INTRODUCTION

802.11r Fast Transition (FT) Roaming is an amendment to the IEEE 802.11 standard that introduces a new approach to roaming. The initial handshake with the new Access Point (AP) occurs before the client roams to the target AP; this is called Fast Transition (FT). The initial handshake allows the client and the APs to calculate the Pairwise Master Key (PMK) in advance. Once the client performs the re-association request or response exchange with the new AP, the PMK keys are applied to the client and AP. The FT key hierarchy allows clients to make fast Base Station Subsystem (BSS) transitions between APs without the need for re-authentication at every AP.

802.11r eliminates the handshake overhead while roaming and thereby reduces the hand-off times between APs, which provides security and QoS. It is useful for client devices with delay-sensitive applications, such as voice and video over Wi-Fi.

802.11r – Types

For a client to move from the current AP to the target AP using FT protocols, the message exchanges are performed using one of the following methods:

1. Over-the-Air FT Roaming
2. Over-the-DS (Distribution System) FT Roaming

Over the Air – In a Nutshell

The client communicates directly with the target AP using IEEE 802.11 authentication with the FT authentication algorithm.

Over the Air – Intra controller

Step 1: Client associates with AP1 and requests to roam with AP2.
Step 2: Client sends an FT Authentication Request to AP2 and receives an FT Authentication Response from AP2.
Step 3: Client sends an FT Re-association Request to AP2 and receives an FT Re-association Response from AP2.
Step 4: Client completes its roam from AP1 to AP2.

Over the Air – Inter controller

Step 1: Client associates with AP1 and requests to roam with AP2.
Step 2: Client sends an FT Authentication Request to AP2 and receives an FT Authentication Response from AP2.
Step 3: WLC-1 sends PMK and mobility message to WLC-2 about the roaming client that uses mobility infrastructure.
Step 4: Client completes its roam from AP1 to AP2.

Over the DS – In a Nutshell

In roaming over the DS, the client communicates with the target AP through the current AP. The communication is carried in FT action frames between the client and the current AP, through the controller.

Over the DS – Intra controller

Step 1: Client associates with AP1 and requests to roam with AP2.
Step 2: Client sends an FT Authentication Request to AP1 and receives an FT Authentication Response from AP1.
Step 3: The controller sends the pre-authentication information to AP2, as the APs are connected to the same controller.
Step 4: Client sends an FT Re-association Request to AP2 and receives an FT Re-association Response from AP2.
Step 5: Client completes its roam from AP1 to AP2.

Over the DS – Inter controller

Step 1: Client associates with AP1 and requests to roam with AP2.
Step 2: Client sends an FT Authentication Request to AP1 and receives an FT Authentication Response from AP1.
Step 3: WLC-1 sends Pairwise Master Key (PMK) and mobility message to WLC-2 about the roaming client.
Step 4: Client completes its roam from AP1 to AP2.

CISCO 802.11r

Pure Mode

In "Pure" mode, the only Authentication Key Management (AKM) method listed in the Robust Security Network (RSN) Information Element is an FT method. Common FT methods are 802.1X FT or PSK FT. Clients that don't support 802.11r will not be able to connect to this type of WLAN. They may not even see it.

Beacons and Probe Responses for a non-FT network will contain non-FT AKM methods in the RSN IE, like PSK shown above. Notice, there is NO “Mobility Domain” IE.

Mixed mode

In mixed mode operation, both FT and non-FT AKM methods are included in the AKM suite. This mode allows both clients that do and clients that don't support FT to connect. There will still be clients that get confused by the presence of an FT AKM. Notably, if you change an existing WLAN to mixed mode FT, macOS clients may not be able to connect until you delete the WLAN profile and re-connect.
The RSN IE contains two AKM entries: regular PSK and FT using PSK. In addition to the FT AKM, Beacons and Probe Responses WILL contain the Mobility Domain IE.

Adaptive Mode

Moving forward we will be using Adaptive FT. In this mode, the beacon does not advertise the FT AKM at all, but the network will use FT when supported clients connect. With Adaptive 11r enabled on a WLAN, the RSN IE does not have any FT methods, but the Mobility Domain IE is present.

Question: In the Adaptive FT Beacon/Probe Response, the RSN IE is non-FT. So, how does a client come to know whether ‘Adaptive FT’ is there for use or not?

Answer: We see the following Aironet IE in the Beacon/Probe Response even if Aironet IE is disabled, indicating that Adaptive FT is there for use. Bear in mind that this is in addition to the Mobility Domain IE being present for the clients who can understand it.

Question: How does the AP/WLC come to know that the client supports Adaptive FT then?

Answer: As shown below, like the Aironet IE, the clients send out a Vendor IE in their Association Request indicating their support for Adaptive FT.

So, when we look at the Association Request from a client device that does not support Adaptive FT, we see the following –

This indicates that the client saw that there was no FT AKM method in the RSN IE. The client determined that the network did not support FT and ignored the Mobility Domain IE. The expanded RSN IE shows that the client will use PSK as the Authentication Key Management.

However, when we look at the Association Request from a client that DOES support Adaptive FT, we see the following –

The RSN IE shows that the AKM chosen was FT using PSK, which is not advertised in the beacons! This indicates that the client understood the RSN IE, the MD IE and the Aironet IE, and therefore responded with its support for Adaptive FT.

Does FT really improve roaming timings? If so, by how much?
Going by the observations made in not heavily utilized networks –

1) In a non-FT network, you may achieve a roaming delay of about 150ms.
2) When using FT ‘over the air’, the delay is reduced to as low as 16ms.
3) When using FT ‘over the DS’, it can give a delay of about 71ms.

Deviations may be observed depending on the environment.
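To check which of the modes described above (Pure, Mixed, Adaptive) a WLAN is really advertising, the RSN IE's AKM list and the Mobility Domain IE can be read straight from the tagged parameters of a captured Beacon or Probe Response. The following is an added example, not code from the original article or from Cisco; the sample frames are constructed, the function names are hypothetical, and the Aironet vendor IE is not parsed because the article does not give its layout.

```python
import struct

RSN_IE, MD_IE = 48, 54  # element IDs: RSN, Mobility Domain
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}  # OUI 00-0F-AC types
FT_AKMS = {"FT-802.1X", "FT-PSK"}

def iter_ies(buf):
    """Yield (element_id, body) per tagged parameter; reject truncated input."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated information element")
        yield buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def rsn_akms(body):
    """Return the AKM suite names listed in an RSN IE body."""
    if len(body) < 8:  # version(2) + group cipher(4) + pairwise count(2)
        raise ValueError("RSN IE too short")
    off = 8 + 4 * struct.unpack_from("<H", body, 6)[0]  # skip pairwise list
    if len(body) < off + 2:
        raise ValueError("RSN IE has no AKM count")
    count = struct.unpack_from("<H", body, off)[0]
    suites = body[off + 2:off + 2 + 4 * count]
    if len(suites) != 4 * count:
        raise ValueError("RSN IE AKM list truncated")
    return [AKM.get(suites[k + 3], "other") if suites[k:k + 3] == b"\x00\x0f\xac"
            else "vendor" for k in range(0, len(suites), 4)]

def classify(tagged):
    """Map advertised IEs to the page's modes: pure, mixed, adaptive, non-ft."""
    akms, md = [], None
    for eid, body in iter_ies(tagged):
        if eid == RSN_IE:
            akms = rsn_akms(body)
        elif eid == MD_IE and len(body) >= 3:
            md = {"mdid": body[:2].hex(), "over_ds": bool(body[2] & 0x01)}
    ft = [a for a in akms if a in FT_AKMS]
    if ft:
        return ("pure" if len(ft) == len(akms) else "mixed"), akms, md
    # Per the page: no FT AKM but a Mobility Domain IE present means Adaptive FT
    return ("adaptive" if akms and md else "non-ft"), akms, md

def _rsn(*akm_types):  # constructed sample: CCMP group/pairwise, given AKMs
    body = b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
    body += struct.pack("<H", len(akm_types))
    body += b"".join(b"\x00\x0f\xac" + bytes([t]) for t in akm_types) + b"\x00\x00"
    return bytes([RSN_IE, len(body)]) + body

_MD = bytes([MD_IE, 3]) + b"\x12\x34\x01"  # constructed MDID 0x1234, over-DS bit set
SAMPLES = {"pure": _rsn(4) + _MD, "mixed": _rsn(2, 4) + _MD,
           "adaptive": _rsn(2) + _MD, "non-ft": _rsn(2)}
```

`classify()` takes the tagged-parameter bytes of a management frame (everything after the fixed fields) and returns the mode, the AKM list and the Mobility Domain fields, so an audit can confirm that a WLAN configured as Adaptive is not also advertising an FT AKM.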
27/9/2022 09:29:06 am
It is quite complex to understand but this article is so useful!