Saturday, October 6, 2012

How Roaming, PMK Caching, OKC and Pre-authentication Work

In this topic we will cover the points below:

1. What is Wi-Fi roaming and why is it required?
2. Different infrastructures where roaming can happen
3. Different ways of handling roaming

1. What is Wi-Fi roaming and why is it required?

Everybody uses a mobile phone, and roaming happens seamlessly between cell towers while we are moving
in cars, trains and buses, so that our call is not cut off in between. The same is the case
with laptops and smartphones that are connected to the network through Wi-Fi. We may be downloading a movie
or a game, or talking on Skype through Wi-Fi. We need a fast transition to move from one AP to another without users

The days are coming soon when everybody will make Skype video calls over Wi-Fi. Some countries have already implemented Wi-Fi for an entire city, where we can use Wi-Fi like our cell towers.

2. Different infrastructures where roaming can happen

Roaming happens whenever we move from the coverage area of one AP to the coverage area of another AP in the ESS. As we know, a BSS is the coverage area of a single AP, as in the picture below.

Fig :1

An ESS is the coverage area of two or more APs that have the same SSID, so that clients are able to roam between those APs without disconnecting from the network, as in the picture below.

      Fig : 2

So from the above discussion we understand that roaming can happen whenever we have an ESS. ESS roaming can happen in different ways, as listed below.

a. Roaming between two independent APs (autonomous APs, as in Fig. 2 above)

b. Roaming between two APs under the same controller (thin APs)

c. Roaming between two APs that are under two different controllers

3. Different ways of handling roaming

Usually, if we use open authentication without any security, there is not much delay in connecting.
But in practice we use different authentication methods to protect our network, so it takes some time to complete the authentication, which causes some delay in re-connecting. So we use different techniques to overcome that delay. Whenever our client roams from one AP to another AP, a re-association happens.

Re-association can happen in 4 different ways

a. Full dot1x authentication with new AP
b. PMK caching
c. Pre-authentication
d. Opportunistic Key caching (OKC)

a. Full dot1x authentication with new AP

Whenever we roam from one AP to a new AP for the first time, the client does the complete 802.1X process like below.

But this disturbs time-critical applications like voice and video, as the dot1x process takes a considerable amount of time while re-connecting to the network.

b. PMK caching

  • Usually, whenever we connect to any AP with any dot1x method or PSK, we derive the PMK, followed by the PMKSA.
  • In PMK caching, whenever we connect to any AP we save the PMKSA (the PMKID is part of the PMKSA) for its lifetime.

At a later point in time, if we try to connect to the same AP (BSSID), we check whether the PMKSA of that AP is available in the client cache.

  • If it is available, we send that PMKSA in the re-association request.
  • The AP then checks its own PMK cache. If the entry is available, it goes directly to the first step of the 4-way handshake without going through the dot1x process again.
  • So a considerable amount of time is saved in re-connecting to the AP.

c. Pre-authentication

  • In pre-authentication, the client authenticates to the other APs in the ESS even though it is not associated with those APs, and the client may even be in those APs' coverage area.
  • So whenever it moves into one of those APs' coverage area, the client can skip the dot1x process and continue with the 4-way handshake process.

  • In pre-authentication, the client authenticates to the other APs through the AP to which it is currently connected. Whenever the client sends an EAPOL request, the current AP forwards the request to the targeted AP through the distribution system.
  • To identify these frames, the client sends them with EtherType 88-C7 instead of 88-8E. For pre-authentication to happen, both the client and the AP have to support pre-authentication. We can see that in the beacon frame of the AP.

d. Opportunistic Key caching (OKC)

  • Opportunistic Key Caching (OKC) is supported by only a few vendors, like Aruba and Motorola.
  • OKC happens in controller-based infrastructure rather than with autonomous APs.
  • Controller-based infrastructure works in a split-MAC architecture, where some operations are handled at the AP and some operations are handled at the controller.
  • Here, whenever the client completes the dot1x process with AP1 of the controller, both the client and AP1 have PMKID1.
  • This PMKID1 is forwarded to the controller.
  • The controller forwards PMKID1 to the other APs in the network under that controller.
  • To derive PMKID2 for the second AP (AP2), the client uses the formula for calculating the PMKID:
  • PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).

  • So whenever the client roams to the second AP, it already has PMKID2 for the second AP.
  • The second AP already has PMKID2 through the controller, computed with the same formula, so it checks the client's PMKID2 against its own PMKID2.
  • If they match, it skips the dot1x process and goes to the first step of the 4-way handshake process.
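
The PMKID formula and the AP2-side check described above, as an added Python example (not code from the original post or from any vendor). `ApKeyCache`, the sample MAC addresses and the PMK are constructed for illustration, and the example assumes the controller makes the PMK from the AP1 session available to AP2, since the formula takes the PMK as its HMAC key; AA is the AP's BSSID and SPA is the client's MAC address.

```python
import hashlib
import hmac

PMKID_LABEL = b"PMK Name"  # ASCII label inside the HMAC input (case matters)

# Constructed sample values (locally administered MACs, dummy 256-bit PMK).
SAMPLE_PMK = bytes(range(32))
AP1_BSSID = "02:00:00:00:01:01"
AP2_BSSID = "02:00:00:00:01:02"
CLIENT_MAC = "02:00:00:00:00:aa"


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def pmkid(pmk: bytes, aa: str, spa: str) -> bytes:
    """HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): first 16 bytes of the MAC."""
    data = PMKID_LABEL + mac_to_bytes(aa) + mac_to_bytes(spa)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class ApKeyCache:
    """Hypothetical AP-side cache, filled by the controller (an assumption)."""

    def __init__(self, bssid: str):
        self.bssid = bssid
        self.pmk_by_client = {}  # raw client MAC -> PMK

    def install(self, spa: str, pmk: bytes) -> None:
        self.pmk_by_client[mac_to_bytes(spa)] = pmk

    def accepts(self, spa: str, offered_pmkid: bytes) -> bool:
        """True: skip 802.1X, start the 4-way handshake. False: full 802.1X."""
        pmk = self.pmk_by_client.get(mac_to_bytes(spa))
        if pmk is None:
            return False
        expected = pmkid(pmk, self.bssid, spa)
        return hmac.compare_digest(expected, offered_pmkid)


def roam_to_ap2() -> bool:
    """Client roams from AP1 to AP2 and offers the PMKID2 it computed itself."""
    ap2 = ApKeyCache(AP2_BSSID)
    ap2.install(CLIENT_MAC, SAMPLE_PMK)          # pushed via the controller
    return ap2.accepts(CLIENT_MAC, pmkid(SAMPLE_PMK, AP2_BSSID, CLIENT_MAC))
```

Because AA is part of the HMAC input, the PMKID1 negotiated with AP1 does not validate at AP2; the client has to recompute the value for each BSSID, and an AP without a cached key for that client falls back to full 802.1X.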


  1. Good Job... The information is great and very crisp...
    It would be of great favor if you clear few of my doubts:
    1. I understand that when the first roam takes place, a full 802.1x authentication takes place. Later, when it roams back, only the PMK is used in re-assoc frame and through that the authentication takes place.
    So the client maintains 2 different PMK for AP1 and AP2???

    2. I did not understand how the client gets the PMKID for the second AP

  2. Hi Pavan,

    Answers to your questions:
    1. It will maintain 2 different PMKSAs for AP1 and AP2. A PMKSA contains different entities like PMKIDs, Authenticator MAC address, lifetime and AKMP.
    2. This will be applicable only in OKC. As I mentioned there, it will use the formula to calculate that, as it is a controller-based system.

    PMKID=HMAC-SHA1-128(PMK,"PMK name"||AA||SPA).

  3. Hi, It is a Good post,

    Can you please tell me which one offers better roaming.

    Is it pre authentication method or OKC?


  4. OKC is the better method for fast roaming. But this is applied only for unified infrastructure.

  5. Hi nagababu,

    PMKID=HMAC-SHA1-128(PMK,"PMK name"||AA||SPA)

    in this formula
    HMAC is hardware mac of cl/ap
    SHA1 is ???
    128(PMK,"PMK name"||AA||SPA) is ?????

    will u plz explain this...

    1. HMAC is hash message authentication code
      please read below for complete

  6. Hi,
    good post thank you...


  7. hi All,

    for WLAN testing which is the good company

    1. go for good product based company .
