Vendors innovate beyond 802.11i roaming standards

* Much ado about Wi-Fi roaming

Apparently, there are several ways users will be able to roam securely and seamlessly among access points in 802.11 wireless LANs.

The 802.11i security standard, ratified in June, makes a couple of provisions for this capability, and WLAN start-up Airespace says it has codeveloped with Funk Software and Atheros an extension to one of the methods specifically for switched WLAN architectures that other vendors can also adopt.

You'll recall that Cisco recently announced fast, Layer 3 roaming via its Wireless LAN Services Module for its Catalyst 6500 switches. And Proxim announced its own "partial-preauthentication" secure roaming method for its Orinoco Switching System, which began shipping in July as the Avaya W310 Wireless LAN Gateway, last winter.

From a standards perspective, Paul Funk, president of Funk Software, explained that 802.11i contains two specs for accelerating secure roaming that are aimed at traditional access points (AP), which operate independently rather than in conjunction with a WLAN switch:

1) Pairwise Master Key (PMK) Caching allows the client to associate with an AP and, upon doing a full RADIUS authentication, store a master key negotiated with that particular AP in a cache. Should the user roam away from that AP and back again, the client will not have to reauthenticate. Funk referred to this 802.11i-specified method as "fast roam-back."

2) Preauthentication or "fast-associate in advance." Using this 802.11i-specified capability, an 802.11 AP associated to a client could bridge to other APs over the wired network and preauthenticate the client to the "next" AP to which the client might roam.

In switched architectures, the "authenticator" in the 802.1X framework is the switch, rather than the AP (the client software is the "supplicant" and the RADIUS server is the "authentication server"). Theoretically, the switch could simply blast out the master key information for a given client to most or all APs upon successful authentication, potentially preauthenticating mobile clients for secure roaming on the entire WLAN. However, as Funk pointed out, many network operators would view this as wasting bandwidth and RADIUS resources if users don't roam to all those APs.

So Airespace, Funk Software and Atheros created Proactive Key Caching (PKC) for switched architectures. When a mobile device moves from AP to AP, the WLAN searches its PMK cache in the switch to see if the client has already been authenticated anywhere else on the network.  If a PMK entry already exists for the wireless device, it doesn't perform the authentication process again. 

Note: With each client-AP association - whether PMK Caching or PKC is being used - the 802.11i standard calls for a Pairwise Transient Key (PTK) to be derived via a four-way handshake, which protects data actually sent over air. The PTK is discarded each time a user roams. If the PTK fails, reauthentication is required.

Funk said his company's Odyssey client software is scheduled to support the PKC capability late this month or next month (Airespace gear is slated to support PKC in September). Both supplicant and authenticator must support fast, secure roaming - be it PKC, PMK Caching, preauthentication or other implementation - for it to work.

Note that Trapeze Networks, a WLAN switch competitor to Airespace, contends that PMK Caching as defined in the standard is the same mechanism Airespace describes as PKC. As such, Trapeze says, its own WLAN switch supports fast, secure roaming in the same manner.

Learn more about this topic

802.11i security standard goes on the books

Network World Wireless in the Enterprise Newsletter, 07/07/04

Cisco integrates wired, wireless networks

Network World Wireless in the Enterprise Newsletter, 05/10/04

Proxim offers peek into voice-centric switching system

Network World Wireless in the Enterprise Newsletter, 02/18/04

Where do "overlay" vendors fit in roaming efforts?

Network World Wireless in the Enterprise Newsletter, 02/23/04

Wireless vendors try defining MIMO

Network World, 08/16/04

Sprint offers first SLAs for wireless

Network World, 08/16/04

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2004 IDG Communications, Inc.