By operating authentication according to the IEEE 802.1X standard and key management according to the IEEE 802.11i standard, modern WLAN installations offer a high degree of security and confidentiality for the transmitted data. However, these standards require transmission of additional data packets during the connection negotiation as well as additional computing power on the client and server.
IEEE 802.11 originally required up to six data packets to establish a data connection between a WLAN client and an access point. The standard extension IEEE 802.11i improved on weak points of WEP encryption; however, depending on the authentication method, it substantially increased the length of the login process.
This extra time for the WLAN client to login to the access point is not a problem for non-time-critical applications. However, for smooth, loss-free roaming of a WLAN client from one access point to the next, a delay of more than 50 ms is not acceptable. Examples include Voice-over-IP (VoIP) or the application in real-time industrial environments. In this context, roaming means that the network connection passes from one access point to the other without interruption.
Methods such as pair-wise master key caching (PMK caching), pre-authentication, Opportunistic Key Caching (OKC) and the use of central WLAN controllers (WLC) for key management improve the time for the key negotiation between the WLAN client and access point during login. Despite this, the comparatively long time required for key negotiation between the WLAN client and the access point has still not been reduced to a viable extent.
Along with the improved encryption protocols, IEEE 802.11e makes it possible to reserve additional bandwidth with the access point. This allows the WLAN client to prevent interruptions, for example for VoIP connections at times of high network loads at the access point. For roaming from one access point to the next, the WLAN client must again reserve this additional bandwidth on the new access point. However, the additional management frames required for this considerably increase the login time.
The IEEE 802.11r standard provides a simplified authentication process for mobile WLAN clients to roam trouble-free from one access point to the next. The goal is to once again reduce the number of data packets for the login on the access point to the four to six packets known from IEEE 802.11.
Similar to Opportunistic Key Caching (OKC), a centralized key management (preferably by a WLC) supplies the access points connected to it with the credentials of the WLAN clients. In contrast to OKC, the WLAN client performing fast roaming can detect whether the access point supports IEEE 802.11r
Access points managed by the WLC transmit the "mobility domain information element (MDIE)" to inform WLAN clients within range about, among other things, which "mobility group" the access point belongs to. Based on this information, the WLAN client detects whether it belongs to the same domain and can therefore authenticate without delay. This mobility domain is announced to a WLAN client the first time it authenticates at an access point.
The domain identifier and other special keys generated during the initial authentication and transmitted to all managed access points now reduce the stages of negotiation to the desired four to six steps when authenticating at a new access point.
To avoid futile and thus time-wasting login attempts with expired PMKs, IEEE 802.11r provides additional information about the validity periods of keys. In this manner, the client negotiates a new PMK while connected to the current access point. This is also valid on the access point that the WLAN client wants to connect to next.
Additionally, IEEE 802.11r uses "resource requests" to reserve additional bandwidth on the new access point, so that there is no need to cause added delay by transferring unnecessary data packets during the IEEE 802.11e authentication.
Fast roaming is setup in LANconfig under
.Fast roaming by Inter Access Point Protocol (IAPP)
In order to use fast roaming with IAPP, you need to assign an individual IAPP passphrase in the WLAN encryption settings for each interface. This is used to encrypt the pairwise master keys (PMKs). Access points that share a matching IAPP passphrase (PMK-IAPP secret) are able to exchange PMKs between one another and ensure uninterrupted connections. When a client switches to another access point, the new access point sends a handover request to the former access point. The former access point then deletes the client from its station table. The handover request contains the client’s MAC address, so that devices in the LAN are informed about the new routing and can update their mapping table.
To enter the IAPP passphrase in LANconfig, navigate to
.