Authentication of wireless clients using EAP and 802.11X has become standard in corporate networks, and these methods are becoming even more widespread with the integration of the Hotspot 2.0 specification for public Internet access. The disadvantage of 802.11X authentication is the significantly longer time between login and connection, because up to twelve data packets have to be exchanged between the WLAN client and the access point. For most applications, which are all about data exchange, this may not be particularly important. However, for time-critical applications such as Voice over IP, it is important that the authentication at neighboring WLAN radio cells does not affect communication.
To counteract this, authentication strategies such as PMK caching and pre-authentication have become established, although pre-authentication does not fix all of the problems. On the one hand, there is no guarantee that the WLAN client can recognize whether the access point can perform pre-authentication. On the other hand, pre-authentication causes considerable load on the RADIUS server, which needs to handle the authentication of all clients and all access points in the WLAN.
Opportunistic key caching delegates the key management to a WLAN controller, or to a central switch, which manages all of the access points in the network. If a client logs on to an access point, the WLAN controller behind it works as an authenticator to manage the keys and send the PMK to the access point, which is ultimately received by the client. If the client moves to another cell, it uses this PMK and the MAC address of the new access point to calculate a PMKID. It then send this to the new access point in the hope that OKC is enabled there (therefore "opportunistic"). If the access point cannot handle the PMKID, then it negotiates an 802.11X authentication with the client in the usual manner.
A LANCOM access point can even perform OKC if the WLAN controller is temporarily unavailable. In this case, it stores the PMK and sends this to the WLAN controller when it becomes available again. Ultimately it sends the PMK to all of the access points in the network, which allows clients to use OKC to login after a change of radio cell.
