Wi-Fi Roaming on a Fortinet Single Channel Architecture (SCA)

Successful Wi-Fi client roaming means moving across access points/BSSIDs to the best possible serving AP for the wireless client in terms of SNR and RSSI, with the least time spent in the process and with no hard handoff seen.

Faster roaming is considered key for VoIP over Wi-Fi and for other applications running over the Wi-Fi network that are very sensitive to latency and delay.

Wireless vendors have protocol implementations to deal with these roaming problems: PMK caching, OKC, and fast roaming with 802.11k/v/r.

However, Fortinet Infrastructure Wi-Fi is unique in that a single BSSID is virtually visible across the network, so roaming seems quite simple; the software still has to do the math to solve the roaming problem.

I want to stress this point: yes, FortiWLC supports both Single Channel Architecture and Multi Channel Architecture modes, and you can take advantage of this with the help of feature grouping. So you can deploy some sites with single channel and other sites, where you feel from a design point of view that it is optimal, with multi channel architecture. Take advantage of SCA where it can really work well for you.

OK, so how does SCA work for client roaming?

Like other MCA vendors, the Fortinet Wi-Fi system also has the following tweaks and operations that help you build a system optimal for good roaming (the choice of parameters really depends on the Wi-Fi environment).

*Probe response threshold (this is based on SNR)

*Lower data rate changes

*TX power changes.

*Probe response from associated AP only.

*AP load balancing

*Frequency Band-steering

Apart from the settings mentioned above, some major factors contribute to SCA roaming:

*Adequate RSSI

*NumRssiSamplesQuiet

*NewSignalGoodnessQuiet

*SuppressZeroRssiBasedHandoff

*2 frame reports with a 3 dBm difference in RSSI strength [this is the interval between frame reports and their RSSI difference]

*Coordinator [the part of the Wi-Fi system in charge of AP<->client association; the coordinator assigns the client to the best access point to serve it, based on the conditions and thresholds set]

*Coordinator reassignment and the AP's acknowledgment of that assignment.

*Silent client behavior and the WLC features that handle such client behavior.

Below are some client roaming behaviors under different roaming conditions.

#Normal system handoff based on adequate RSSI (better signal strength).

2017-Sep-29 14:51:56.611901 | 78:31:c1:Xx:Xx:XX | 802.11 State | * <AID=31>[abgn](v0) handoff <OLD_AP=6> RSSI (-56 -55) <NEW_AP=13> RSSI (-52 -43) ESSID=XXXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Normal handoff

#System handoff based on a -256 frame report:

Seeing a -256 frame report followed by a normal handoff means that the station was found on a different serving AP before the last serving AP could flag the client as LOST.

station-log> 2017-Sep-29 15:44:55.069959 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) handoff <OLD_AP=13> RSSI (-256 -256) <NEW_AP=6> RSSI (-55 -55) ESSID=XXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Normal handoff

#System LOST-FOUND on the same access point (-256):

The wireless client is marked LOST on the connected access point and is not found on any other serving access point. The client then shows up (FOUND) again on the same access point after being marked as LOST.

–>Sample Station log:

If no other UNASSIGNED AP has marked it QUASI FOUND:
01:40:30.503000 | 7c:7a:91:XX:XX:XX | 802.11 State | <AID=6>[abgn](pre lost) found on assigned <AP=97>(rssi=-256) ESSID=XXXX Ch=44 A-BSSID=00:0c:e6:5a:1b:44 reason=Station discovered

#System handoff based on LOST-FOUND (the station is declared LOST but found on a different serving AP)

Here the station is completely lost on the connected AP, while it probed on a different access point, resulting in a handoff.

–>Sample station log :

2017-Sep-29 15:44:53.507727 | 78:31:c1:XX:XX:XX| 802.11 State | * <AID=31>[abgn](v0) (pre found) lost from assigned <AP=13> ESSID=XXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Station lost from AP
station-log> 2017-Sep-29 15:44:55.069956 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) (pre lost) quasi found on unassigned <AP=6>(rssi=-55) ESSID=XXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Station probed
station-log> 2017-Sep-29 15:44:55.069959 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) handoff <OLD_AP=13> RSSI (-256 -256) <NEW_AP=6> RSSI (-55 -55) ESSID=XXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Normal handoff

 

->>The log below indicates that the station has now been handed off to the new access point and that the access point acknowledged to the "coordinator" that it is taking over service for the client.
station-log> 2017-Sep-29 15:44:55.070826 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) (pre quasi found) marked found as received handoff ack from assigned <AP=6> ESSID=wireless-nation Ch=149 A-BSSID=00:0c:e6:02:67:70

 

#Wireless client Assoc-Assoc.

This is a problem condition in SCA where the Wi-Fi station re-associates to the access point although the wireless system already has it in its database as an associated client.

The client does this because it thinks it needs to re-associate to the wireless network: it has not heard any beacon for some time interval, or beacons were found to be corrupted while decoding, or the client did not like the frames sent by the access point (I have seen such behavior mostly with Intel chipset-based clients). This needs investigation if these logs show up on the system and match the time frame in which a user reports connectivity issues.

This condition can cause the client to go through the authentication phase again and/or even disconnect (802.1X and 802.11i happen every time it hits Assoc to Assoc).

–>Sample events for Assoc-Assoc situation:
station-log> 2017-Sep-29 15:44:59.257873 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) state change <old=Associated><new=Associated><AP[6]=00:0c:e6:1a:34:11> ESSID=XXXX Ch=149 A-<BSSID=00:0c:e6:02:67:70>
station-log> 2017-Sep-29 15:44:59.257877 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) state change <old=Associated> <new=Associated> <AP=6> ESSID=XXXX Ch=149 A-<BSSID=00:0c:e6:02:67:70>
station-log> 2017-Sep-29 15:44:59.258432 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=0> <EAP code=request> <EAP ID=1> <EAP type=Identity> sent
station-log> 2017-Sep-29 15:44:59.290511 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=1>
station-log> 2017-Sep-29 15:44:59.290514 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> Radius <msg code=access_request><msg ID=174> sent <ip=10.16.70.40>:<port=1812>
station-log> 2017-Sep-29 15:44:59.299477 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=2> <info=relay eap-request from Radius> sent

station-log> 2017-Sep-29 15:44:59.572152 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=9>
station-log> 2017-Sep-29 15:44:59.572156 | 78:31:c1:XX:XX:XX | 1X Authentication |
station-log> 2017-Sep-29 15:44:59.645547 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=12>
station-log> 2017-Sep-29 15:44:59.646297 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> Radius <msg code=access_request><msg ID=189> sent <ip=10.16.70.40>:<port=1812>
station-log> 2017-Sep-29 15:44:59.647948 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> Radius ACCESS-ACCEPT received : Session Timeout: None, VLAN Tag : 0, Filter id : , CUI : None.
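
The handoff, LOST-FOUND and Assoc-Assoc patterns above can be picked out of a station log mechanically. The following Python classifier is an added example, not FortiWLC tooling or code from the original post; it runs over a constructed sample abridged from the log lines above, and the event labels and function names are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the station-log lines quoted above.
SAMPLE = """\
2017-Sep-29 14:51:56.611901 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) handoff <OLD_AP=6> RSSI (-56 -55) <NEW_AP=13> RSSI (-52 -43) reason=Normal handoff
station-log> 2017-Sep-29 15:44:53.507727 | 78:31:c1:XX:XX:XX| 802.11 State | * <AID=31>[abgn](v0) (pre found) lost from assigned <AP=13> reason=Station lost from AP
station-log> 2017-Sep-29 15:44:55.069956 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) (pre lost) quasi found on unassigned <AP=6>(rssi=-55) reason=Station probed
station-log> 2017-Sep-29 15:44:55.069959 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) handoff <OLD_AP=13> RSSI (-256 -256) <NEW_AP=6> RSSI (-55 -55) reason=Normal handoff
station-log> 2017-Sep-29 15:44:55.070826 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) (pre quasi found) marked found as received handoff ack from assigned <AP=6>
station-log> 2017-Sep-29 15:44:59.257873 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) state change <old=Associated><new=Associated><AP[6]=00:0c:e6:1a:34:11>
station-log> 2017-Sep-29 15:44:59.257877 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) state change <old=Associated> <new=Associated> <AP=6>
station-log> 2017-Sep-29 15:44:59.258432 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=0> <EAP code=request> <EAP ID=1> <EAP type=Identity> sent
station-log> 2017-Sep-29 15:44:59.647948 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> Radius ACCESS-ACCEPT received : Session Timeout: None, VLAN Tag : 0
"""

# timestamp | MAC | category | message, with an optional "station-log> " prompt
LINE = re.compile(r"^(?:station-log>\s*)?(\d{4}-\w{3}-\d{2} [\d:.]+)\s*\|\s*(\S+?)\s*\|"
                  r"\s*([^|]+?)\s*\|\s*(.*)$")
HANDOFF = re.compile(r"handoff <OLD_AP=(\d+)> RSSI \((-?\d+) (-?\d+)\) <NEW_AP=(\d+)>")
ASSOC_ASSOC = re.compile(r"state change <old=Associated>\s*<new=Associated>")

def classify(msg):
    """Map one log message to an event label (labels are this example's own)."""
    m = HANDOFF.search(msg)
    if m:
        old_rssi = (int(m.group(2)), int(m.group(3)))
        # (-256 -256): the old AP reported no usable RSSI, as in the -256 cases above
        return "handoff_no_old_rssi" if old_rssi == (-256, -256) else "handoff_rssi"
    if ASSOC_ASSOC.search(msg):
        return "assoc_assoc"
    for needle, label in (("lost from assigned", "lost"),
                          ("quasi found on unassigned", "quasi_found"),
                          ("found on assigned", "found_same_ap"),
                          ("received handoff ack", "handoff_ack"),
                          ("ACCESS-ACCEPT", "radius_accept")):
        if needle in msg:
            return label
    if "<EAP type=Identity>" in msg and "code=request" in msg:
        return "eap_identity_request"
    return "other"

def parse_events(text):
    """Return a list of {ts, mac, kind} dicts for every parseable log line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a format this example does not handle
        ts, mac, _category, msg = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%b-%d %H:%M:%S.%f"),
                       "mac": mac.lower(), "kind": classify(msg)})
    return events

def reauth_after_assoc_assoc(events):
    """For each Assoc-Assoc that triggered a new 802.1X exchange, return
    (mac, seconds from the first Assoc-Assoc line to RADIUS ACCESS-ACCEPT)."""
    pending, results = {}, []
    for ev in events:
        mac, kind = ev["mac"], ev["kind"]
        if kind == "assoc_assoc":
            pending.setdefault(mac, {"start": ev["ts"], "eap": False})
        elif kind == "eap_identity_request" and mac in pending:
            pending[mac]["eap"] = True
        elif kind == "radius_accept" and mac in pending:
            p = pending.pop(mac)
            if p["eap"]:
                results.append((mac, (ev["ts"] - p["start"]).total_seconds()))
    return results

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for ev in evs:
        print(ev["ts"].time(), ev["mac"], ev["kind"])
    print(reauth_after_assoc_assoc(evs))
```

Matching the Assoc-Assoc timestamps this reports against the times users complain about is the investigation step the text above calls for.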

 


How a Fortinet SCA Wi-Fi network manages silent client issues

Small Wi-Fi devices, bar-code scanners and other IoT devices go into a doze state very often to save power. Every Wi-Fi vendor has some kind of implementation to get the attention of Wi-Fi clients that tend to go silent often.

Traditionally, the Meru Wi-Fi system has a feature called CLIENT LOCATOR. After the client devices' MAC OUI is added on the Wi-Fi system, it keeps sending ICMP requests and getting ICMP replies from those silent clients; this way the client's connection is kept active. In earlier days the Wi-Fi system also sent out QoS Null frames for those silent clients.

In recent Fortinet Infrastructure AP models, upstream and downstream silent client features are implemented.

#DOWNSTREAM :

For active clients (the Wi-Fi client has not informed the AP that it is going into power save but remains silent):

Scenario_1:

> If the client is silent for more than 2 seconds, silent client polling kicks in from the AP every 2 seconds.

    AP                                        STA

            No upstream packet from STA
               (Start RTS mechanism)
    RTS ->
                                       <- CTS
    CFE ->

Scenario_2:

> If there is no reply from the silent client, the AP keeps trying to send RTS for 8 – 30 seconds and then gives up. The AP then updates the "coordinator" that the client is now lost.

The station log will look like this:

| 802.11 State | * <AID=31>[abgn](v0) (pre found) lost from assigned <AP=13> ESSID=***** Ch=149 A-BSSID=***** reason=Station lost from AP

>Once the station is declared lost, the TIM bit is enabled in the beacon.

>If the station is back on the network, a found notification is sent. If it is not found, the system runs the station idle timeout for 33 min (default) and then sends out a De-auth.

 

    AP                                        STA

            No upstream packet from STA

    RTS 1 –>
            | 2 secs |
    RTS 2 –>
      ..
      ..
    RTS 8 –>
            Station lost message
    TIM bit set in Beacon –>
            After 33 minutes TIM bit cleared

#UPSTREAM: 

Power-save clients (the client has informed the AP that it is going into power save)

Scenario_1:

>Again, if the client is silent for 2 sec, silent client polling kicks in from the AP every 2 sec.

> Silent client polling starts with the AP setting the TIM vector in beacons.

> However, the TIM bit stays set in the beacons for 33 minutes; if there is no response from the client, the TIM bit is then reset and a De-auth is sent out.

    AP                                        STA

            No upstream packet from STA
    Beacon (TIM bit set) –>

            (After 33 minutes)
    Beacon (TIM bit reset) –>

Scenario_2:

>Silent client polling starts with the AP setting the TIM vector in beacons; the station sends a PS-Poll frame to the AP, and the AP in turn sends QoS Null data.

    AP                                        STA

            No upstream packet from STA

    Beacon (TIM bit set) –>
                                       <– PS-Poll
    ACK –>
    QOS Null Data –>
                                       <– ACK

The default silent_client.frame_fail_threshold varies from "8 – 30" depending on the firmware version on the system, and it can be changed with an AP boot script. However, before making any changes I would advise you to get some tips from experts.

System commander Script for troubleshooting Fortinet Infrastructure AP reboot/radio reset issues

Troubleshooting an AP reboot issue can sometimes get tough. While troubleshooting Fortinet Wi-Fi APs, you might need to capture the AP flash event log to identify the cause of the reboot. However, sometimes the AP flash space has already run out because it is storing the maximum number of log files (this can happen if the AP has been up and running for a long time in production, or if many events on the AP filled up the space quickly). In this case you might need to clear the flash log space so it can store the latest log files.

This is needed to make sure that the logs you collect are the latest ones, from the crash/reboot that just happened.

#Run the following commands on the AP to clear the old flash logs:

file areaerase logk0 

file areaerase logk1

#Run the following commands to read the flash logs on the AP:

flashcmds show logk0

flashcmds show logk1

However, in big deployments you cannot run this on each AP separately; to save time, and without causing Wi-Fi service disruption, you have to run it on at least a batch of APs at once. There is a tool called "System Commander" with which you execute a script to clear those AP flash logs.

Step1:

To use the system commander tool you have to enable telnet on the controller.
FortiWLC# configure terminal

FortiWLC(config)# telnet enable

Step2:

Please create a folder on the C drive of your computer and copy into it the two files shared at the links below:
https://www.dropbox.com/s/82ir713iegxj0tt/SystemCommandExecutor_Ver14.exe?dl=0

https://www.dropbox.com/s/otrkiobxmhnhq4y/SystemCommands_AP.txt?dl=0

Step3:
Run the following commands from your computer command prompt window.

SYNTAX: C:\folder_name>SystemCommandExecutor_Ver14.exe -c ipaddressofcontroller-username-password -o 4 -a APMODEL -l 1

Example for AP822s: 

C:\PRAVEEN>SystemCommandExecutor_Ver14.exe -c 192.168.10.3-admin-admin -o 4 -a AP822 -l 1

Explanation:

The folder name is the name of the folder on the C drive in which you saved the files (including SystemCommands_AP.txt). The username and password are the login credentials of the controller. The logs will be saved in the same folder on the C drive once the loop is completed.

The syntax includes the AP model, so please choose the AP model according to the APs for which you want to collect the logs.
* For any and all AP reboots we need to run this to gather AP reboot logs (file areaerase logk0/logk1).
* After collecting the logs, disable telnet.

1. On the command prompt we need to specify the AP model, since we can only collect for one particular AP type at a time. If the customer has a mixed AP environment, we need to collect separately for each AP model.
2. If any AP is disabled/offline, make sure to delete that entry before running System Commander, since the loop will end at that point and there is no option to start again from there. (Ex: if we have 100 APs on the network and AP ID 44 is offline, the loop will end at AP ID 44.)

Add-on: You can add more commands to the script file (SystemCommands_AP.txt) to execute them and collect a dump of their output too.

Separating your RF space for priority traffic with Single Channel Architecture and Channel Layering

Segmentation of services can be achieved by doing channel layering with Fortinet Infrastructure Wi-Fi (SCA). By doing so you actually separate business-critical traffic from your non-critical and guest traffic.

There are applications like VO-WIFI and a few other latency-sensitive applications that need special care.

#Wired infrastructure: you deploy a separate VLAN with end-to-end QoS, and so on.

#On the Wi-Fi controller you can do inbound/outbound QoS.

#WMM-capable clients have TXOP / access category queues for prioritizing voice/video traffic.

In an SCA you further get the opportunity to segment services by creating a separate RF space for them.


First universal APs @fortinet

These U-FAPs can be managed by Infrastructure controllers, FortiGate firewalls, or cloud-based management.

Like other Fortinet Infrastructure access points, they support Single Channel Architecture/Virtual Cell as well as micro cell/Native Cell.

#802.11AC#Wave2#4*4#universal

Why does a tiny browser pop up when you connect your iPhone to a Guest network

>Apple has designed iOS devices so that whenever you connect your iPhone to a Wi-Fi network with a captive portal, they bring it to your notice by popping up a tiny browser in which you have to authenticate to get on the internet.

>How does this work in the background?

155.726863 192.168.242.85 -> 192.168.242.15 DNS Standard query A captive.apple.com
155.901921 192.168.242.15 -> 192.168.242.85 DNS Standard query response CNAME captive.apple.com.edgekey.net CNAME e7279.dsce9.akamaiedge.net A 104.72.84.134
155.929087 192.168.242.85 -> 104.72.84.134 TCP 65431 > http [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1416 WS=5 TSV=760100837 TSER=0 SACK_PERM=1
155.930144 104.72.84.134 -> 192.168.242.85 TCP http > 65431 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSV=8650997 TSER=760100837 WS=0

>Once the device gets an IP address, the iPhone tries to send traffic to captive.apple.com, and if it gets any reply the device knows that the user has already authenticated.

>If the device is not able to reach captive.apple.com, it understands that there is a captive portal to authenticate against.

>In this sample capture the device gets a response from 104.72.84.134, so it knows that it has internet access and the CNA is not required.

Successful Wi-Fi 802.1X connection with a client station log

>This is for EAP-PEAP (MSCHAPv2), and you see 8 EAP IDs and 8 msg IDs in this successful exchange.

>You will also see the EAP codes between the supplicant <–> authenticator and the msg codes between the authenticator <–> authentication server.
>You get to see the 802.11i four-way handshake that completes generation of the PTK and GTK encryption keys for secured data transfer over the air.
>Once the layer 2 authentication is over, the client sends an IP request at L3.
>The Wi-Fi controller discovers and adds the MAC address and the respective IP address in its BDB.

2016-Dec-23 11:16:15.382003 | 78:4f:43:29:a2:a8 | Station Assign | <AID=1>[bgn](v0) assigned to <AP=3> ESSID=smart_connect B-BSSID=00:0c:e6:02:40:83 Ch=6 reason=Station probed
2016-Dec-23 11:16:15.409153 | 78:4f:43:29:a2:a8 | 802.11 State | <AID=1>[bgn](v0) state change <old=Unauthenticated><new=Associated><AP[3]=00:0c:e6:35:70:10> ESSID=smart_connect Ch=6 B-<BSSID=00:0c:e6:02:40:83>
2016-Dec-23 11:16:15.409599 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=0> <EAP code=request> <EAP ID=1> <EAP type=Identity> sent
2016-Dec-23 11:16:15.409634 | 78:4f:43:29:a2:a8 | 802.11 State | <AID=1>[bgn](v0) state change <old=Unauthenticated> <new=Associated> <AP=3> ESSID=smart_connect Ch=6 B-<BSSID=00:0c:e6:02:40:83>
2016-Dec-23 11:16:15.412198 | 78:4f:43:29:a2:a8 | CP User Authentication | Received smm-clear from wncreg <User=test@foritnet.com> <Auth type= Radius User> <Captive Portal Profile= Smart_connect>
2016-Dec-23 11:16:15.556572 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=1>
2016-Dec-23 11:16:15.556806 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=0> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.572894 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=2> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.636758 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=2>
2016-Dec-23 11:16:15.636763 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=1> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.667097 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=3> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.726747 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=3>
2016-Dec-23 11:16:15.726751 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=2> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.755076 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=4> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.806708 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=4>
2016-Dec-23 11:16:15.806712 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=3> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.856416 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=5> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.916656 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=5>
2016-Dec-23 11:16:15.916661 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=4> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:15.945510 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=6> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:15.996644 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=6>
2016-Dec-23 11:16:15.996648 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=5> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:16.010998 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=7> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:16.076481 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=7>
2016-Dec-23 11:16:16.076625 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=6> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:16.242356 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=8> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:16.296473 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=8>
2016-Dec-23 11:16:16.296629 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius <msg code=access_request><msg ID=7> sent <ip=192.168.138.231>:<port=1812>
2016-Dec-23 11:16:16.298428 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> Radius ACCESS-ACCEPT received : Session Timeout: 448981 sec, VLAN Tag : 0, Filter id : , CUI : None
2016-Dec-23 11:16:16.298587 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> <pkt type=EAP_PACKET> <EAP code=success><EAP ID=8> <info=relay eap-request from Radius> sent
2016-Dec-23 11:16:16.299526 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M1 <msg type=EAPOL_KEY> PTK sent
2016-Dec-23 11:16:16.416797 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M2 <pkt type=EAPOL_KEY> MIC Verified
2016-Dec-23 11:16:16.417688 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M3 <msg type=EAPOL_KEY> WPA2 PTK Negotiation sent
2016-Dec-23 11:16:16.476605 | 78:4f:43:29:a2:a8 | 1X Authentication | <AID=1> M4 <pkt type=EAPOL_KEY> <key type=Unicast Key> Key Pairwise
2016-Dec-23 11:16:17.920539 | 78:4f:43:29:a2:a8 | DHCP | <msg_type=DISCOVER><server_ip=255.255.255.255><server_mac=ff:ff:ff:ff:ff:ff><client_ip=0.0.0.0>
2016-Dec-23 11:16:17.921364 | 78:4f:43:29:a2:a8 | DHCP | <msg_type=OFFER><server_ip=192.168.242.1><server_mac=00:09:0f:09:ff:11><offered_ip=192.168.242.85>
2016-Dec-23 11:16:18.928163 | 78:4f:43:29:a2:a8 | DHCP | <msg_type=REQUEST><server_ip=255.255.255.255><server_mac=ff:ff:ff:ff:ff:ff><client_ip=0.0.0.0>
2016-Dec-23 11:16:18.929344 | 78:4f:43:29:a2:a8 | IP Address Discovered | <Old IP discovery Method=none><Old IP=0.0.0.0><New IP discovery Method=dhcp><New IP=192.168.242.85>
2016-Dec-23 11:16:18.929517 | 78:4f:43:29:a2:a8 | DHCP | <msg_type=ACK><server_ip=192.168.242.1><server_mac=00:09:0f:09:ff:11><offered_ip=192.168.242.85>
2016-Dec-23 11:16:20.221679 | 78:4f:43:29:a2:a8 | Station Assign | <AID=1>[bgn](v0) removed from <AP=3> ESSID=Guest B-BSSID=00:0c:e6:02:c3:55 Ch=6 reason=Inactivity timer expired