an administrator.

46
00:01:30,780 --> 00:01:33,210
This makes sense because if I kick your client off my

47
00:01:33,210 --> 00:01:35,310
network, that means I want you to be dissociated

48
00:01:35,310 --> 00:01:38,430
and removed, and then you'd have to reconnect again.

49
00:01:38,430 --> 00:01:41,010
Now, another way that client associations occur is due

50
00:01:41,010 --> 00:01:43,230
to authentication timeouts, and this occurs

51
00:01:43,230 --> 00:01:45,690
whenever the authentication or key exchange process

52
00:01:45,690 --> 00:01:47,610
fails to finish in a given time.

53
00:01:47,610 --> 00:01:50,160
When this occurs, the wireless client is disassociated from

54
00:01:50,160 --> 00:01:51,300
the access point and needs

55
00:01:51,300 --> 00:01:54,120
to restart the authentication process all over again

56
00:01:54,120 --> 00:01:55,920
to regain access.

57
00:01:55,920 --> 00:01:58,500
Another time you'll find client associations occurring is

58
00:01:58,500 --> 00:02:00,630
when your access point radio is reset.

59
00:02:00,630 --> 00:02:02,280
And this is similar to the change that we made

60
00:02:02,280 --> 00:02:03,690
with the wireless network.

61
00:02:03,690 --> 00:02:05,700
All of our clients are going to be disassociated,

62
00:02:05,700 --> 00:02:07,650
the radio's going to be turned off and turned on

63
00:02:07,650 --> 00:02:10,259
to cause that reset, and then the clients can begin their

64
00:02:10,259 --> 00:02:12,300
association process once more.

65
00:02:12,300 --> 00:02:13,530
Now, why is it important

66
00:02:13,530 --> 00:02:16,680
to understand all these times when disassociation happens?

67
00:02:16,680 --> 00:02:19,500
Well, because sometimes your clients can be disassociated

68
00:02:19,500 --> 00:02:21,300
as part of a de-authentication attack,

69
00:02:21,300 --> 00:02:23,790
and not for one of these real legitimate reasons.

70
00:02:23,790 --> 00:02:26,490
This is a common wireless attack that is used by hackers

71
00:02:26,490 --> 00:02:28,590
to disassociate your wireless clients

72
00:02:28,590 --> 00:02:31,080
and make them attempt to reconnect to the access point.

73
00:02:31,080 --> 00:02:33,330
Now, when this occurs, the attacker is going to attempt

74
00:02:33,330 --> 00:02:35,460
to capture the packets used in the association

75
00:02:35,460 --> 00:02:36,990
and authentication processes,

76
00:02:36,990 --> 00:02:39,660
and then they'll try to crack that shared passphrase

77
00:02:39,660 --> 00:02:42,000
to gain access to the network indefinitely.

78
00:02:42,000 --> 00:02:43,530
So if you see a client

79
00:02:43,530 --> 00:02:45,480
that's continually being de-authenticated,

80
00:02:45,480 --> 00:02:47,310
you need to check your wireless gateways

81
00:02:47,310 --> 00:02:48,690
and your wireless controller logs

82
00:02:48,690 --> 00:02:50,310
to determine the root cause.

83
00:02:50,310 --> 00:02:52,380
It could be one of the ones I just mentioned above,

84
00:02:52,380 --> 00:02:54,570
and all of those are normal and expected,

85
00:02:54,570 --> 00:02:56,550
but if it's not one of those, it could be caused

86
00:02:56,550 --> 00:02:58,080
by an attacker, and that's something you need

87
00:02:58,080 --> 00:02:59,253
to investigate further.

