- Roaming – Reassociation service between a client and multiple BSSs
- A client always makes the roaming decision (reassociation) based on an RSSI threshold or SNR by sending a “reassociation request” frame
- iPhone roaming threshold: -70 dBm, 12 dB differential when not transmitting, 8 dB differential when transmitting
- VoWiFi handoff requirement – 150 milliseconds
- 802.1X authentication – 700 milliseconds, which mandates a fast roaming service
Fast roaming standards
- 802.11i – Pre-authentication, PMK Caching
- Proprietary – Opportunistic Key Caching
- 802.11r – Fast BSS Transition
AP-to-AP Handoff
- Client sends the reassociation frame to the target AP
- The target AP informs the original AP that the client station is roaming
- The target AP requests the client’s buffered packets from the original AP
- The original AP sends the buffered packets
- The target AP sends reassociation response
PMKSA and PMKID
- PMK – from 802.1X/EAP or PSK
- PMKSA – Successful authentication of 802.1X/EAP, PSK, SAE, or a cached PMK will result in a PMKSA
- PTKSA – Successful handshake and creation of PTK will result in a PTKSA
- RSNIE – Some 802.11 management frames have an RSN Information Element
  - Beacon (sent by AP)
  - Probe response (sent by AP)
  - Association request (sent by client)
  - Reassociation request (sent by client)
  - Reassociation response (sent by AP) when 802.11r is enabled
- PMKID – unique ID for every PMKSA, found inside the RSNIE of association request and reassociation request frames
- PMK-R0: SA derived from FT initial mobility association
- PMK-R1: SA derived from FT initial mobility association or a fast BSS transition
- PMKSA Components:
  - PMK
  - PMKID
  - Authenticator MAC
  - Lifetime – infinite, unless specified
  - AKMP
  - Authorization Parameters – Anything specified by the AS or supplicant (like SSID)
- Without any fast roaming methods used, 802.1X/EAP will require a reauthentication with a 4-way handshake and creation of a new PMKSA every time the client roams. This causes VoWiFi handoff issues as 802.1X authentication takes 700 ms whereas voice handoff requires 150 ms or less (50 ms ideal).
- To avoid this, 802.11-2012 has specified 3 fast roaming techniques:
  - PMK Caching
  - Pre-authentication
  - Fast BSS transition
PMK Caching (Fast secure roam-back)
- When a client roams to a new AP, the original AP retains the original PMK, and when the client roams back to it, it can skip the 802.1X/EAP process of generating a new PMK. It will still need to do a 4-way handshake to create a new PTK.
- The RSN information of the client’s reassociation frame will have multiple PMKIDs.
- In this case, the roaming handoff is usually 40-60 ms
- This method doesn’t address roaming forward to a new AP
- Not scalable
Preauthentication
- A client can establish a new PMKSA with an AP prior to roaming to that AP by initiating a new 802.1X/EAP authentication to create a new PMK while still associated to the original AP
- When the client roams, the target AP will have a PMK for that association and directly proceed to 4-way handshake process
- The RSN information of the AP’s probe response will have “supports pre-authentication” field enabled
- The RSN information of the client’s reassociation frame will have multiple PMKIDs.
- No reduction in RADIUS server load
- Not scalable
Opportunistic Key Caching (OKC)
- Not part of 802.11i standard – vendor proprietary enhancement of PMK Caching
- Solves the forward roaming issue of PMK Caching
- Single cached PMK is shared among multiple APs (in the same zone) managed by a centralized controller/AP
- Better than PMK Caching as it supports forward roaming to a new AP by reusing the same PMK
- Client calculates a new PMKID using the original PMK from the first AP, the target AP’s MAC address, and its own MAC address -> reassociation request
- Target AP calculates the PMKID using the shared PMK from the first AP, its own MAC address, and the client’s MAC address -> reassociation response
- PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), where HMAC is the Keyed-Hash Message Authentication Code, AA is the authenticator (AP) MAC address, and SPA is the supplicant (client) MAC address
- 802.1X/EAP authentication is skipped on all APs except the first one – reduces the load on the RADIUS server
- Supported by Microsoft, MacBook (not on iPhone), and some Android devices
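
The PMKID calculation and the OKC forward-roam check described above, as an added Python example that is not part of the original notes or any vendor's code. The `OkcZone` class, the MAC addresses and the PMK are constructed for illustration; the PMKID formula is the one given in this section.

```python
import hashlib
import hmac


def mac(addr: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to its 6 raw octets."""
    raw = bytes.fromhex(addr.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {addr!r}")
    return raw


def pmkid(pmk: bytes, aa: str, spa: str) -> bytes:
    """First 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    digest = hmac.new(pmk, b"PMK Name" + mac(aa) + mac(spa), hashlib.sha1).digest()
    return digest[:16]


class OkcZone:
    """Hypothetical controller: one cached PMK per client, shared by the zone's APs."""

    def __init__(self, bssids):
        self.bssids = {b.lower() for b in bssids}
        self.pmk_cache = {}  # client MAC -> PMK from the first 802.1X/EAP exchange

    def cache_pmk(self, spa: str, pmk: bytes) -> None:
        self.pmk_cache[spa.lower()] = pmk

    def on_reassoc_request(self, target_bssid: str, spa: str, offered: list) -> str:
        """Decide what the target AP does with the PMKIDs listed in the RSNIE."""
        pmk = self.pmk_cache.get(spa.lower())
        if pmk is None or target_bssid.lower() not in self.bssids:
            return "full 802.1X/EAP"
        expected = pmkid(pmk, target_bssid, spa)  # bound to this AP and this client
        if any(hmac.compare_digest(expected, p) for p in offered):
            return "4-way handshake only"
        return "full 802.1X/EAP"


# Constructed sample values (not from any real network).
PMK = hashlib.sha256(b"constructed sample PMK").digest()  # 32 bytes
CLIENT = "02:00:00:00:00:c1"
AP1, AP2 = "02:00:00:00:0a:01", "02:00:00:00:0a:02"

zone = OkcZone([AP1, AP2])
zone.cache_pmk(CLIENT, PMK)  # stored after the first AP's full authentication
print(zone.on_reassoc_request(AP2, CLIENT, [pmkid(PMK, AP2, CLIENT)]))
```

Because AA is part of the HMAC input, a PMKID computed for the first AP does not match at the target AP even though the PMK is the same, so the client must recompute it per target.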
Fast BSS Transition (FT)
- 802.11r-2008 amendment part of 802.11-2012 standard
- Similar method to OKC, but as it is a standard, full key hierarchy is defined
- FT operates within a mobility domain (set of APs sharing an SSID)
- Most efficient fast roaming method, but not widely supported by clients
- Legacy client drivers might have difficulty processing the 802.11r info like MDIE, FTIE (consider a separate SSID for FT)
- Supported by voice enterprise certifications
Three-level key hierarchy
- PMK-R0 – First time a client connects to an AP, 802.1X/EAP process creates a Master Session Key (MSK), which seeds the first-level PMK called PMK-R0
- PMK-R1 – Second-level key
- PTK – Third-level key, which is the actual encryption key
Key Holder Role
- Controller – PMK-R0 holder (R0KH) – in case of controller-less architecture, the first AP stores it
- Access Points – PMK-R1 holder (R1KH) – each AP has a unique PMK-R1. This is used to derive a unique PTK for each AP.
- Client Station – PMK-S0 key holder (S0KH) – equivalent of PMK-R0
- Client Station – PMK-S1 key holder (S1KH) – equivalent of PMK-R1
Client stations cache PMK-R0 from the controller and PMK-R1s from all APs in a mobility domain.
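
The first two levels of the key hierarchy and the key-holder roles above, as an added Python sketch that is not part of the original notes. It assumes the SHA-256 based FT key derivation from 802.11-2012 (FT-802.1X / FT-PSK AKMs); the seed key, SSID, R0KH-ID and MAC addresses are constructed, and the octet order of the MDID is an assumption. The PTK level is omitted because it also needs the handshake nonces.

```python
import hashlib
import hmac
import struct


def kdf_sha256(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """802.11 KDF: HMAC-SHA256 over counter || label || context || length."""
    out, i = b"", 1
    while len(out) * 8 < bits:
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[: bits // 8]


def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    """First level: returns (PMK-R0, PMKR0Name), held by the R0KH and the S0KH."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    data = kdf_sha256(xxkey, b"FT-R0", ctx, 384)
    pmk_r0, salt = data[:32], data[32:48]
    return pmk_r0, hashlib.sha256(b"FT-R0N" + salt).digest()[:16]


def derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh_id, s1kh_id):
    """Second level: returns (PMK-R1, PMKR1Name), unique per AP (R1KH)."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, name


# Constructed inputs; only the MDID 0x34ac is the value quoted on this page.
XXKEY = hashlib.sha256(b"constructed MSK-derived seed").digest()
SSID, MDID = b"corp-voice", bytes.fromhex("34ac")  # octet order assumed
R0KH_ID = b"controller-1"                          # hypothetical R0KH identifier
CLIENT = bytes.fromhex("0200000000c1")             # S0KH-ID and S1KH-ID (client MAC)
APS = [bytes.fromhex("020000000a01"), bytes.fromhex("020000000a02")]  # R1KH-IDs


def build_hierarchy():
    """Derive PMK-R0 once, then one PMK-R1 per AP in the mobility domain."""
    pmk_r0, r0_name = derive_pmk_r0(XXKEY, SSID, MDID, R0KH_ID, CLIENT)
    return pmk_r0, {ap.hex(): derive_pmk_r1(pmk_r0, r0_name, ap, CLIENT) for ap in APS}


pmk_r0, per_ap = build_hierarchy()
for ap, (pmk_r1, name) in per_ap.items():
    print(ap, "PMKR1Name", name.hex())
```

The client runs the same derivations with the same inputs, which is how the S0KH/S1KH copies match the R0KH/R1KH copies without any key being sent over the air.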
Mobility Domain Information Elements (MDIE)
- Shows the existence of a mobility domain as well as FT
- MDID – unique ID of a group of APs that form a mobility domain (0x34ac in the example below)
- FT Capability and Policy – shows if over-the-air or over-the-DS FT is being performed
Fast BSS Transition Information Element (FTIE)
- Information needed to perform FT authentication sequence
- Does a 4-way handshake similar to RSNA – generates PTK, GTK keys to open the controlled port -> only for the first association
- The difference is the additional fields such as MDIE, FTIE, PMKR1 communicated in the handshake process
- FT initial mobility domain association – first AP association for the client in this mobility domain after the 4-way handshake (picture below)
Over-the-Air Fast BSS Transition
- All frames including authentication and reassociation sent over the air during roaming
- Combines standard 802.11 authentication and reassociation frames within the 4-way handshake to reduce the latency (compare with picture above)
- 4 fewer frames are needed when a client roams compared to the non-FT roaming
- FTAA – FT authentication algorithm
- PMK-R1 of the new AP is used as the seeding material to create PTK
- If supported, PSK will use over-the-air method
Over-the-DS Fast BSS Transition
- Uses FT action frames to complete the authentication and PTK creation through wired 802.3 infrastructure via original AP
- Reassociation request and response after authentication are sent over the air
- PMK-R1 of the new AP is used as the seeding material to create PTK
- Optional – supported by a few manufacturers
802.11k
- Radio Resource Management (RRM) – enables radios to better understand the RF environment
- Associated AP sends a neighbor report, which is used by clients to make roaming decisions
- Speed up client’s search for nearby APs that are available as roaming targets by creating an optimized list of channels
- Works in conjunction with 802.11r to speed up the scanning process
- Delivered inside 802.11 Action frames
- Information delivered: BSSID of neighbor AP, mobility domain, QOS, Automatic power save delivery, radio measurement, BlockAck method, security, channel number, PHY type
- Will work only if supported by clients and APs (iPhones support it)
802.11v
- Wireless Network Management (WNM) – exchanges info about surrounding network conditions
- Information delivered: BSS max idle time, BSS transition mechanism (shares info about AP load), channel usage, event reporting, location services, proxy ARP, SSID list
- Provides a method for the access point to initiate a roaming event instead of waiting for the client device to make that decision.
Voice Enterprise
- Wi-Fi alliance certification that defines enhanced support for voice applications in enterprise
- Many aspects of 802.11k, 802.11v, and 802.11r are tested
- Expectations – voice quality and data traffic coexistence
- Features – WMM (QOS), WMM-admission control (bandwidth management), seamless roaming (802.11r), network measurement (802.11k), network management (802.11v), battery life (WMM-PS)
- If enabled on WLANs, it will cause issues with legacy voice devices (separate SSID)
- Client devices manufactured before 2012 – will not support 802.11k/v/r
- Requirements:
  - Latency – one-way delay < 50 ms
  - Jitter – < 50 ms
  - Packet loss – < 1%
Layer 3 roaming
- Roaming across L3 boundaries (different VLANs/Subnets) will end up in a client IP address change
- This will end up in VoIP phone disconnect
- Resolution – Mobile IP standard of using an IP tunnel
Troubleshooting
- PSK – passphrase mismatch, PMK not properly created, 4-way handshake fails
- Roaming – driver issue, method supported on client, sticky client (primary vs. secondary coverage), L3 roaming
- AP config – hidden nodes, mismatched power