Driver Requirements for WPA2

A driver that supports WPA2 must support the following 802.11 OIDs:

In addition, a driver that supports WPA2 must handle the following 802.11 OIDs as indicated:

  • OID_802_11_AUTHENTICATION_MODE

    When this OID is queried or set, the driver must support authentication modes Ndis802_11AuthModeWPA2 and Ndis802_11AuthModeWPA2PSK for infrastructure networks.

    WPA2 authentication is not supported for ad hoc networks.

  • OID_802_11_ENCRYPTION_STATUS

    When this OID is queried or set, the driver must support encryption mode Encryption3.

  • OID_802_11_BSSID_LIST

    In response to a query of this OID, the driver must return the NDIS_802_11_BSSID_LIST_EX structure. In particular, the driver must return the Robust Secure Network (RSN) IE from the beacon or probe response. The 802.1X supplicant needs the RSN IE during WPA2 authentication.

  • OID_802_11_STATISTICS

    In response to a query of this OID, the driver must return TKIP and AES statistics.
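
The RSN IE that the driver returns in NDIS_802_11_BSSID_LIST_EX carries the group and pairwise cipher suites, the AKM suites (802.1X or PSK) and the pre-authentication capability bit. The bounds-checked parser below is an added example, not code from the original page or from Microsoft; the names rsn_info, read_suites, rsn_parse and sample_ies are hypothetical, the sample bytes are constructed, and the field layout is assumed to follow the IEEE 802.11i RSN element.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define RSN_EID 48  /* RSN information element ID */
static const uint8_t RSN_OUI[3] = { 0x00, 0x0F, 0xAC };

typedef struct {
    uint8_t  group;     /* multicast/broadcast suite type: 2 = TKIP, 4 = CCMP (AES) */
    uint32_t pairwise;  /* bit n set = unicast suite type n is offered */
    uint32_t akm;       /* bit 1 = 802.1X, bit 2 = PSK */
    int      preauth;   /* RSN capabilities bit 0: pre-authentication */
} rsn_info;

/* Constructed sample: SSID IE "lab", then RSN IE (group TKIP, pairwise CCMP, 802.1X, pre-auth). */
const uint8_t sample_ies[] = {
    0x00, 0x03, 'l', 'a', 'b',  0x30, 0x14, 0x01, 0x00,
    0x00, 0x0F, 0xAC, 0x02,  0x01, 0x00, 0x00, 0x0F, 0xAC, 0x04,
    0x01, 0x00, 0x00, 0x0F, 0xAC, 0x01,  0x01, 0x00 };

/* Read a count-prefixed list of 4-byte suite selectors into a bitmask of suite types. */
static int read_suites(const uint8_t **p, const uint8_t *end, uint32_t *mask) {
    if (end - *p < 2) return -1;
    size_t count = (size_t)(*p)[0] | ((size_t)(*p)[1] << 8);
    *p += 2;
    if ((size_t)(end - *p) < count * 4) return -1;   /* list overruns the IE */
    for (size_t i = 0; i < count; i++, *p += 4) {
        if (memcmp(*p, RSN_OUI, 3) != 0 || (*p)[3] > 31) return -1; /* RSN OUI only */
        *mask |= UINT32_C(1) << (*p)[3];
    }
    return 0;
}

/* Find and parse the RSN IE in a beacon/probe-response IE buffer; 0 on success, -1 otherwise. */
int rsn_parse(const uint8_t *ies, size_t len, rsn_info *out) {
    for (size_t off = 0, elen = 0; len - off >= 2; off += 2 + elen) {
        elen = ies[off + 1];
        if (elen > len - off - 2) return -1;          /* IE overruns the buffer */
        if (ies[off] != RSN_EID) continue;
        const uint8_t *p = ies + off + 2, *end = p + elen;
        memset(out, 0, sizeof *out);
        if (elen < 6 || p[0] != 1 || p[1] != 0 || memcmp(p + 2, RSN_OUI, 3)) return -1;
        out->group = p[5]; p += 6;                    /* skip version and group suite */
        if (read_suites(&p, end, &out->pairwise) ||
            read_suites(&p, end, &out->akm) || end - p < 2) return -1;
        out->preauth = p[0] & 0x01;
        return 0;
    }
    return -1;
}
```

The sample shows a different cipher suite for multicast/broadcast (TKIP) than for unicast (CCMP), the mixed case the device is required to support.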

A driver that supports WPA2 must also do the following:

  • The driver must support the cipher suites for encryption mode Encryption3 (WEP, TKIP, and AES). The device must be able to support different cipher suites for unicast and multicast/broadcast packets.

  • The device must support Michael integrity checks with TKIP. On detecting a Michael integrity check failure, the driver must make an authentication indication. The driver does this by calling NdisMIndicateStatus with the GeneralStatus parameter set to NDIS_STATUS_MEDIA_SPECIFIC_INDICATION and the StatusType parameter set to Ndis802_11StatusType_Authentication.

  • The device must support TKIP countermeasures. For more information, see Receiving 802.11 Packets.

  • The driver must support WPA2 pre-authentication. The driver must advertise this support when responding to a query of OID_802_11_CAPABILITY. WPA2 pre-authentication is only used for the Ndis802_11AuthModeWPA2 authentication mode.

    The driver must also support PMKID candidate list indications.

  • 802.1X EAPOL packets are sent unencrypted until a pairwise key is installed.

  • Non-802.1X EAPOL packets are not sent until a group key is installed.

 

 
