Roaming between wireless access points is easy. When the client finds a new access point in range, it can connect to it. The only problem is that the increasing demands on security in wireless networks make that connection process rather slow and cumbersome.
When a device connects to a wireless network it has to be authenticate and that takes time. If every time a client roams, it is treated as a new arrival, then the delay and re-connection mean that applications are interrupted.
Apparently, there are several ways to avoid this problem, allowing users to roam securely and seamlessly among access points in 802.11 wireless LANs. However, vendors are implementing them in advance of standards, basing their work on basic provisions in the recently-ratified 802.11i wireless security specifications.
The 802.11i security standard, ratified in June, makes a couple of provisions for this capability, and WLAN start-up Airespace says it has codeveloped with Funk Software and Atheros an extension to one of the methods specifically for switched WLAN architectures that other vendors can also adopt (see news story).
You'll recall that Cisco recently announced fast, Layer 3 roaming via its Wireless LAN Services Module for its Catalyst 6500 switches. And Proxim announced last winter its own "partial-preauthentication" secure roaming method for its Orinoco Switching System, which began shipping in July as the Avaya W310 Wireless LAN Gateway.
From a standards perspective, Paul Funk, president of Funk Software, explained that 802.11i contains two specs for accelerating secure roaming that are aimed at traditional access points (AP), which operate independently rather than in conjunction with a WLAN switch:
- Pairwise Master Key (PMK) Caching allows the client to associate with an AP and, upon doing a full RADIUS authentication, store a master key negotiated with that particular AP in a cache. Should the user roam away from that AP and back again, the client will not have to reauthenticate. Funk referred to this 802.11i-specified method as "fast roam-back."
- Preauthentication or "fast-associate in advance." Using this 802.11i-specified capability, an 802.11 AP associated to a client could bridge to other APs over the wired network and preauthenticate the client to the "next" AP to which the client might roam.
In switched architectures, the "authenticator" in the 802.1x framework is the switch, rather than the AP (the client software is the "supplicant" and the RADIUS server is the "authentication server"). Theoretically, the switch could simply blast out the master key information for a given client to most or all APs upon successful authentication, potentially preauthenticating mobile clients for secure roaming on the entire WLAN. However, as Funk pointed out, many network operators would view this as wasting bandwidth and RADIUS resources if users don't roam to all those APs.
So Airespace, Funk Software and Atheros created Proactive Key Caching (PKC) for switched architectures. When a mobile device moves from AP to AP, the WLAN searches its PMK cache in the switch to see if the client has already been authenticated anywhere else on the network. If a PMK entry already exists for the wireless device, it doesn't perform the authentication process again.
With each client-AP association - whether PMK Caching or PKC is being used - the 802.11i standard calls for a Pairwise Transient Key (PTK) to be derived via a four-way handshake, which protects data actually sent over air. The PTK is discarded each time a user roams. If the PTK fails, reauthentication is required.
Funk said his company's Odyssey client software is scheduled to support the PKC capability late this month or next month (Airespace gear is slated to support PKC in September). Both supplicant and authenticator must support fast, secure roaming - be it PKC, PMK Caching, preauthentication or other implementation - for it to work.
But is it really new?
Trapeze Networks, a WLAN switch competitor to Airespace, contends that PMK Caching as defined in the standard is the same mechanism Airespace describes as PKC. As such, Trapeze says, its own WLAN switch supports fast, secure roaming in the same manner.