Wi-Fi is a Passion


Designing for roaming

There are three types of roaming:
- Layer 2 roaming across access points with one or no controller (intracontroller roaming)
- Layer 2 roaming across access points with separate controllers (intercontroller roaming)
- Layer 3 roaming
With layer 2 roaming, the IP connection is not lost and the roam typically takes less than 40 milliseconds. With layer 3 roaming, the client gets a new IP address, so the connection is lost. The 802.11 standards do not define how the communication within the infrastructure must occur during roaming, only what should take place when roaming happens. For fast secure roaming, the cells of the access points must overlap 15 to 30 percent. This is hard to measure, so at every location at least two access points should be visible for real-time devices. Roaming is only needed when moving to a new access point; moving within the cell of one access point does not require roaming. There are different types of roaming solutions and they are all explained in depth in my CWSP study blogs.

Pre-authentication: 802.1X/EAP is performed before the client roams to a new access point. It is done over the wired network to all the access points that the current access point can hear. The advantages are:
- Standardized by IEEE
- Supported on any WLAN architecture
- Prior to roaming
The disadvantages are:
- Still requires 802.1X/EAP
- Not scalable
- Access points the client never roams to also receive the pre-authentication

PMK Caching: the PMK is cached on the access point. This is called a slow roam forward, because every time the client connects to a new access point it goes through the whole 802.1X/EAP process. However, when the client moves back to an access point it has already authenticated with, the PMK is still cached there and the 802.1X/EAP process can be skipped. The advantages are:
- Standardized by IEEE
- Supported on any WLAN architecture
- No traffic overhead
The disadvantages are:
- Fast roaming only to access points the client has already connected to
- The 802.1X/EAP is still required for new access points

Opportunistic Key Caching (OKC) is not defined in an 802.11 standard, though it has some commonality with 802.11r, which is discussed next. The PMK and the PMKID are forwarded to the new access point from the initial access point the client is associated with. The station and the controller use the same algorithm to compute a unique PMKID for each access point, and that PMKID is passed to the access point. The advantages are:
- Good solution until 802.11r is available
- Scales well
- Needs only one single 802.1X/EAP authentication
The disadvantages are:
- Not a standard
- Not many clients support it
- Not compatible across many vendors
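The practical difference between PMK caching and OKC is which access points can find the client's PMKID in their cache. The following Python sketch is an added example, not code from the original post; it uses the 802.11 PMKID definition (HMAC-SHA1-128 over "PMK Name" || AP MAC || station MAC) with constructed MAC addresses and a random PMK to show which roams hit the cache under each scheme.

```python
import hashlib
import hmac
import os


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) for the SHA-1 based AKMs.
    Both the station and the infrastructure can compute it independently,
    which is exactly what OKC relies on."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


class AccessPoint:
    def __init__(self, bssid: bytes):
        self.bssid = bssid
        self.pmksa_cache = {}  # PMKID -> PMK

    def learn_pmk(self, pmk: bytes, sta_mac: bytes) -> None:
        """Cache a PMKSA for this station, keyed by the PMKID computed with this AP's own BSSID."""
        self.pmksa_cache[pmkid(pmk, self.bssid, sta_mac)] = pmk

    def reassociate(self, offered_pmkid: bytes) -> str:
        """The client proposes a PMKID in the RSN IE of its (Re)Association Request.
        A cache hit skips 802.1X/EAP and goes straight to the 4-way handshake;
        a miss means a fresh 802.1X/EAP exchange with this AP."""
        return "fast-roam" if offered_pmkid in self.pmksa_cache else "full-802.1X/EAP"


def simulate(okc: bool) -> list:
    """Roam from AP 0 to AP 1 and back, returning the outcome of each roam."""
    sta = bytes.fromhex("020000000001")  # constructed station MAC
    aps = [AccessPoint(bytes.fromhex("020000000010")),  # constructed BSSIDs
           AccessPoint(bytes.fromhex("020000000020"))]
    pmk = os.urandom(32)  # result of the single 802.1X/EAP authentication on AP 0
    aps[0].learn_pmk(pmk, sta)
    if okc:
        # OKC: the controller forwards the PMK to the other APs, each of which
        # derives the PMKID with its own BSSID before the client ever arrives.
        for ap in aps[1:]:
            ap.learn_pmk(pmk, sta)
    results = []
    for ap in (aps[1], aps[0]):  # roam forward to AP 1, then back to AP 0
        results.append(ap.reassociate(pmkid(pmk, ap.bssid, sta)))
    return results
```

With plain PMK caching only the roam back is fast; with OKC both roams hit the cache after the one authentication.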

802.11r is an amendment that defines fast secure roaming and introduces two new PMK keys, PMK-R0 and PMK-R1. The PMK-R0 is held at the wireless controller and the PMK-R1 at the access points; the PMK-R1 is derived from the PMK-R0. So there is only one PMK created for the authentication session. The advantages are:
- Standards-based fast roaming
- Voice-Enterprise certification requires 802.11r
- Most efficient method
The disadvantages are:
- Slow adoption in the market
- Many new terms, requiring additional education