In conventional WLANs, APs advertise their presence by sending out Beacon frames which include their SSID and BSSID. Prior to association, clients gather information about the APs by scanning the channels one by one, and listening for Beacons on each channel. This is called ``passive scanning''. The clients also perform ``active scanning'', whereby they send out Probe Request frames on each channel. These are requests for APs to send out information about themselves. APs respond to Probe Requests with Probe Response frames, the contents of which are similar to Beacon frames. Once the client gathers information about all APs, it decides which AP to associate with.
The 802.11 standard allows APs to beacon with the SSID field set to null - this is referred to as a hidden SSID. A client that wishes to associate with an AP using a hidden SSID must first send out a Probe Request that contains the SSID of that network, which will then cause the AP to provide a Probe Response. For any client that does not provide the correct SSID, the AP does not respond.
The DC performs association control by exposing DAPs to clients on a ``need to know basis''. This is achieved as follows. First, the passive DAPs (i.e., those that do not have clients associated with them) in the network do not send out any beacons. The active DAPs do send out beacons but with a hidden SSID. Second, each DAP maintains a local access control list (ACL) of client MAC addresses. On receiving a probe request from a client, the DAP replies with a probe response message only if the client's MAC address is in its ACL. If a DAP receives a probe request (it may be a broadcast request) from a client whose MAC address is not in its ACL, it sends a message to the DC informing the controller that a client might be requesting service. The DC determines which, if any, DAP should respond to the probe request and adds the MAC address of the client to the ACL of that DAP.
By adding the MAC address of a client to only one DAP's ACL at a time, the DC ensures that for the SSID associated with the DenseAP network, only one DAP is visible to the client at any given time.
Note that traditional MAC address filtering could not have achieved this. MAC address filtering only prevents association, not probe responses. With traditional MAC address filtering, a client would discover several DAPs, and it may not even try to associate with the one that the DC has chosen for it.
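The following sketch is an added example, not code from the DenseAP system. It models the probe handling described above: DAPs answer only clients in their ACL, report other probes to the DC, and the DC places the client in exactly one ACL. The class names, the least-loaded selection policy, the rule that the DC ignores reports for an already-assigned client, and the MAC addresses are assumptions.

```python
# Added illustration, not DenseAP code. Class names, the least-loaded selection
# policy and the sample MAC addresses are assumptions made for this sketch.
class Controller:
    def __init__(self):
        self.daps = {}     # name -> DAP
        self.pending = {}  # client MAC -> names of DAPs that heard its probe

    def visible_to(self, mac):
        return sorted(n for n, d in self.daps.items() if mac in d.acl)

    def report_probe(self, dap_name, mac):
        if not self.visible_to(mac):  # assumed: ignore already-assigned clients
            self.pending.setdefault(mac, []).append(dap_name)

    def decide(self, mac):
        """Put mac in exactly one DAP's ACL; return that DAP's name or None."""
        heard = self.pending.pop(mac, [])
        if not heard:
            return None
        chosen = min(heard, key=lambda n: (len(self.daps[n].clients), n))
        self.daps[chosen].acl.add(mac)
        return chosen

class DAP:
    def __init__(self, name, dc):
        self.name, self.dc = name, dc
        self.acl, self.clients = set(), set()
        dc.daps[name] = self

    def sends_beacons(self):
        return bool(self.clients)  # passive DAPs stay silent; active ones hide the SSID

    def on_probe_request(self, mac):
        """Return True when a Probe Response is sent."""
        if mac in self.acl:
            return True
        self.dc.report_probe(self.name, mac)  # client may be requesting service
        return False

def scan(daps, mac):
    """One active scan: names of the DAPs that answered the client's probes."""
    return [d.name for d in daps if d.on_probe_request(mac)]

def demo():
    dc = Controller()
    daps = [DAP("dap1", dc), DAP("dap2", dc), DAP("dap3", dc)]
    daps[0].clients.add("02:00:00:00:00:01")  # constructed: dap1 already busy
    mac = "02:00:00:00:00:aa"                  # constructed new client
    return scan(daps, mac), dc.decide(mac), scan(daps, mac), dc.visible_to(mac)
```

The first scan gets no responses, and after the DC decides, the second scan is answered by a single DAP even though all three heard the probe.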
We will now illustrate how these two techniques are used when a client associates with the system for the first time, and when a client is handed off from one DAP to another.