Fast roaming

By operating authentication according to the IEEE 802.1X standard and key management according to the IEEE 802.11i standard, modern WLAN installations offer a high degree of security and confidentiality for the transmitted data. However, these standards require transmission of additional data packets during the connection negotiation as well as additional computing power on the client and server.

The original IEEE 802.11 only required up to six data packets to establish a data connection between a WLAN client and an AP. The standard extension IEEE 802.11i improved on weak points of WEP encryption; however, depending on the authentication method, it substantially increased the length of the login process.

This extra time for the WLAN client to login to the AP is not a problem for non-time-critical applications. However, for smooth, loss-free roaming of a WLAN client from one AP to the next (as required, for example, for Voice-over-IP applications or in industrial, real-time environments), a delay of more than 50 ms is not acceptable.

Methods such as pair-wise master key caching (PMK caching), pre-authentication, opportunistic key caching (OKC) and the use of central WLCs for key management improve the time for the key negotiation between the WLAN client and AP during login. Despite this, the comparatively long time required for key negotiation between the WLAN client and the AP has still not been reduced to a viable extent.

Along with the improved encryption protocols, IEEE 802.11e makes it possible to reserve additional bandwidth with the AP. This allows the WLAN client to prevent interruptions, for example for VoIP connections at times of high network loads at the AP. For roaming from one AP to the next, the WLAN client must again reserve this additional bandwidth on the new AP. However, the additional management frames required for this considerably increase the login time.

The IEEE 802.11r standard provides a simplified authentication process for mobile WLAN clients to roam trouble-free from one AP to the next. The goal is to once again reduce the number of data packets for the login on the AP to the four to six packets known from 802.11.

Similar to opportunistic key caching (OKC), a centralized key management (preferably by a WLC) supplies the APs connected to it with the credentials of the WLAN clients. In contrast to OKC, the WLAN client performing fast roaming can detect whether the AP supports IEEE 802.11r.

APs managed by the WLC transmit the mobility domain information element (MDIE) to inform the WLAN clients about which "mobility group" the AP belongs to, among other things. Based on this information, the WLAN client detects whether it belongs to the same domain and can therefore authenticate without delay. This mobility domain is announced to a WLAN client the first time it authenticates at an AP.
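The client-side check described above (does the AP advertise 802.11r, is it in my mobility domain, and does it offer a fast-transition key management suite) can be reproduced by parsing the beacon's information elements. This is an added example, not LANCOM code; the beacon bytes are constructed, and the element IDs, MDIE layout and FT AKM suite selectors are taken from IEEE 802.11.

```python
# Added example (not LANCOM code): decide from a beacon's IEs whether a client can fast-roam here.
import struct

MDIE_ID, RSN_ID = 54, 48                    # Mobility Domain element, RSN element
FT_AKMS = {(0, 0x0F, 0xAC, 3): "FT-802.1X", (0, 0x0F, 0xAC, 4): "FT-PSK",
           (0, 0x0F, 0xAC, 9): "FT-SAE"}    # FT AKM suite selectors (IEEE 802.11)

def parse_ies(data: bytes) -> dict:
    """Split the tagged-parameter area into {element_id: body}; reject truncation."""
    ies, pos = {}, 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        body = data[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        ies[eid], pos = body, pos + 2 + length
    return ies

def parse_mdie(body: bytes) -> dict:
    """MDIE body: MDID (2 octets, little endian) + FT capability/policy octet."""
    if len(body) != 3:
        raise ValueError("MDIE body must be 3 octets")
    mdid, caps = struct.unpack("<HB", body)
    return {"mdid": mdid, "ft_over_ds": bool(caps & 0x01),   # bit 0: FT over the DS
            "resource_request": bool(caps & 0x02)}          # bit 1: resource requests

def rsn_akms(body: bytes) -> list:
    """Return the AKM suite selectors (4-octet tuples) listed in an RSN element."""
    if len(body) < 8:
        return []
    n_pair, = struct.unpack_from("<H", body, 6)   # after version + group cipher
    pos = 8 + 4 * n_pair                          # skip the pairwise cipher list
    n_akm, = struct.unpack_from("<H", body, pos)
    return [tuple(body[pos + 2 + 4 * i:pos + 6 + 4 * i]) for i in range(n_akm)]

def fast_roam_possible(beacon_ies: bytes, client_mdid: int):
    """Mirror the client's check: same mobility domain and an FT AKM advertised."""
    ies = parse_ies(beacon_ies)
    if MDIE_ID not in ies:
        return False, "AP does not advertise IEEE 802.11r (no MDIE)"
    md = parse_mdie(ies[MDIE_ID])
    if md["mdid"] != client_mdid:
        return False, "AP belongs to a different mobility domain"
    ft = [FT_AKMS[a] for a in rsn_akms(ies.get(RSN_ID, b"")) if a in FT_AKMS]
    if not ft:
        return False, "no FT AKM suite in the RSN element"
    return True, f"{ft[0]}, resource requests={md['resource_request']}"

# Constructed beacon IEs: RSN element (CCMP; AKMs PSK and FT-PSK) followed by MDIE 0x1234.
BEACON = (b"\x30\x16\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x02\x00"
          + b"\x00\x0f\xac\x02\x00\x0f\xac\x04" + b"\x36\x03\x34\x12\x02")
```

A client that learned MDID 0x1234 at its first authentication would accept this AP; the same beacon without its MDIE, or with another MDID, is rejected without a login attempt.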

The domain identifier and other special keys generated during the initial authentication and transmitted to all managed APs now reduce the stages of negotiation to the desired four to six steps when authenticating at a new AP.

To avoid futile and thus time-wasting login attempts with expired PMKs, IEEE 802.11r provides additional information about the validity periods of keys. In this manner, the client negotiates a new PMK while connected to the current AP. This is also valid on the AP that the WLAN client wants to connect to next.

Additionally, IEEE 802.11r uses "resource requests" to reserve additional bandwidth on the new AP, so that there is no need to cause added delay by transferring unnecessary data packets during the IEEE 802.11e authentication.

Note: Older WLAN clients may have trouble establishing a connection to an SSID with enabled 802.11r. Therefore, it is advisable to use two SSIDs here: one SSID for older clients without 802.11r support and another SSID with enabled 802.11r for clients that support 802.11r.

Fast roaming is set up in LANconfig under Wireless LAN > General > Logical WLAN settings > Encryption > WPA2/3 key management.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
