Will wireless clients connect to access points with the same SSID regardless of the wired network?

3

In reference to "How can I get the same SSID for multiple access points?", particularly this line:

Wireless clients just assume that all APs with the same SSID are configured similarly and are all just different points of access to the same underlying wired network.

I was wondering if this applies to networks that are on different wired networks. For example, let's say that John Doe has a network named Doe Internet, and Jane Doe, who lives nearby, has the same SSID, Doe Internet, and neither of them has password protection. Will wireless devices such as laptops and phones roam freely from one network to the other? Is there a way to configure access points on different wired networks to act as the same network?

Bonus question: does this pose security threats to people who could potentially enter onto a malicious network created by an attacker, using the same name as a nearby network?

--EDIT--

I guess I wasn't clear enough with my question. I would like to make two access points for two different wired networks look like one network. Is this possible?

--EDIT #2--

Everyone should obviously use a password on all WiFi networks always; this scenario was just to create the dead simplest example possible.

OneChillDude

Posted 2014-07-20T19:01:18.007

Reputation: 137

Any unsecured wifi poses some risk. A bad guy pulls up to your neighborhood and connects to your wifi, because it is open, and in the worst-case situation triggers a (miles away) bomb and drives off unnoticed. The computer will by default attach to the access point of the SSID with the strongest signal. – cybernard – 2014-07-20T19:26:20.763

Comment based on your edit: Yes, it is possible, but if there are different networks behind it, it may give weird results. If the idea is purely to share internet, the problem will not be that big, as the closest one will be connected to until you get out of reach. Do note that using no password is a bad idea, and when abused, it is likely that the affected network will lose the internet connection by shutdown from the ISP due to illegal activities. – LPChip – 2014-07-21T12:09:50.637

Answers

4

Wi-Fi clients can't tell, before they connect, what wired network a given AP will connect them to.

So if you have two APs publishing the same SSID with the same security type and password (or no security at all), clients will roam to it thinking it's part of the same underlying network. If the two APs actually connect to two different underlying IP subnets, this will break all the higher-level connections or traffic flows (SSH sessions, TCP downloads, video streams, mounted file servers, etc.) that the client had in progress.

In a worst-case scenario that's all too common, if both APs are acting as NAT gateways and using the same private IP subnet, a poorly-written client may not even realize it has switched networks, and may keep sending its Internet traffic to the MAC address of the old AP, not the new AP, until the ARP entry for the router times out. Apple's client devices (OS X and iOS) do something called DNAv4 ("Detecting Network Attachment in IPv4": RFC 4436) to make sure this doesn't happen to them. Whenever a Mac or iOS device's Wi-Fi interface says it has roamed from one AP to another, the network stack and DHCP client double-check that this is really the same network, in order to more quickly re-establish proper connectivity. I called this out in my answer to "How can I get the same SSID for multiple access points?".

By the way, I need to point out that some other Answers to your question are spreading a false myth. Most client implementations WILL NOT look at all "saved" SSIDs for roaming if they're still attached to an AP for one SSID. Most client implementations will stick on the current SSID, and only try to roam within APs of the current SSID, unless the client becomes completely disconnected from the current SSID. The (incorrect) behavior the other Answers describe would completely suck, because let's say you live in the apartment above a Starbucks, and your AP is in the living room, but back in the bedroom, the Starbucks AP is stronger than your own AP. You don't want your client to roam to the Starbucks AP just because it's stronger.

Switching to other "saved" SSIDs only happens if you're completely off the network, such as when your AP is completely out of range (or off or crashed), or on boot, or possibly wake-from-sleep (but I argue that even wake-from-sleep algorithms should make an attempt to get back on the last SSID they were on, especially after a short sleep, in order to provide the best network service continuity).

Edited to add: I should point out that neither the IEEE 802.11 standards nor the Wi-Fi Alliance's specifications and test/certification programs specify the exact roaming and "preferred/saved" network-joining behavior of 802.11/Wi-Fi clients. I've described the behaviors of clients I'm most familiar with (Apple clients), but it's entirely possible that there are poorly-implemented clients out there that do dumb things.

Spiff

Posted 2014-07-20T19:01:18.007

Reputation: 84 656

I can see why you have 34K rep. Is it possible to intentionally design a WiFi network that allows clients to roam from AP to AP on different subnets? – OneChillDude – 2014-07-21T21:01:15.737

1

@BrianWheeler You can do it intentionally, but you'll be intentionally breaking clients' TCP connections and UDP flows whenever they roam. IPv4 Mobility never really caught on. Neither did SCTP or MPTCP. Many enterprise-class AP vendors have Wi-Fi mobility tricks where they watch for a client roaming from one building to another, and they tunnel that client's traffic back to its previous subnet so it doesn't lose connectivity. This can confuse users as to why they're on the same SSID but a different subnet than their colleagues in the same meeting room.

– Spiff – 2014-07-21T21:07:21.700

Thanks for all the help! Has anyone ever written an RFC on this IPv4 mobility hack? Is there anywhere I could find some documentation for it? I really appreciate the detailed answer, by the way. – OneChillDude – 2014-07-22T02:50:30.070
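A simplified model of the post-roam check described in the answer above (confirm the default gateway by IP and MAC before trusting the old lease, the idea behind RFC 4436), added here as an illustration; it is not Apple's implementation or code from this thread. The record types, function name and all addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SavedNetwork:
    """State a client keeps about a network it recently used (hypothetical model)."""
    name: str             # label for the wired network, not the SSID
    client_ip: str        # address the client leased there
    gateway_ip: str
    gateway_mac: str
    lease_expires: float  # epoch seconds

@dataclass(frozen=True)
class ArpReply:
    """Sender fields of a reply to the ARP probe sent right after the roam."""
    sender_ip: str
    sender_mac: str

def _mac(m):
    # Normalise notation so "02-00-..." and "02:00:..." compare equal.
    return m.lower().replace("-", ":")

def network_after_roam(saved, replies, now):
    """Return (network, action): the saved network a probe reply confirmed, or None."""
    for net in saved:
        if now >= net.lease_expires:
            continue  # an expired lease is never reused
        for r in replies:
            # The IP alone proves nothing: 192.168.1.1 sits behind most home NATs.
            if r.sender_ip == net.gateway_ip and _mac(r.sender_mac) == _mac(net.gateway_mac):
                return net, "keep-address"
    # No gateway confirmed: drop cached ARP entries and get a fresh lease.
    return None, "flush-arp-and-run-dhcp"

# Constructed scenario from the question: two "Doe Internet" APs, each a NAT
# gateway on 192.168.1.0/24, attached to different wired networks.
JOHN = SavedNetwork("john-wired", "192.168.1.23", "192.168.1.1",
                    "02:00:00:aa:00:01", lease_expires=2000.0)
JOHN_GW = ArpReply("192.168.1.1", "02-00-00-AA-00-01")  # same router, other notation
JANE_GW = ArpReply("192.168.1.1", "02:00:00:BB:00:01")  # same IP, different router

if __name__ == "__main__":
    print(network_after_roam([JOHN], [JOHN_GW], now=1000.0))
    print(network_after_roam([JOHN], [JANE_GW], now=1000.0))
```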

1

A wifi network will stay connected to its access until the signal is too low. It will then search for the strongest signal, going for all SSIDs that have been set as "connect to this network when in range" first.

So yes, it can cause a switch from one network to another.

Having a wifi network without a password is a bad thing though. Having 2 wifi networks with the same SSID is not a good idea either, but it won't cause much harm unless they are relatively close and have different passwords. It can happen that it will not connect to your own network because that other network's signal is detected as a stronger signal earlier.

So simply put: Never use the same SSID unless it is for the same network and the password is also the same.

As for your bonus question: if you have your network protected with a password, and someone creates the same network without a password, and you have this SSID set as favorite, it will try to log in to that network with the password you stored, but it will do that encrypted, so they cannot decode your password, and because the password is not right, you will not connect to their network either.

Then again, as long as your signal is strong enough, you will not switch to a different network either until the lease of the DHCP has ended, but even then, your wifi is likely to have a stronger signal. So you should not be concerned about being able to switch to a different network. In theory that just is a very unlikely scenario to be possible, and the hacker in question would not have time for such elaborate deception anyway.

LPChip

Posted 2014-07-20T19:01:18.007

Reputation: 42 190

1

will wireless devices such as laptops and phones roam freely from one network to the other?

  • Yes, your device (laptop, phone or any wi-fi equipped device) will search for SSIDs that you saved. If one is found (whether it's from Jane Doe or John Doe), it attempts to connect. Once either network has some security measures like MAC-filtering, you will get into trouble connecting to it. I doubt this has an effect on the one without security measures, however it may conflict as they will conflict with each other.

Is there a way to configure access points on different wired networks to act as the same network?

  • Yes, this can be achieved by using the repeater modus, if this is supported by the AP.

does this pose security threats to people who could potentially enter onto a malicious network created by an attacker, using the same name as a nearby network?

  • Not necessarily, this is fully dependent on how the main-router is secured (MAC-filters, port filtering, encryption, password sensitivity etc.)

Rowan Kaag

Posted 2014-07-20T19:01:18.007

Reputation: 96

Thanks for the thoughtful answer, do you think you could explain the repeater modus part a bit more? – OneChillDude – 2014-07-20T22:56:56.970

Of course. In contradiction of 'roaming' e.g. using internet on another network, you're basically literally 'repeating' the signal received by the base router. So let's say that you have a modem/router and an AP, your AP will connect to your router as if it were a device, and automatically send out that same configuration whilst re-routing all incoming and outgoing data to the original router. Hope this helps you out. – Rowan Kaag – 2014-07-20T23:08:31.323

-1

I'm not sure about which network will take priority (probably the nearest one/one with the strongest signal) but if your device is configured to connect to a router with n name, it doesn't discriminate. If it has the name and it can connect, it will. And yes to your bonus question, the malcontent network owner can monitor the network activity and (in theory) gain personal information that the user may have entered (email, bank acc, forms that may have been submitted, etc) seen here. I never access any personal accounts unless it's on a network that I trust/control and if it's on my own personal device.

slow_excellence

Posted 2014-07-20T19:01:18.007

Reputation: 216

I'm sorry, but your information is incorrect. If you aren't sure, please don't post an answer. – LPChip – 2014-07-20T21:00:13.797

How exactly is it incorrect? You basically posted the same answer yet completely missed the bonus question. – slow_excellence – 2014-07-20T21:02:19.353

Read my answer again then, paragraph 5 starts with: As for your bonus question:... – LPChip – 2014-07-21T06:55:58.587

I meant that your answer was completely off. Yes you gave an answer, but it was completely unrelated to the question that Brian asked. – slow_excellence – 2014-07-21T11:25:35.037
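For the bonus question about a look-alike network that reuses a nearby name, a network owner can compare what is heard on the air against the access points they actually run. The check below is an added example, not code from this thread; the inventory layout, scan record fields, SSIDs and BSSIDs are all constructed for illustration.

```python
# Constructed inventory: the security type and BSSIDs the owner really operates.
INVENTORY = {
    "Doe Internet": {"security": "open", "bssids": {"02:00:00:aa:00:01"}},
    "Doe Office": {"security": "wpa2-psk",
                   "bssids": {"02:00:00:cc:00:01", "02:00:00:cc:00:02"}},
}

# Constructed scan results, one record per beacon heard.
SCAN = [
    {"ssid": "Doe Internet", "bssid": "02:00:00:AA:00:01", "security": "open", "rssi": -48},
    {"ssid": "Doe Internet", "bssid": "02:00:00:BB:00:01", "security": "open", "rssi": -61},
    {"ssid": "Doe Office", "bssid": "02:00:00:CC:00:02", "security": "wpa2-psk", "rssi": -55},
    {"ssid": "Doe Office", "bssid": "02:00:00:DD:00:09", "security": "open", "rssi": -40},
    {"ssid": "Cafe Guest", "bssid": "02:00:00:EE:00:05", "security": "open", "rssi": -70},
]

def audit_scan(scan, inventory):
    """Return sorted (ssid, bssid, finding) tuples for beacons reusing an inventoried SSID."""
    findings = []
    for beacon in scan:
        entry = inventory.get(beacon["ssid"])
        if entry is None:
            continue  # not one of the names we are responsible for
        bssid = beacon["bssid"].lower()
        if beacon["security"] != entry["security"]:
            findings.append((beacon["ssid"], bssid, "same name, different security"))
        elif bssid not in entry["bssids"]:
            # Same name and same security type: before connecting, a client
            # cannot tell this AP from the real one.
            findings.append((beacon["ssid"], bssid, "same name and security, unknown AP"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_scan(SCAN, INVENTORY):
        print(finding)
```

A finding is not proof of malice: in the question's scenario, Jane's AP would show up in John's audit simply because both chose the same name.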