DL MU OFDMA bit-by-bit

There are a lot of blogs, podcast and videos at the internet explaining 802.11ax at a high level. And some have done testing with 802.11ax compatible devices. But I have not found anyone that explains 802.11ax at a deep level. So why not me

The last year, since I bought the Perahia and Staceys book “Next Generation Wireless LANs”, I have been interested in the PHY-level of 802.11. And to go deep at 802.11ax I had to buy the 802.11ax, Draft 4.0.
There are so many new topics in the 802.11ax technologies so I had to make usecases for some of the topics and I have choosen the MU OFDMA process. This first blogarticle, in a series of articles, are about the frame where the AP sends data down to stations that needs data, the DL MU OFDMA frame. This frame is sent in i HE MU PPDU format, one of the four different frame formats in the 802.11ax standard.

Later on I will cover other aspect of the MU OFMDA process, like the MU-RTS/CTS process, the uplink OFDMA (UL MU OFDMA) process and the Acknowledgement process

Nothing of this is testet in real world, it’s picked out of the 802.11ax draft

DL MU OFDMA is the process where the AP sends data down to several stations that need/want data in a parallell process. In this slides I have used a example where four stations receives data in parallell. The AP have, before it starts to send data, decided how it should allocate its RUs.

A overview of this frame (PPDU) is like this

DL OFDMA transmission overview

The presentation (slides) could be downloaded at this link (pdf)

DL MU OFDMA,bit-by-bit

If someone have constructive feedback I would be grateful

Useful links

  • Cleartosend 802.11ax podcast-series,  link
  • David Colemans presentation at WLPC_US 2019, link
  • Wifininjas, link
  • IEEE 802.11ax draft 4.0 ($400), link


Pcap-quiz #1, 802.1X/EAP Authentication and Roaming

I have over a periode of time had a wish to make some pcap-quiz into the wireless community. And its time to jump into it

I am using this method

  • Make a topology file that shows the network and all necessary data like mac-addresses and so on
  • Take a wireless capture while i’am doing something with the clients
  • Filter the pcap to reasonable sizes containing frames/packets that matters
  • Make a questionare
  • copy the same file and fill in some answers
  • Zip it in a downloadable file


Back in January 2019 I startet do play with WlanPi and packet capturing. Nigel Bowden had a article where he showed how to do packet capturing with the WlanPi and a compatibel WiFi-adapter on a Windows client. I ask him to update his script so that the WlanPi could capture 80MHz channels. And he did. Nigels link

Under my testing I discovered that the WlanPi could capture on four separate 20MHz-channels in a 80MHz-channel.  See my blog article

Peter Mackenzie did a deeper analysis on my pcaps and wrote a article where he explained what happens much better than I can do in english. Peters link

The point is that with my Realtek 8812AU adapter on the WlanPi it can capture 4 different 20MHz-channels in one capture, instead of using four adapters. Yes, it has some limitations. But in a lab environment its good enough.

In the zip-file I attached to this article is a pcap capture where the WlanPi captures on a 80MHz channel and it is 4 different APs each configured with the same SSID on 20MHz. Channel 36, 40, 44 and 48. The WlanPi is set to primary channel 36. That is the reason why the 802.11 radio information in Wireshark reports channel 36 for all 4 APs.

The original capture has almost 100.000 frames beause all clients also did pinging to the default gateway, just to create some traffic. I have filtered out the frames that matters to this questionare. It is the mangement- and EAPOL frames, so the capture contains only 8695 frames

Here is the case

  • 4 AP, each at 20MHz using channel 36, 40, 44 and 48
  • The pcap file contain captures from all four channels
  • The network uses 802.1X/EAP authentication, so all clients/suplicants communicate with a authentication server (Radius-server) during 802.1X/EAP authentication
  • Three clients, a MacBookPro, a iPAD and a Samsung A5. The iPAD and the Samsung  does a roam during the capture
  • Fast roaming is enabled
  • The questionare have 5 questions about 802.1X/EAP authentication and 5 questions about roaming
  • The topology file contains all mac addresses that matters
  • Eddie Forero had a awesome presentation during WLPC_US using Wireshark and how to customize it
  • Brian Long had a presentation at WLPC_US regarding 802.1X/EAP authentication


The zip-file:    Pcap Quiz #1


Please try it and make some comments. Next time it will be more against 802.11 radio informations

We all know that a pcap contains frames, but I changes between writing frames or packets all the time

Usable links
Gjermunds article about fast secure roaming, part 1  part 2
Eddie Forero, WiFiShark Fu, youtube video, Link
Brian Long, The Anatomy of the 802 1X Association, youtube video  Link


Using WLANPi to capture on four 20MHz-channels

I have always thought that capturing wireless frames on several channels must have been done with several NIC-adapters in monitor mode. I have seen several pictures and videos showing 4, or even 8, adapters in a usb-hub, each capturing on a single 20MHz-channel.

But last week I used my WLANPi and the script from Nigel Bowden to capture on a 80MHz-channel. And what do I see when capturing at UNII-1 with 4 APs, each at 20MHz and using channels 36, 40, 44 and 48

Beacon from all 4 APs

In Wireshark each beacons radiotapheader reports channel 36, so thats little misleading. This is the channel you use when starting the script. But the HT Information Element in the beacons carry primary channel information, so using that as a colum it’s easy to see that I am capturing at every 20MHz-channel in the 80MHz-space.

This figure shows those four beacon with the same SSID where the radiotap header report channel 36, while til primary channel in HT IE report its correct channel


To check if I could capture roaming between those four APs I did a simple test.
– 4 AP in my office, 20MHz, channel 36, 40, 44 and 48
– associate my test client to the SSID
– waited til the test client was associated. On Android, Network Analyzer from technet is very useful to see the association status and associated channel
– disabled the AP the test client was associated to
– waited til the client had roamed to another AP
– and so on

This figure shows the (re)association request and (re)association response. As we can see, the test client roamed between all four AP. The (re)association response also carry the HT Information Element and its primary channel

This is a simple test in a very low congested environment and the likelihood for a simultaneously transmisson in each BSSID is low.
If the RF environment are higher congested the likelihood for collision at the capturing device is higher, even it’s not a collision inside the BSSID. So we must assume that the capture could miss some frames.

If you want to test this by yourself, here is the link from Nigel Bowden for the WLANPiShark


I hope this is useful



Make TPC work, is it possible? Part 2, from the WLC perspective

My recent blogpost was a theoretical approach using Ekahau ESS to find out if its possible to use Cisco WLCs TPC algorithm to set Tx-power on my access point according my predictive design in ESS

My design was based on Cisco 2802i access points, primary/secondary coverage -67dBm/-75dBm, Tx-power at 25mW/14dBm and 5GHz only

My conclusion from the theoretical approach was that the WLC would have problems with a consistent Tx-power setting. But I would give it a try

The access points was installed at theirs correct place and everything was default on the controller.

Ciscos RRM white paper uses the WLC CLI command “show advanced 802.11a summary” to show both Rx_neighbors and Tx_neighbors. On my WLC that command had a shorter output

So I used these two CLI-commands on the WLC

  • show advanced 802.1a txpower
    • That command gave me allowed power levels and it showed that 17dBm was Tx_max
  • show ap auto-rf 802.11a <ap name>
    • That command gave me nearby APs. How other AP hear us = Rx_neighbor.
    • Since each AP was represented with it base BSSID with hex-value “f” at last digits it became some work with excel to find corresponding 3´strongest Tx_neighbor

I will not show that excel-spreadsheet, but I will summarise it

Next table show the RSSI_3´strongest and Tx_ideal from my predictive approach and measured values on the WLC
Remarks: I used Tx_max =20dBm in my last blog. The value of Tx_max is adjusted to 17dBm

RSSI_3´strongest and Tx_ideal from predictive and WLC-output datapoints
Tx_max = 17dBm RSSI_threshold= -70dBm
Predictive WLC output
3´strongest AP Tx_ideal (dBm) 3´strongest AP Tx_ideal (dBm)
AP1 -91 38 -88 35
AP2 -80 27 -86 33
AP3 -82 29 -82 29
AP4 -78 25 -84 31
AP5 -72 19 -81 28
AP6 -74 21 -85 32
AP7 -74 21 -72 19
AP8 -73 20 -84 31

As we can see AP1, AP2, AP3, AP4 and AP7 is fairly close between predictive and what he AP has measured (less than 6dB difference), but for AP5, AP6 and AAP8 the difference is huge (9-11dB).
Since all APs had calculated Tx_ideal above Tx_max every AP used power level 1 (17dB)

Next was adjusting the RSSI_threshold in the WLC TPC algorithm from its default value at -70dBm to -80dBm.
Next table compare the predictive approach and the calculated values on Tx_ideal and corresponding Cisco power levels based on measured values

TX_ideal and power levels from predictive and WLC-measured datapoints
Tx_max = 17dBm RSSI_threshold= -80dBm
Predictive Measured
Tx_ideal(dBm) Power level Tx_ideal (dBm) Power level
AP1 28 1 25 1
AP2 17 1 23 1
AP3 19 1 19 1
AP4 15 1 21 1
AP5 9 ´3-4 18 1
AP6 11 3 22 1
AP7 11 3 9 3-4
AP8 10 3 21 1

As we can se from the table on measured values the only AP that should change its Tx_power is AP7, even if we adjust the RSSI_threshold to its absolute minimum. AP7 has its calculated Tx_ideal based on measured values at 9dBm and the WLC set it on power level 3 (11dBm)

This leads to that 7 of my APs transmit at max power level (17 dB) and only one of the APs in the middle of the floor reduces its power level. This it not a good wifi-network.

During my research for this blogarticle a find five youtube-videos from Jerome Henry where he goes a RMM deep dive, check references

Two key element he says is

  • The TPC algorithm kick in when you have 3 AP-neighbors at -70dBm or higher (or your configured RSSI_threshold or higher)
  • The TPC algorithm is only used to automatically lower your Tx_power. The Coverage Hole Detection  is used to increase your Tx_level

My design with -67dBm/-75dBm and Tx= 25mw is no way near the TPC-goal to have three AP-neighbor at RSSI_threshold or higher, especially those in the outer edge of the floor

To have APs with consistent Tx-power its two choice

  1. Go for static Tx-power on the APs
  2. Limit the TX_min/Tx_max in your RF-profile to the values you want



Cisco RRM white paper, 2018
Jerome Henry youtube-videoseries, 5 videos 
mrn-cciew rrm-blogposts

Part 3 in this blog series will be on DCA

I´ll be back

Make TPC work, is it possible? Part 1, theoretical approach

I started my wifi-career in 2016 with Cisco WiFi-Fundamental as self-study. While reading about Radio Resource Management (RRM), Transit Power Control (TPC) and design principles I wondered how the network and the controller (WLC) was able to set the transmit power (Tx) on each AP according to design requirement. Since then I have read through CWNP-programme, Cisco RRM white paper and some  Cisco Design Guides and recommendations. Two ECSE–courses has also been completed. One instructor recommended static design and the other recommended tuning of TPC/RRM parameters

Now I am in a process of designing WiFi in one of our buildings and I’m using Ekahau Site Survey and Planner (ESS) to design the wifi-network.

So I thought why not play with ESS to give me some theoretical datapoints so that I could predict a value for RSSI_threshold for my TPC settings.

The building is 4 floors, where only second floor will get proper WiFi-design. The floor is 41 x 36m (136 x 117ft). The offices is along the outer wall, some meeting rooms in the middle and a cantine in one corner. The office walls is drywalls and set to 2dB attenuation and walls in the centre is concrete wall (12dB).

Design requirement is

  • Signal strength:  -67dBm/-75dBm
  • Accesspoint: Cisco 2802i
  • Some area don´t need coverage according to requirement, aka exclusion area
  • Tx-power on access point during design phase at 14dBm or 25mW
  • Designing for 5GHz, turning off enough 2,4GHz radio to have at least -67dBm from one AP at the entire floor. Eventually turn up 2,4Ghz TX-power so that only 3 2,4-radios is enabled
  • Split SSID (separate SSID for 5 and 2,4GHz)


Design from ESS, showing secondary coverage and slider set to -75dBm
Screen Shot 2018-09-12 at 22.11.52.png

Cisco RRM White Paper tells that for TPCv1 the APs measures two different signal levels. RX_neighbor is how good the AP hear other APs during NDP-packet process and Tx_neighbor is how good other AP hear us. For TPCv1 calculations the Tx_neighbor level are of interest.

To find out this in ESS I turned up each APs power level at 5GHz to 20dBm or 100mW. To simplify this test lets assume 20dBm is maximum allowed power level in our regulatory domain. Then shift ESS to Signal Strength for Selected AP and turn one AP after another and simulate. I used the slider for signal strength and adjusted that so  the edge between want and don´t want area or between don´t want and don´t care  area touches the other APs. In this example below two access points, AP2 and AP8,  hear AP7 at -63dBm and AP5 a -74dBm
Remember to change ESS visualization heights to 2,4m. Default in ESS is 1m
Screen Shot 2018-09-13 at 09.20.20.png

Simulation of how each AP is heared on the other APs (Tx_neighbor) is gathered together in this table

Tx  = 20dB / 100mW
Receiver level, Tx_neighbor (dBm)
Transmitter AP1 -91 -65 -65
AP2 -59 -95 -62 -80
AP3 -59 -49 -82
AP4 -49 -78 -76
AP5 -76 -57 -72 -72
AP6 -65 -57 -90 -74
AP7 -63 -80 -76 -74 -63
AP8 -64 -80 -73 -75 -64

Cisco uses the 3´strongest Tx_neighbor in it´s TPC calculations. This values is in bold text in the table above

The formula that Cisco use to find the ideal Tx-power level on each AP is

Tx_ideal = Tx_max + (RSSI_threshold + RSSI_3´strongest AP).
Tx_ideal = 20dBm + (-70dBm + RSSI_3´strongest AP)

Tx_max is maximum allowed Tx-power in the regulatory domain. In this test that level is set to 20dBm.
If we then use this formula to find the ideal Tx-level on our access point and use the default RSSI_threshold value from Cisco WLC (-70dBm) we have those Tx-levels on our APs

Tx_ideal (dBm) with RSSI_threshold = -70dBm
AP1 41
AP2 30
AP3 32
AP4 28
AP5 22
AP6 24
AP7 24
AP8 23

As we can see in this table the WLC has calculated that each AP should have a Tx-level above Tx_max, so all APs will be set to Tx_max; 20dBm or power level 1.

This does´t fit our design requirement where Tx should have been 14dBm

Cisco WLCs can configure the RSSI_threshold between -50dBm and -80dBm in the RF Profiles. Default is -70dBm

Lets us reorganise our formula to give us RSSI_threshold based on fixed Tx level at 14dBm.

RSSI_threshold = Tx_ideal – Tx_max + RSSI_3´strongest AP.
RSSI_threshold = 14dBm -20dBm+ RSSI_3´strongest AP

RSSI_threshold for Tx = 14dBm
AP1 -97
AP2 -86
AP3 -88
AP4 -84
AP5 -78
AP6 -80
AP7 -80
AP8 -79

Our calculated values for RSSI_threshold is between -78dBm and -97dBm, so lets try with RSSI_threshold to  -80dBm for all APs

Tx_predicted =Tx_max + (RSSI_threshold_configured + RSSI_3´strongest AP)
Tx_predicted = 20dBm + (-80dBm + RSSI_3´strongest AP)

Our Tx_predicted will then be

Tx_predicted (dBm)
AP1 31
AP2 20
AP3 22
AP4 18
AP5 12
AP6 14
AP7 14
AP8 13


Now we are at least inside power levels that are useable for our APs, except AP1 and AP3. If we adjust these levels to useable power level in Cisco WLC (20/17/14/11 … dBm) we get these power level (in dBm and Cisco power level) that APs should stabilize at after a DCA restart

dBm Power level
AP1 20 1
AP2 20 1
AP3 20 1
AP4 17 or 20 1 or 2
AP5 11 or 14 3 or 4
AP6 14 3
AP7 14 3
AP8 11 or 14 3 or 4

But still only AP5, AP6, AP7 and AP7 will be at or near Tx-level from the design.

Conclusion from this very theoretical approach is that there is difficult to use the TPC algorithm and RSSI_threshold in the WLC to configure our WiFi-network according to our requirement.

Then we have three options

  1. Let the WLC be at default config and pray for good result
  2. Turn of TPC algorithm, aka static Tx levels
  3. Tune TPC Tx_max/max for all APs in that RF-profile/AP-group to 14dBm



  • Real wall attenuations don´t match the design
  • Tx_max is not 20dBm in our regulatory domain
  • I am way off on understanding Cisco RRM/TPC
  • ESS calculations are unreliable

Next step is to install the APs and play with the configuration in the WLC and test if my theoretical approach and practical test corresponds

I´ll be back

Cisco RRM White Paper, 2018

Fast Secure Roaming, part 2

My last blog was about some flavours of fast secure roaming (FSR). Based on feedback from the community, especially from Nicolas Darchis (thanks), I´ve learned that its possible to enable fast secure roaming with both AKM-suite 1 (WPA) and AKM-suite 3 (FT over IEEE802.1X) on the same wlan (also possible with PSK). Cisco calls it Hybrid Mode

We can configure our Cisco WLC like this; enable Fast Transition and both 802.1X and FT 802.1X AKM-suite. The controller will warn you that some non-802.11r clients may not join this WLAN
Screen Shot 2018-06-03 at 16.02.53

If we now look at the beacons or probe responses (from the AP) it will contain both AKM-suites in the RSN information element and the Mobility Domain information element. Like this.
Screen Shot 2018-06-03 at 16.05.46

When a client wants to associate to this WLAN it will recognize those two AKM-suites and dependent of its own capabilities it will use one of these during association and re-association.
But why do we get the warning from the WLC during configuration and what about adaptive 802.11r. I have search on the web regarding this and found a Cisco support forum-case where Jerome Henry explains it, look here

A short brief (from that article)
It is basically 3 sort of clients (in regards to 802.11r)

  1. Those that support 802.11r (802.11r enabled)
  2. Those that not support 802.11r, but are not against it. They are 802.11r-compatible, but not 802.11r-enabled
  3. Those that are allergic to 802.11r. They do not support 802.11r, and refuse to associate to any WLAN where 802.11r is mentioned, even if other methods are also allowed on this WLAN

Testing in lab
I tested in my lab-network with WLC-configuration mentioned earlier and the same network/method as my last article. My test clients are a Samsung A5 (pretty new but simple Android-smartphone), an older Sony Z2 (smartphone on Android), iPAD2 (iOS ver 11.2.5) and a Lenovo Windows-client with Intel 6205 NIC.
Packets captures the initial association to original AP and captures on target AP when client roams. Cisco WLC-code is 8.3.122
The result

Client OS Original AP Target AP Remark
Samsung A5 Android open authentication, open association, 802.1X/EAP-authentication, 4-way handshake open authentication, re-association with PMKID in RSNIE, 4-way handshake 802.11r compatible, but not enabled
iPAD2 iOS open authentication, ft-association, 802.1X/EAP-authentication, 4-way handshake ft-authentication and ft-reassociaton 802.11r enabled
Sony Z2 Android open authentication, ft-association, 802.1X/EAP-authentication, 4-way handshake ft-authentication and ft-reassociaton 802.11r enabled
Lenovo laptop with Intel 6205 NIC Windows open authentication/association, 802.1X/EAP-authentication, 4-way handshake open authentication, re-association with PMKID in RSNIE, 4-way handshake 802.11r compatible, but not enabled

As we can se all client does fast secure roaming either with 802.11r( Fast BSS Transition) or Opportunistic Key Caching (OKC).
So what about category 3-clients that don´t bother to associate to this network. I haven´t find any overview over those clients. But best practice is to test your most important clients before implementation and if those weird client shows up they could enter a guest-WLAN.

What is the purpose of adaptive 802.11r
Cisco have a feature called adaptive 802.11r. Since my last blog I have wondered what the purpose of that, since enabling both WPA/OKC and FT on same WLAN works well. And again Jerome Henry in the same support forum case explains it best, look here

Adaptive 802.11r is a feature in a network where 802.11r is not enabled. With adaptive 802.11r turned on, iOS-devices will recognize 11r-feature and use FT.  The other clients continues as before.
802.11r/FT for all clients (hybrid mode) would then be implemented after we had controlled our clients. We can look at adaptive 802.11r as a “zero-risk implementation” of 802.11r that helps IOS-devices to roam faster, without checking 802.11r-compabilities on all the other clients

MacBook (macOS)
I have not tested MacBook (MacOS) thorough since I use my MacBook for packet capture through Airtool. My80211.com have a great article on roaming behaviour on MacOS. But I did a short roaming test on my MacBook and I notice that it will not roam fast although RSSI from my original AP was -84dB and the target AP was 1m away from the client.  It used several minutes before it roamed and that breaks with the -75dB rule I have learned earlier. So I have something to check