4.5.4.3 Deauthentication
reference – 802.11-2016 – page 223
The deauthentication service is invoked when an existing Open System, Shared Key, or SAE authentication is to be terminated. Deauthentication is an SS. In an ESS, because authentication is a prerequisite for association, the act of deauthentication causes the STA to be disassociated. The deauthentication service can be invoked by either authenticated party (non-AP STA or AP). Deauthentication is not a request; it is a notification. The association at the transmitting STA is terminated when the STA sends a deauthentication notice to an associated STA.
Deauthentication, and if associated, disassociation cannot be refused by the receiving STA except when management frame protection is negotiated and the message integrity check fails.
In an RSN ESS, Open System IEEE 802.11 authentication is required. In an RSN ESS, deauthentication results in termination of any association for the deauthenticated STA. It also results in the IEEE 802.1X Controlled Port for that STA being disabled and deletes the pairwise transient key security association (PTKSA). The deauthentication notification is provided to IEEE Std 802.1X-2010 via the MAC layer.
Deauth Frame
When troubleshooting deauth issues, it is important to look at the reason code. The reason code is an indicator of a possible issue. In the capture above, Kali Linux was used to generate a deauth attack targeting a single client. Deauth attacks can be considered a denial-of-service (DoS) attack and can be mitigated using management frame protection. A summary of MFP can be found here and here…
An attack can be carried out targeting a single host or the entire cell. The capture below shows the difference.
Target a single client
Target the entire cell
An attacker can use a deauth attack to gather the EAPOL 4-way handshake, which can be used offline in an attempt to obtain a “weak” preshared key.
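
To triage captured deauthentication frames along the lines described above (reason code, single client versus entire cell, protected or not), the following Python parser is an added example and not part of the original post. It assumes raw 802.11 MAC frames without a radiotap header or FCS; the sample frames and MAC addresses are constructed, and the reason-code table is a subset with abbreviated wording.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Subset of the 802.11 reason codes (wording abbreviated).
REASONS = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Sending STA is leaving (or has left) IBSS or ESS",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return a dict for a deauthentication frame, None for anything else."""
    if len(frame) < 26:              # 24-byte header + 2-byte reason code
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 12:   # management / deauth
        return None
    protected = bool(fc & 0x4000)    # Protected Frame bit: body is encrypted
    da, sa, bssid = (mac(frame[i:i + 6]) for i in (4, 10, 16))
    reason = None if protected else struct.unpack_from("<H", frame, 24)[0]
    return {
        "da": da, "sa": sa, "bssid": bssid, "protected": protected,
        "scope": "entire cell" if da == BROADCAST else "single client",
        "reason": reason,
        "reason_text": REASONS.get(reason, "encrypted" if protected else "other"),
    }

def summarize(frames):
    """Count deauth frames per (BSSID, scope, reason code)."""
    hits = filter(None, map(parse_deauth, frames))
    return Counter((d["bssid"], d["scope"], d["reason"]) for d in hits)

# Constructed sample frames (hex), not taken from the captures on this page.
HDR = "020000000001" "020000000001" "0000"     # SA, BSSID, sequence control
UNICAST = bytes.fromhex("c0003a01" "020000000010" + HDR + "0700")
BROADCAST_FRAME = bytes.fromhex("c0003a01" "ffffffffffff" + HDR + "0700")
PROTECTED = bytes.fromhex("c0403a01" "020000000010" + HDR + "00" * 18)
BEACON = bytes.fromhex("80000000" "ffffffffffff" + HDR + "0000")

if __name__ == "__main__":
    sample = [UNICAST] * 3 + [BROADCAST_FRAME, PROTECTED, BEACON]
    for key, n in summarize(sample).items():
        print(n, key)
```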