In this topic we can cover below points
1. What is Wi-Fi roaming and why it requires ?
2. Different infrastructures where roam can happen.
3. Different ways of handling roaming
1. What is Wi-Fi roaming and why it requires ?
As everybody is using the mobile, roaming will happen seamlessly between cell towers when we are moving
on different ways like cars, trains and buses. So that our call won't cut in between. Similar be the case
with Laptops and Smart phones where we connected to the network through Wi-Fi. We may be downloading some movie
or game or talking on Skype through Wi-Fi .We need fast transition to move from one AP to another without users
knowledge.
Days are coming soon where everybody will use Skype with video call by using Wi-fi. Already some of countries implemented Wi-Fi for entire city there we can use Wi-Fi like our Cell towers.
2. Different infrastructures where roam can happen.
Roaming will happen whenever we roam from coverage area of one AP to coverage area of another AP in the ESS. As we know BSS is the coverage area of single AP like below picture.
Fig :1
ESS is the coverage area of Two or more APs which have same SSID so that clients can able to roam between those APs without disconnecting the network like below pic.
So from the above discussion we understand that roaming will happen whenever we have ESS. The ESS roaming can happened in different ways like below.
a. Roaming between two Independent APs( Autonomous APs like above Fig :2)
3. Different ways of handling roaming
Usually if we use open authentication without any security there is no much delay in connecting.But in practical we will use different authentication methods to protect the our network.So it will take some time to complete the authentication which will cause some delay in re-connecting. So we are using diffrent Technics to overcome those. whenever we roam our client from one AP to another AP re-Association will happen.
Re-association can happen in 4 different ways
a. Full dot1x authentication with new AP
b. PMK caching
c. Pre-authentication
d. Opportunistic Key caching (OKC)
a. Full dot1x authentication with new AP
Whenever we roam from one AP to another new AP first time it will do the complete 802.1x process like below.
But time critical applications like Voice and Video make disturb as dot1x process considerable amount of time while re-connecting the network.
b. PMK caching
- Usually whenever we connect any AP with any dot1x method or PSK we will derive the PMK and followed by PMKSA.
- In PMK caching whenever we connect to any AP we save the PMKSA (PMKID is part of PMKSA) as per life time.
Later point of time if we are trying to connect to the same AP(BSSID) we will check whether PMKSA of that AP is available in the client cache .
- If it is available we send that PMKSA in the re-association request.
- Then AP will check PMK cache of AP ,if it is avilable then without going to the dot1x process again it will go the direct first step of 4-way handshake.
- So that considerable amount of time will be saved in re-connecting the AP.
c. Pre-authentication
- In Pre-authentication Client will Authenticate to the other APs which are in the ESS even client is not assosiated with those APs and Client even may be in the APS coverage area.
- So that whenever it went to that APs coverage area client can skip the dot1x process and continue the 4-way handshake process.
- In pre-authentication client will authenticate other Aps through the AP which is currently connected. whenever client send EAPOl request current AP will forward the request to the targeted AP through distribution system.
- For identifying these frames client will send in ETHER TYPE 88-C7 instead of 88-8E. For pre-authentication to happen both client and AP have to support pre-authentication. That we can see in the beacon frame of the AP.
d. Opportunistic Key caching (OKC)
- Opportunistic Key caching (OKC) is supported by only few vendors like Aruba and Motorola.
- Opportunistic Key caching (OKC) will happen with controller based infrastructure rather than autonomous APs.
- controller based infrastructure will work in split-MAC architecture where some of part of operations handled at AP and some Part of operations handled at controller.
- In this whenever client completes dot1x process with AP1 of the controller both client and AP1 have pmkid1 .
- So this pmkid1 will be forwaded to the controller .
- Controller will forward the pmkid1 to the other APs in the network under that controller.
- For deriving the PMMID2 with second AP AP2 client will use the formula for calculating the PMKID.
- PMKID=HMAC-SHA1-128(PMK,"PMK name"||AA||SPA).
- So whenever it is roaming to the second AP it already have PMKID2 for the second AP.
- As second AP already have PMKID2 through controller by using same formula. It will check the client PMKID2 with its PMKID2.
- If it is matches it will skip dot1x process and go the first step of the 4-way handshake process.