802.11r Fast Transition Roaming
802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake with the new AP is done even before the client roams to the target AP, which is called Fast Transition (FT). The initial handshake allows the client and APs to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys are applied to the client and AP after the client does the re-association request or response exchange with the new target AP. The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without requiring re-authentication at every AP. 802.11r eliminates much of the handshaking overhead while roaming, thus reducing the handoff times between APs while providing security and QoS. This is useful for client devices that have delay-sensitive applications such as voice and video and is the key requirement for voice over Wi-Fi.
This chapter includes the following topics:
- How a Client Roams
- Over the Air Intra Controller Roam
- Over the Air Inter Controller Roam
- Over-the-DS Intra Controller Roam
- Over-the-DS Inter Controller Roam
- Web UI Configuration for Fast Transition Roaming
- CLI Configuration for Fast Transition Roaming
How a Client Roams
- Over-the-Air FT Roaming
- Over-the-DS (Distribution System) FT Roaming
- Over-the-Air: The client communicates directly with the target AP using IEEE 802.11 authentication with the FT authentication algorithm.
Figure 1. Fast BSS Transition Over-the-Air in RSN
- Over the DS: The client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT action frames between the client and the current AP and is then sent through the controller.
Figure 2. Fast BSS Transition Over the DS in RSN
Over the Air Intra Controller Roam
Over the Air Inter Controller Roam
- Client is associated with AP1 and wants to roam to AP2.
- Client sends FT Authentication Request to AP2 and receives FT Authentication Response from AP2.
- Pairwise Master Key (PMK) is sent from WLC-1 to WLC-2. WLC-1 sends a mobility message to WLC-2 about the roaming client using the mobility infrastructure.
- Client completes its roam from AP1 to AP2.
Over-the-DS Intra Controller Roam
- Client is associated with AP1 and wants to roam to AP2.
- Client sends FT Authentication Request to AP1 and receives FT Authentication Response from AP1.
- The APs are connected to the same controller, so the pre-authentication information is sent from the controller to AP2.
- Client sends a Reassociation Request to AP2 and receives a Reassociation Response from AP2.
- Client completes its roam from AP1 to AP2.
Over-the-DS Inter Controller Roam
- Client is associated with AP1 and wants to roam to AP2.
- Client sends FT Authentication Request to AP1 and receives FT Authentication Response from AP1.
- PMK is sent from WLC-1 to WLC-2. Controller WLC-1 sends a mobility message to WLC-2 about the roaming client.
- Client completes its roam from AP1 to AP2.
Web UI Configuration for Fast Transition Roaming
- Choose WLAN > Security > Layer2. Make sure that Layer 2 Security is WPA+WPA2 or Open.
- Check the Fast Transition checkbox. This will enable Over the Air FT for the WLAN.
- To enable Over the DS FT, check the Over the DS checkbox.
- Reassociation Timeout can be configured between 1 and 100 seconds; the default is 20 seconds. The time between the FT Authentication Request and the Reassociation Request must not exceed the Reassociation Timeout.
CLI Configuration for Fast Transition Roaming
security ft [ over-the-ds | reassociation-timeout timeout-in-seconds ]
Example:
Controller(config-wlan)# security ft reassociation-timeout 23
Controller(config-wlan)#security wpa akm ft ?
  dot1x  Configures 802.1x support
  psk    Configures PSK support
Monitoring 802.11r
show wlan name wlan-name
Displays the WLAN parameters on the WLAN. The FT parameters are displayed.
Example:
FT Support :Enabled
FT Reassociation Timeout :10
FT Over-The-DS mode :Enabled
Troubleshooting Support
Controller#debug dot11 dot11r ?
  all     all
  events  802.11r event
  keys    802.11r keys
Controller#set trace dot11 dot11r ?
  event   802.11r event debugging
  filter  Trace Adapted Flag Filter
  keys    802.11r keys debugging
  level   Trace Level
Limitations
- Supported only on OPEN and WPA2 WLANs.
- Non-802.11r clients cannot associate to a WLAN that has 802.11r enabled.
- This feature will not be supported with LEAP because LEAP only comes up with a 32-byte MSK, whereas other EAP types come up with a 64-byte MSK.
- The domain of 802.11r is confined to the Mobility Group.
- FT Resource request protocol will not be supported in this release because clients also do not have this support.
- Each controller will allow a maximum of 3 FT handshakes with different APs under its control.
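The LEAP limitation above follows from how the FT key hierarchy described in the introduction is rooted: with 802.1X, the hierarchy is keyed from the second 256 bits of the MSK. The following is an added example, not Cisco code, of the IEEE 802.11 FT derivation for the SHA-256 based FT AKMs. The SSID, mobility domain ID, key holder IDs, MAC addresses and MSK are constructed, and which device acts as R0 or R1 key holder on the controller is an assumption this page does not state.

```python
import hashlib
import hmac

def kdf_sha256(key, label, context, bits):
    """802.11 KDF: HMAC-SHA256 over counter || label || context || length (16-bit LE)."""
    out, counter = b"", 1
    while len(out) * 8 < bits:
        msg = counter.to_bytes(2, "little") + label + context + bits.to_bytes(2, "little")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[: bits // 8]

def xxkey_from_msk(msk):
    """FT with 802.1X roots the hierarchy in the second 256 bits of the MSK."""
    if len(msk) < 64:
        raise ValueError(f"MSK is {len(msk)} bytes; FT needs bytes 32..63 as XXKey")
    return msk[32:64]

def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, sta_mac):
    """PMK-R0 and PMKR0Name: one per client per mobility domain."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + sta_mac
    data = kdf_sha256(xxkey, b"FT-R0", ctx, 384)
    return data[:32], hashlib.sha256(b"FT-R0N" + data[32:48]).digest()[:16]

def derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh_id, sta_mac):
    """PMK-R1 and PMKR1Name: one per R1 key holder, derived without re-authentication."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + sta_mac, 256)
    name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + sta_mac).digest()[:16]
    return pmk_r1, name

# Constructed sample values (assumptions, not taken from the page).
MSK = bytes(range(64))                    # 64-byte MSK from a non-LEAP EAP method
SSID = b"voice-wlan"
MDID = bytes.fromhex("a1b2")              # 2-byte mobility domain ID
R0KH_ID = b"wlc-1.example"                # hypothetical R0 key holder name
STA = bytes.fromhex("020000000001")       # client MAC (S0KH-ID / S1KH-ID)
R1KH_A = bytes.fromhex("0200000000a1")    # hypothetical R1 key holder, current side
R1KH_B = bytes.fromhex("0200000000a2")    # hypothetical R1 key holder, roam target

def demo():
    """Derive the PMK-R1 for two key holders from a single authentication."""
    pmk_r0, r0_name = derive_pmk_r0(xxkey_from_msk(MSK), SSID, MDID, R0KH_ID, STA)
    return (derive_pmk_r1(pmk_r0, r0_name, R1KH_A, STA),
            derive_pmk_r1(pmk_r0, r0_name, R1KH_B, STA))

if __name__ == "__main__":
    for label, (key, name) in zip(("A", "B"), demo()):
        print(f"R1KH {label}: PMK-R1={key.hex()} PMKR1Name={name.hex()}")
```

Each R1 key holder gets a distinct PMK-R1 from the same PMK-R0, so the target can run the PTK calculation without a new EAP exchange, and a 32-byte MSK is rejected because it has no second half to use as XXKey.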