802.11r Fast Transition Roaming

802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake with the new AP is done even before the client roams to the target AP, which is called Fast Transition (FT). The initial handshake allows the client and APs to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys are applied to the client and AP after the client does the re-association request or response exchange with the new target AP. The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without requiring re-authentication at every AP. 802.11r eliminates much of the handshaking overhead while roaming, thus reducing the handoff times between APs while providing security and QoS. This is useful for client devices that have delay-sensitive applications such as voice and video and is the key requirement for voice over Wi-Fi.

This chapter includes the following topics:

How a Client Roams

For a client to move from its current AP to a target AP using the FT protocols, the message exchanges are performed using one of the following two methods:
  • Over-the-Air FT Roaming
  • Over-the-DS (Distribution System) FT Roaming
  • Over-the-Air: The client communicates directly with the target AP using IEEE 802.11 authentication with the FT authentication algorithm.
    Figure 1. Fast BSS Transition Over-the-Air in RSN

  • Over the DS: The client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT action frames between the client and the current AP and is then sent through the controller.
    Figure 2. Fast BSS Transition Over the DS in RSN



Over the Air Intra Controller Roam

The following steps describe the message exchange in the case where a client is roaming between APs, AP1, and AP2, connected to the same controller:
  1. Client is associated with AP1 and wants to roam to AP2.
  2. Client sends an FT Authentication Request to AP2 and receives FT Authentication Response from AP2.
  3. Clients sends a Reassociation Request to AP2 and receives a Reassociation Response from AP2.
  4. Client completes its roam from AP1 to AP2.
Figure 3. Over the Air Intra Controller Roam

Over the Air Inter Controller Roam

The following steps describe the message exchange in the case where a client is roaming between APs, AP1, and AP2, connected to different controllers, WLC1 and WLC2 respectively, within a mobility group:
  1. Client is associated with AP1 and wants to roam to AP2.
  2. Client sends FT Authentication Request to AP2 and receives FT Authentication Response from AP2.
  3. Pairwise Master Key (PMK) is sent from WLC-1 to WLC-2. WLC-1 sends a mobility message to WLC-2 about the roaming client using the mobility infrastructure.
  4. Client completes its roam from AP1 to AP2.
Figure 4. Over the Air Inter Controller Roam

Over-the-DS Intra Controller Roam

The following steps describe the message exchange in the case where a client is roaming between APs, AP1, and AP2, connected to the same controller:
  1. Client is associated with AP1 and wants to roam to AP2.
  2. Client sends FT Authentication Request to AP1 and receives FT Authentication Response from AP1.
  3. The APs are connected to same controller, hence the pre-Authentication information is sent from the controller to AP2.
  4. Client sends a Reassociation Request to AP2 and receives a Reassociation Response from AP2.
  5. Client completes its roam from AP1 to AP2.
Figure 5. Over the DS Intra Controller Roam

Over-the-DS Inter Controller Roam

The following steps describe the message exchange in the case where a client is roaming between APs, AP1, and AP2, connected to different controllers, WLC1 and WLC2 respectively, within a mobility group:
  1. Client is associated with AP1 and wants to roam to AP2.
  2. Client sends FT Authentication Request to AP1 and receives FT Authentication Response from AP1.
  3. PMK is sent from WLC-1 to WLC-2 . Controller WLC-1 sends a mobility message to WLC-2 about the roaming client.
  4. Client completes its roam from AP1 to AP2.
Figure 6. Over the DS Inter Controller Roam

Web UI Configuration for Fast Transition Roaming

802.11r fast transition roaming can be configured using the WLAN GUI:
  1. Choose WLAN > Security > Layer2. Make sure that Layer 2 Security is WPA+WPA2 or Open.
  2. Check the Fast Transition checkbox. This will enable Over the Air FT for the WLAN.
  3. To enable Over the DS FT, check the Over the DS checkbox.
  4. Reassociation Timeout can be configured between 1-100 seconds, the default being 20 seconds. The time between FT Authentication Request and Re-association Request must not exceed the Re-association Timeout.
Figure 7. 802.11r Web UI Configuration

CLI Configuration for Fast Transition Roaming

The following command is available under the WLAN configuration to configure Fast Transition Roaming: 
security ft [ over-the-ds | reassociation-timeout timeout-in-seconds]

Example: 

Controller(config-wlan)# security ft reassociation-timeout 23
  • over-the-ds: Enables 802.11r fast transition parameters over a distributed system.
  • reassociation-timeout: Enables 802.11r fast transition reassociation timeout. The range is 1 to 100 seconds.
WLAN configuration also contains a new Authenticated Key Management (AKM) type called FT (Fast Transition). 
Controller(config-wlan)#security wpa akm ft ?
  dot1x    Configures 802.1x support
  psk      Configures PSK support

Monitoring 802.11r

show wlan name wlan-name

Displays the WLAN parameters on the WLAN. The FT parameters are displayed.

Example: 

FT Support              :Enabled   
FT Reassociation Timeout  :10
FT Over-The-DS mode       :Enabled

Troubleshooting Support

Controller#debug dot11 dot11r ?
  all     all
  events  802.11r event
  keys    802.11r keys

Controller#set trace dot11 dot11r ?
  event   802.11r event debugging
  filter  Trace Adapted Flag Filter
  keys    802.11r keys debugging
  level   Trace Level

Limitations

  • Supported only on OPEN and WPA2 WLANs.
  • Non 802.11r client cannot associate to WLAN which has 802.11r enabled.
  • This feature will not be supported with LEAP because LEAP only comes up with a 32 byte MSK and other EAP types come up with a 64 byte MSK.
  • The domain of 802.11r is confined to the Mobility Group.
  • FT Resource request protocol will not be supported in this release because clients also do not have this support.
  • Each controller will allow a maximum of 3 FT handshakes with different APs under its control.