Now look at the state diagram of an STA. The state diagram in Figure 4-7 defines the states of STA with respect to a wireless medium in an ESS.
The state transitions occur based on the outcome of the WLAN services. The STA/client starts out in an unauthenticated, unassociated state. The first step is to authenticate utilizing the authentication service; the authentication steps needed depend on the authentication requirements of the APs and DS. Perhaps open authentication is sufficient, or perhaps 802.11i authentication is required. A successful authentication transitions the STA to state 2. The next step is to associate, and a successful association transitions the STA to fully functional. The state transitions also happen through the deauthentication, disassociation, and reassociation services.
Note that the deauthentication and disassociation services are notifications; as discussed previously, a notification cannot be denied. Therefore, after an STA sends or receives these messages, the state transition is automatic.
The authentication process, of course, is based on the type of authentication, the policies in place for the APs, and the back-end network (for example, DS). Similarly, the association process can be based on capabilities including QoS, throughput, and load. The authentication, association, and disassociation requests can be denied; hence, the messages that are associated with these processes require the successful result from these services to transition the state.
Another important point to note is about the frames permitted at each state. Each state has associated frames that can be exchanged. The class 1 frames include essential communication frames, probe, beacon, authentication, and deauthentication. Class 2 frames include association, disassociation, and reassociation frames. Class 3 includes all data frames. Figure 4-7 shows which frames are allowed at each state.
Note the following points:
The importance of the "authentication" frames pertains only to 802.11, and the frames are pre-802.1x authentication.
You should note the lack of state or acknowledgement of these frames. This information might be relevant to protocol-based security discussions.
The frames that aren't allowed are blocked.
Because authentication takes a relatively long time, optimizations are sought out in which either authentication information is cached in such a way that different APs can access it, or one-time authentication is done with multiple APs. This way, a client can roam between APs by changing the association and without requiring authentication.