Fast roaming as per IEEE 802.11r

As of LCOS 9.00, access points support fast roaming according to the standard IEEE 802.11r.

Fast roaming

By operating authentication according to the IEEE 802.1X standard and key management according to the IEEE 802.11i standard, modern WLAN installations offer a high degree of security and confidentiality for the transmitted data. However, these standards require transmission of additional data packets during the connection negotiation as well as additional computing power on the client and server.

Currently, WLAN devices have hardware accelerators, which perform the real-time encryption and decryption of payload data during a connection without noticeable delays or conspicuous network loading. In the meantime, because sufficient computing power is available, the creation of keys on the client side no longer causes any noticeable delays.

The delays when connecting via EAP/802.1X or WPA are therefore mostly related to the time that the client and server require to negotiate the security protocol during login.

The original IEEE 802.11 only required up to six data packets to establish a data connection between a WLAN client and an access point. The standard extension IEEE 802.11i improved on weak points of WEP encryption; however, depending on the authentication method, it substantially increased the length of the login process.

This extra time for the WLAN client to log in to the access point is not a problem for non-time-critical applications. However, for smooth, loss-free roaming of a WLAN client from one access point to the next (as required, for example, for Voice-over-IP applications or in industrial, real-time environments), a delay of more than 50 ms is not acceptable.

Methods such as pair-wise master key caching (PMK caching), pre-authentication, opportunistic key caching (OKC) and the use of central WLAN controllers for key management improve the time for the key negotiation between the WLAN client and access point during login. Despite this, the comparatively long time required for key negotiation between the WLAN client and the access point has still not been reduced to a viable extent.

Along with the improved encryption protocols, IEEE 802.11e makes it possible to reserve additional bandwidth with the access point. This allows the WLAN client to prevent interruptions, for example for VoIP connections at times of high network loads at the access point. For roaming from one access point to the next, the WLAN client must again reserve this additional bandwidth on the new access point. However, the additional management frames required for this considerably increase the login time.

The IEEE 802.11r standard provides a simplified authentication process for mobile WLAN clients to roam trouble-free from one access point to the next. The goal is to once again reduce the number of data packets for the login on the access point to the four to six packets known from 802.11.

Similar to opportunistic key caching (OKC), a centralized key management (preferably by a WLAN controller) supplies the access points connected to it with the credentials of the WLAN clients. In contrast to OKC, the WLAN client performing fast roaming can detect whether the access point supports 802.11r.

Access points managed by the WLAN controller transmit the mobility domain information element (MDIE) to inform the WLAN clients about which "mobility group" the access point belongs to, among other things. Based on this information, the WLAN client detects whether it belongs to the same domain and can therefore authenticate without delay. This mobility domain is announced to a WLAN client the first time it authenticates at an access point.

The domain identifier and other special keys generated during the initial authentication and transmitted to all managed access points now reduce the stages of negotiation to the desired four to six steps when authenticating at a new access point.

To avoid futile and thus time-wasting login attempts with expired PMKs, IEEE 802.11r provides additional information about the validity periods of keys. In this manner, the client negotiates a new PMK while it is still connected to the current access point. This new PMK is also valid on the access point that the WLAN client wants to connect to next.

Additionally, IEEE 802.11r uses "resource requests" to reserve additional bandwidth on the new access point, so that there is no need to cause added delay by transferring unnecessary data packets during the IEEE 802.11e authentication.

Note: Older WLAN clients may have trouble establishing a connection to an SSID with enabled 802.11r. Therefore, it is advisable to use two SSIDs here: One SSID for older clients without 802.11r support and another SSID with enabled 802.11r for clients that support 802.11r.

Fast roaming is set up in LANconfig under Wireless LAN > 802.11i/WEP > WPA or private WEP settings.

Configuration

WPA2 key management
Here you specify which standard the WPA2 key management should follow. Possible values are:
  • Standard: Enables key management according to the IEEE 802.11i standard without Fast Roaming and with keys based on SHA-1. Depending on the configuration, the WLAN clients in this case must use opportunistic key caching, PMK caching or pre-authentication.
  • SHA256: Enables key management according to the IEEE 802.11w standard with keys based on SHA-256.
  • Fast roaming: Enables fast roaming as per IEEE 802.11r.
  • Combinations of the three settings
Important: Although it is possible to make multiple selections, this is advisable only if you are sure that the clients attempting to log in to the access point are compatible. Unsuitable clients may refuse a connection if an option other than Standard is enabled.
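The three key management settings above correspond to the AKM suites an access point advertises in the RSN information element of its beacons and probe responses, and the mobility domain described earlier is carried in the Mobility Domain element (MDIE). The following added example (not LCOS or LANCOM code) parses a beacon's information elements to show which settings a BSS has enabled, which mobility domain it announces, and whether a client with a given set of AKM suites shares at least one with the access point. The element IDs and AKM suite selectors are those defined in IEEE 802.11; the beacon bytes, the SSID "ft-office" and the mobility domain identifier 0x1234 are constructed for this example.

```python
"""Parse the RSN and Mobility Domain elements from a beacon's information
element (IE) blob and report the 802.11r / key management options offered.

Added example, not LCOS code.  Element IDs and AKM suite selectors follow
IEEE 802.11: RSN element = 48, Mobility Domain element = 54, AKM OUI 00-0F-AC.
"""
import struct

RSN_ELEMENT_ID = 48
MOBILITY_DOMAIN_ELEMENT_ID = 54
AKM_OUI = bytes.fromhex("000fac")

# AKM suite type -> (name, the "WPA2 key management" setting it belongs to)
AKM_TYPES = {
    1: ("802.1X", "Standard"),
    2: ("PSK", "Standard"),
    3: ("FT-802.1X", "Fast roaming"),
    4: ("FT-PSK", "Fast roaming"),
    5: ("802.1X-SHA256", "SHA256"),
    6: ("PSK-SHA256", "SHA256"),
}

# Constructed beacon IEs: SSID "ft-office", RSN element (CCMP, AKMs 802.1X and
# FT-802.1X, i.e. Standard + Fast roaming), MDIE with MDID 0x1234 and both the
# FT-over-DS and resource-request capability bits set.
EXAMPLE_BEACON_IES = bytes.fromhex(
    "0009" "66742d6f6666696365"                 # SSID element
    "3018" "0100" "000fac04" "0100" "000fac04"  # RSN: version, group, pairwise
    "0200" "000fac01" "000fac03" "0000"         # RSN: AKM list, RSN capabilities
    "3603" "3412" "03"                          # Mobility Domain element
)


def iter_elements(ie_blob):
    """Yield (element_id, payload) for each TLV in an IE blob; reject truncation."""
    off = 0
    while off + 2 <= len(ie_blob):
        eid, length = ie_blob[off], ie_blob[off + 1]
        payload = ie_blob[off + 2: off + 2 + length]
        if len(payload) < length:
            raise ValueError("truncated information element %d" % eid)
        yield eid, payload
        off += 2 + length


def parse_rsn_akms(payload):
    """Return the AKM suite types listed in an RSN element payload."""
    if len(payload) < 8:
        raise ValueError("RSN element too short")
    (version,) = struct.unpack_from("<H", payload, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    off = 2 + 4                                  # skip version and group cipher
    (pairwise_count,) = struct.unpack_from("<H", payload, off)
    off += 2 + 4 * pairwise_count                # skip pairwise cipher suites
    if off + 2 > len(payload):
        raise ValueError("truncated RSN element")
    (akm_count,) = struct.unpack_from("<H", payload, off)
    off += 2
    akms = []
    for _ in range(akm_count):
        suite = payload[off: off + 4]
        if len(suite) < 4:
            raise ValueError("truncated AKM suite list")
        if suite[:3] == AKM_OUI:                 # ignore vendor-specific OUIs
            akms.append(suite[3])
        off += 4
    return akms


def parse_mobility_domain(payload):
    """Return (mdid, ft_over_ds, resource_request_capable) from an MDIE payload."""
    if len(payload) != 3:
        raise ValueError("Mobility Domain element must be 3 octets")
    (mdid,) = struct.unpack_from("<H", payload, 0)
    caps = payload[2]                            # B0: FT over DS, B1: resource requests
    return mdid, bool(caps & 0x01), bool(caps & 0x02)


def describe_bss(ie_blob):
    """Summarise the key management settings and mobility domain a BSS advertises."""
    akms, mdie = [], None
    for eid, payload in iter_elements(ie_blob):
        if eid == RSN_ELEMENT_ID:
            akms = parse_rsn_akms(payload)
        elif eid == MOBILITY_DOMAIN_ELEMENT_ID:
            mdie = parse_mobility_domain(payload)
    return {
        "akms": [AKM_TYPES.get(t, ("unknown-%d" % t, None))[0] for t in akms],
        "settings": sorted({AKM_TYPES[t][1] for t in akms if t in AKM_TYPES}),
        "mdid": None if mdie is None else mdie[0],
        "ft_over_ds": None if mdie is None else mdie[1],
        "resource_requests": None if mdie is None else mdie[2],
    }


def client_can_associate(ie_blob, client_akm_types):
    """True if the client supports at least one AKM suite the BSS advertises."""
    akms = []
    for eid, payload in iter_elements(ie_blob):
        if eid == RSN_ELEMENT_ID:
            akms = parse_rsn_akms(payload)
    return bool(set(akms) & set(client_akm_types))


if __name__ == "__main__":
    print(describe_bss(EXAMPLE_BEACON_IES))
    print("legacy 802.1X client:", client_can_associate(EXAMPLE_BEACON_IES, [1, 2]))
    print("SHA-256-only client: ", client_can_associate(EXAMPLE_BEACON_IES, [5, 6]))
```

client_can_associate models only the AKM overlap: a client that shares no suite with the access point cannot negotiate keys at all. The note above describes a second failure mode that a parser cannot predict from the beacon, namely older clients that reject an SSID simply because additional AKMs or the MDIE are present, which is why a separate SSID for such clients is recommended.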