The IEEE 802.11 Standard Explained - Inside the WiFi standard

What Is 802.11?

IEEE 802.11 is the specification that defines WiFi. Not a summary of WiFi, not an overview - the actual, complete technical definition. Every WiFi chip, access point, and client device implements some version of this standard. The current consolidated version, IEEE 802.11-2020, is over 4,000 pages long.

The standard is maintained by the IEEE 802.11 Working Group, which has been active since 1990. Unlike RFCs, which are freely available, the IEEE 802.11 standard is a commercial publication. However, IEEE makes the standard freely accessible through their IEEE GET program approximately six months after publication. The 802.11-2020 revision is available for free download through IEEE Xplore with a free IEEE account.

Understanding this standard is not strictly necessary for using WiFi tools. But if you want to understand why WPA2 handshakes work the way they do, why deauthentication frames are unauthenticated (and why 802.11w changed that), or what the differences between WPA2-Personal and WPA2-Enterprise actually are at the frame level, this is where you find the answers.

The Amendment System

gantt
    title IEEE 802.11 Amendment Timeline
    dateFormat YYYY
    axisFormat %Y
    section Core Standards
    802.11-1997 (Original)       :1997, 1999
    802.11-2007 (Consolidation)  :2007, 2012
    802.11-2012 (Consolidation)  :2012, 2016
    802.11-2016 (Consolidation)  :2016, 2020
    802.11-2020 (Current)        :2020, 2025
    section Speed Amendments
    802.11b (11 Mbps)    :1999, 2003
    802.11a (54 Mbps)    :1999, 2003
    802.11g (54 Mbps)    :2003, 2007
    802.11n/Wi-Fi 4      :2009, 2013
    802.11ac/Wi-Fi 5     :2013, 2020
    802.11ax/Wi-Fi 6     :2021, 2025
    section Security Amendments
    802.11i (WPA2/RSN)   :2004, 2007
    802.11w (Protected Mgmt) :2009, 2012

Major 802.11 amendments by category - each amendment adds to the base standard until the next consolidation

802.11 does not get rewritten from scratch each time. Instead, the working group publishes amendments - lettered additions that modify or extend the base standard. The original 1997 standard was 802.11. Then came 802.11a (5 GHz OFDM), 802.11b (2.4 GHz CCK at 11 Mbps), 802.11g (2.4 GHz OFDM at 54 Mbps), and so on through the alphabet.

The letters have reached "be" as of recent drafts, which means the working group has gone through the entire alphabet once and is now using two-letter suffixes. 802.11ax is Wi-Fi 6, 802.11be is Wi-Fi 7.

Periodically, the IEEE publishes a consolidated revision that rolls all active amendments into a single document. The most recent is 802.11-2020, which incorporates everything through 802.11ax drafts and all prior amendments. When you read the 2020 revision, you are reading the sum of decades of amendments in a single document.

This matters because when older resources reference "802.11i," they are talking about the amendment that introduced Robust Security Network (RSN) - what the WiFi Alliance branded as WPA2. That amendment's content now lives in the main standard, primarily in Clauses 4 and 12. You do not need to find the original 802.11i amendment; it is all in the consolidated document.

Accessing the Standard

There are three ways to access the standard:

IEEE Xplore (free): Create a free IEEE account and search for "802.11-2020" on ieeexplore.ieee.org. The GET IEEE 802 program makes the standard available at no cost. You get a PDF that is fully searchable and bookmarked.

IEEE SA (paid): If you need the very latest draft amendments that have not been consolidated yet, the IEEE Standards Association sells individual amendments. This is usually only necessary if you are working on bleeding-edge features.

Working group documents: Draft amendments in progress are sometimes available through the 802.11 working group's document server at mentor.ieee.org. These are works in progress and may change before final publication.

For security research, the free 802.11-2020 download from IEEE Xplore is almost always sufficient. It contains all the security mechanisms currently deployed in production WiFi networks.

Key Clauses for Security Research

graph TD
    subgraph "Clause 4 - General Architecture"
        A["4.3 - Components<br/>STA, AP, BSS, ESS"] --> B["4.5 - Security<br/>RSNA overview"]
        B --> C["4.10 - Services<br/>Authentication, Association"]
    end
    subgraph "Clause 8 - Security (formerly Clause 8/11i)"
        D["8.1 - Security Overview"] --> E["8.2 - RSNA Framework"]
        E --> F["8.3 - Pairwise Key Hierarchy"]
        F --> G["8.4 - Group Key Hierarchy"]
        G --> H["8.5 - 4-Way Handshake"]
        H --> I["8.6 - Group Key Handshake"]
        E --> J["8.7 - CCMP (AES-CCM)"]
        E --> K["8.8 - TKIP (legacy)"]
    end
    subgraph "Clause 9 - MAC Sublayer"
        L["9.2 - MAC Architecture"] --> M["9.3 - Frame Formats"]
        M --> N["9.4 - Management Frames"]
        N --> O["9.6 - Deauthentication"]
    end
    subgraph "Clause 12 - Authentication"
        P["12.2 - Auth Framework"] --> Q["12.3 - Pre-RSN Auth"]
        P --> R["12.4 - RSNA Auth"]
        R --> S["12.7 - SAE (WPA3)"]
    end
    B --> D
    D --> L
    H --> P

The four clauses most relevant to WiFi security research and how they connect to each other

The 4,000+ pages of 802.11-2020 cover everything from radio frequency characteristics to mesh networking. For security research, four clauses contain most of what you need:

Clause 4 - General Description: This clause defines the architecture of an 802.11 network. It introduces the concepts of stations (STA), access points (AP), Basic Service Sets (BSS), and Extended Service Sets (ESS). More importantly, Section 4.5 provides the security overview, including the concept of Robust Security Network Association (RSNA), which is the formal name for what WPA2 and WPA3 implement.

Clause 8 - Security: This is the core security clause, evolved from the original 802.11i amendment. It defines the RSNA framework, pairwise and group key hierarchies, the 4-way handshake, CCMP (AES-CCM encryption), and GCMP (AES-GCM encryption). If you capture a WPA2 handshake with the BLEShark Nano, the four EAPOL frames you see are defined in this clause.

Clause 9 - MAC Sublayer: This clause defines MAC frame formats - the structure of every WiFi frame that goes over the air. Understanding frame formats is essential for interpreting packet captures. The management frame subtypes (beacon, probe request, probe response, authentication, association, deauthentication, disassociation) are all defined here.

Clause 12 - Security Procedures: This clause defines the authentication procedures, including both legacy open/shared-key authentication and RSNA authentication. SAE (Simultaneous Authentication of Equals), the authentication protocol used by WPA3-Personal, is defined in Section 12.4. The transition modes between WPA2 and WPA3 are also covered here.

The MAC Sublayer

Clause 9 is particularly useful when working with a WiFi scanner or packet capture tool. Every 802.11 frame starts with a Frame Control field - two bytes that tell you the frame type, subtype, and various flags.

There are three frame types: Management (type 0), Control (type 1), and Data (type 2). Management frames handle network operations like beacons, probe requests, authentication, and association. Control frames handle medium access (RTS/CTS, ACK). Data frames carry the actual payload.

Each type has subtypes. Management frame subtypes include:

  • Subtype 0: Association Request
  • Subtype 1: Association Response
  • Subtype 4: Probe Request
  • Subtype 5: Probe Response
  • Subtype 8: Beacon
  • Subtype 10: Disassociation
  • Subtype 11: Authentication
  • Subtype 12: Deauthentication

When the BLEShark Nano performs a WiFi scan, the data it collects comes from beacon frames (subtype 8) and probe response frames (subtype 5). The SSID, BSSID, channel, RSSI, and security type information all come from specific Information Elements within these management frames, as defined in Clause 9.4.
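To make the Frame Control layout and the beacon Information Elements concrete, here is an added Python example (not code from the original post or from the BLEShark firmware) that decodes a constructed beacon frame the way a scanner does: it splits the two-byte Frame Control field into version, type, subtype and flags, walks the tagged IEs after the fixed fields, and derives the SSID, channel and a security label from the SSID, DS Parameter Set and RSN elements. The sample frame, MAC addresses and SSID are constructed for the demonstration; the tag numbers, suite selector OUI and bit positions are the ones the standard defines.

```python
"""Decode an 802.11 Frame Control field and a beacon body (added example, constructed input)."""
import struct

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication", 12: "Deauthentication"}
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104", 8: "GCMP"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
SUITE_OUI = b"\x00\x0f\xac"          # suite selector OUI 00-0F-AC used by RSN elements
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1: the legacy WPA vendor IE


def parse_frame_control(fc: bytes) -> dict:
    """Byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype. Byte 1: flag bits."""
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    name = MGMT_SUBTYPES.get(subtype, f"subtype {subtype}") if ftype == 0 else f"subtype {subtype}"
    return {"version": b0 & 0x3, "type": ftype, "type_name": FRAME_TYPES[ftype],
            "subtype": subtype, "subtype_name": name,
            "to_ds": bool(b1 & 0x01), "from_ds": bool(b1 & 0x02),
            "retry": bool(b1 & 0x08), "protected": bool(b1 & 0x40)}


def parse_ies(body: bytes) -> list:
    """Split the tag/length/value Information Elements that follow the fixed fields."""
    ies, off = [], 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        value = body[off + 2: off + 2 + length]
        if len(value) < length:      # truncated element: stop instead of reading past the end
            break
        ies.append((tag, value))
        off += 2 + length
    return ies


def _suites(value: bytes, off: int, table: dict):
    """Read a little-endian suite count followed by 4-byte OUI+type selectors."""
    count = struct.unpack_from("<H", value, off)[0]
    names = []
    for i in range(count):
        sel = value[off + 2 + 4 * i: off + 6 + 4 * i]
        names.append(table.get(sel[3], sel.hex()) if sel[:3] == SUITE_OUI else sel.hex())
    return names, off + 2 + 4 * count


def parse_rsn(value: bytes) -> dict:
    """RSN element (tag 48): version, group cipher, pairwise cipher list, AKM list."""
    version = struct.unpack_from("<H", value, 0)[0]
    group = value[2:6]
    group_name = CIPHERS.get(group[3], group.hex()) if group[:3] == SUITE_OUI else group.hex()
    pairwise, off = _suites(value, 6, CIPHERS)
    akms, _ = _suites(value, off, AKMS)
    return {"version": version, "group": group_name, "pairwise": pairwise, "akm": akms}


def classify_security(capability: int, ies: list) -> str:
    """Security label from the Capability Information field plus the RSN / WPA elements."""
    rsn = next((v for t, v in ies if t == 48), None)
    wpa = any(t == 221 and v[:4] == WPA_OUI_TYPE for t, v in ies)
    if rsn is not None:
        r = parse_rsn(rsn)
        akm = set(r["akm"])
        if "SAE" in akm and "PSK" in akm:
            label = "WPA3-Transition"
        elif "SAE" in akm:
            label = "WPA3-Personal"
        elif "802.1X" in akm:
            label = "WPA2-Enterprise"
        else:
            label = "WPA2-Personal"
        return f"{label} ({'/'.join(r['pairwise'])})"
    if wpa:
        return "WPA (vendor IE)"
    if capability & 0x0010:          # Privacy bit set but no RSN/WPA element: pre-RSN WEP
        return "WEP"
    return "Open"


def parse_beacon(frame: bytes) -> dict:
    """24-byte MAC header, then Timestamp(8) / Beacon Interval(2) / Capability(2), then IEs."""
    fc = parse_frame_control(frame[0:2])
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])          # Addr3 carries the BSSID
    timestamp, interval_tu, capability = struct.unpack_from("<QHH", frame, 24)
    ies = parse_ies(frame[36:])
    ssid = next((v for t, v in ies if t == 0), b"").decode("utf-8", "replace")
    ds = next((v for t, v in ies if t == 3), None)                # DS Parameter Set = channel
    return {"fc": fc, "bssid": bssid, "interval_tu": interval_tu, "ssid": ssid,
            "channel": ds[0] if ds else None, "security": classify_security(capability, ies)}


def build_sample_beacon() -> bytes:
    """Constructed beacon (not a real capture): SSID "LabNet", channel 6, WPA2-PSK with CCMP."""
    header = bytes.fromhex("8000") + bytes.fromhex("0000")            # FC = beacon, Duration
    header += bytes.fromhex("ffffffffffff")                             # Addr1: broadcast
    header += bytes.fromhex("02aabbccddee") * 2                         # Addr2 (SA), Addr3 (BSSID)
    header += bytes.fromhex("1000")                                     # Sequence Control
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0411)                     # 100 TU, ESS+Privacy+ShortSlot
    ssid = bytes([0, 6]) + b"LabNet"
    rates = bytes([1, 4]) + bytes.fromhex("82848b96")                   # 1/2/5.5/11 Mbps (basic)
    ds = bytes([3, 1, 6])
    rsn_body = (struct.pack("<H", 1) + SUITE_OUI + b"\x04"              # version 1, group CCMP
                + struct.pack("<H", 1) + SUITE_OUI + b"\x04"            # 1 pairwise suite: CCMP
                + struct.pack("<H", 1) + SUITE_OUI + b"\x02"            # 1 AKM suite: PSK
                + struct.pack("<H", 0))                                 # RSN Capabilities
    return header + fixed + ssid + rates + ds + bytes([48, len(rsn_body)]) + rsn_body


if __name__ == "__main__":
    print(parse_beacon(build_sample_beacon()))
```

The same `parse_frame_control` applies to every frame type; passing the first two bytes of a data frame reports the ToDS/FromDS and Protected Frame flags, which is how a capture tool tells encrypted traffic from plaintext before it looks at the body.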

Authentication and Key Management

The 4-way handshake is probably the most frequently discussed part of 802.11 security. It is defined in Clause 8.5 and involves four EAPOL-Key frames exchanged between the station and the access point after pre-shared key or 802.1X authentication.

The handshake derives the Pairwise Transient Key (PTK) from the Pairwise Master Key (PMK), which is the Pre-Shared Key itself in WPA2-Personal or the key produced by 802.1X authentication in WPA2-Enterprise, together with two nonces (ANonce from the AP, SNonce from the station) and the MAC addresses of both parties. The key derivation uses a Pseudo-Random Function (PRF) defined in the standard.

This is why handshake capture matters for security testing: if you have the PSK and capture the 4-way handshake, you can derive the PTK and decrypt the session. If you only have the handshake without the PSK, you can attempt offline dictionary attacks against the PSK. The BLEShark Nano's handshake capture feature saves these EAPOL frames in PCAP format for exactly this kind of analysis.
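The derivation described above, written out as an added Python example (not code from the original post or from the BLEShark firmware): PBKDF2 turns passphrase and SSID into the PSK, the 802.11 PRF-384 expands PMK, MAC addresses and nonces into the PTK, and the first 16 bytes of the PTK (the KCK) key the HMAC-SHA1 MIC on messages 2 to 4. Checking that MIC against a known passphrase is what a decryption tool such as Wireshark does before it can decrypt a session from a lab capture, and it is the check that tells you whether a captured handshake belongs to your network at all. The MAC addresses and nonces are constructed; the passphrase/SSID pair "password"/"IEEE" is the standard's own PSK test vector, and the EAPOL-Key field layout (MIC at offset 81) is the one the standard and 802.1X define.

```python
"""WPA2-PSK key derivation and EAPOL-Key MIC check (added example, constructed data).

Covers AKM 00-0F-AC:2 (WPA2-PSK with CCMP): PBKDF2-HMAC-SHA1 for the PSK,
PRF-384 for the PTK, and HMAC-SHA1 truncated to 128 bits for the Key MIC.
"""
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the Key MIC
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits); PMK = PSK here."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes):
    """KCK (keys the MIC), KEK (wraps the GTK in message 3), TK (the CCMP session key)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def build_eapol_key(key_info: int, replay: int, nonce: bytes, key_data: bytes,
                    mic: bytes = bytes(MIC_LEN)) -> bytes:
    """Serialise an EAPOL-Key frame: 802.1X header plus the RSN key descriptor (big-endian)."""
    body = struct.pack(">BHH", 2, key_info, 16)        # descriptor type 2, Key Info, Key Length (CCMP)
    body += struct.pack(">Q", replay)                   # Key Replay Counter
    body += nonce + bytes(16) + bytes(8) + bytes(8)     # Key Nonce, Key IV, Key RSC, reserved
    body += mic + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # 802.1X version 2, type 3 = EAPOL-Key


def compute_mic(kck: bytes, eapol: bytes) -> bytes:
    """HMAC-SHA1 over the whole EAPOL frame with the Key MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(MIC_LEN) + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_handshake(passphrase, ssid, aa, spa, anonce, snonce, eapol) -> bool:
    """True if the MIC on a captured message 2/3/4 matches this passphrase and SSID."""
    kck, _, _ = split_ptk(derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce))
    return hmac.compare_digest(compute_mic(kck, eapol), eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


# Constructed sample (not real traffic): AP 02:00:00:00:00:01 talking to STA 02:00:00:00:00:02
AA = bytes.fromhex("020000000001")
SPA = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
PASSPHRASE, SSID = "password", "IEEE"      # the standard's published PSK test vector inputs


def make_sample_message2() -> bytes:
    """Message 2 as the supplicant sends it, MIC filled in (Key Data left empty for brevity)."""
    key_info = 0x010A   # descriptor version 2 (HMAC-SHA1 / AES key wrap), Pairwise, MIC present
    kck, _, _ = split_ptk(derive_ptk(derive_pmk(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE))
    unsigned = build_eapol_key(key_info, 1, SNONCE, b"")
    return build_eapol_key(key_info, 1, SNONCE, b"", compute_mic(kck, unsigned))


if __name__ == "__main__":
    msg2 = make_sample_message2()
    print("PSK:", derive_pmk(PASSPHRASE, SSID).hex())
    print("MIC valid with 'password': ", verify_handshake(PASSPHRASE, SSID, AA, SPA, ANONCE, SNONCE, msg2))
    print("MIC valid with 'wrong-key':", verify_handshake("wrong-key", SSID, AA, SPA, ANONCE, SNONCE, msg2))
```

Two details matter when you apply this to a real PCAP: the nonces and MAC addresses are sorted before concatenation, so it does not matter which side's frame you read them from, and the MIC covers the entire EAPOL frame starting at the 802.1X version byte, not just the key descriptor. WPA3 changes the first step entirely; with SAE the PMK comes out of the Dragonfly exchange rather than from the passphrase, which is why this offline check is not possible against an SAE handshake.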

WPA3-Personal replaces the PSK model with SAE, which uses a Dragonfly key exchange (defined in Clause 12.4, with the cryptographic primitives in RFC 7664). SAE provides forward secrecy and resistance to offline dictionary attacks, which means capturing the SAE handshake does not enable the same kind of brute-force attack that works against WPA2-PSK.

Reading the Standard Effectively

Nobody reads all 4,000 pages. The practical approach is to use the standard as a reference, not a textbook.

Start with Clause 4 for the big picture. When you encounter something specific - say, you want to understand what the RSN Information Element in a beacon frame contains - go to Clause 9.4.2.25 (RSN element definition) and read that section. Use the PDF search function aggressively. The standard is heavily cross-referenced, so following the "see Clause X.Y.Z" pointers will take you to related definitions.

The standard uses defined terms precisely. A "station" (STA) is any device with an 802.11 MAC and PHY. An "access point" (AP) is a station that provides access to the distribution system. A "BSS" (Basic Service Set) is the set of stations controlled by a single coordination function. These terms appear thousands of times in the document, and understanding them makes everything else clearer.

If you find the standard overwhelming, start with Clause 4 and Clause 8. Between those two clauses, you get the architecture and all the security mechanisms. That is roughly 200 pages out of 4,000 - a much more manageable scope.

IEEE 802.11-2020 is available for free download through IEEE Xplore. The BLEShark Nano works with 2.4 GHz 802.11b/g/n networks - all defined within this standard.
