General Roaming Process

The process of roaming, i.e. a client moving from one AP (BSS) to another AP (BSS) within the ESS, is also called BSS Transition. In general (i.e., without any optimization), a BSS transition comprises the following steps:

1. The client scans the network for candidate “target” APs (802.11k can help optimize this).
2. The client and the target AP exchange 802.11 reauthentication messages (the client sends a request and the AP responds).
3. The client and the target AP exchange 802.11 reassociation messages.
4. If this is an 802.1x SSID, the client and the target AP cannot yet start communicating; they first need to establish a key. The 802.1x EAP authentication begins with the derivation of a master key.
5. The 802.11i 4-way handshake is next: the client and the target AP derive their Pairwise Transient Key (PTK)—the unique encryption key for their association, derived from the master key.

The 802.1x EAP process generally takes much longer than the 4-way handshake (in one trace, for example, the EAP process took around 90 ms and the 4-way handshake took around 30 ms). Many of the mechanisms that reduce roaming times, therefore, do so by skipping the 802.1x EAP authentication step.

The subsequent sections describe methods that speed up or eliminate one or more of the steps outlined above.

802.11k and 802.11v

Arista APs support 802.11k and 802.11v. The IEEE 802.11k amendment, also called Radio Resource Measurement (RRM), defines methods allowing stations to inform each other about their respective radio frequency (RF) environments. That way, they can make faster and better informed decisions on roaming. With 802.11k, a client can request an AP to send a Neighbor Report. This reduces the number of channels a client has to scan (thereby optimizing step 1 in the roaming process).

The IEEE 802.11v amendment is also called Wireless Network Management (WNM). As the name suggests, 802.11v has a broader scope than 802.11k. While 802.11k defines methods that help individual stations understand their radio environment, 802.11v defines services that help improve overall network performance. An important 802.11v service is BSS Transition Management (BSTM). When an AP decides to disassociate with a client (because the AP knows that a neighboring AP can better serve the client), it sends an 802.11v frame called a BSTM Request, warning the client of its intention to disassociate. This allows a client some time to find a better AP and associate with it.

PMK Caching

Arista APs use PMK (Pairwise Master Key) caching. With PMK caching, an AP caches the PMK ID used by the client and the AP during their association. Consider a client that roams from AP1 to AP2, and now returns (roams back) to AP1. If the client also caches PMKIDs, it sends an association request containing the PMKIDs it has recently used. Since AP1 also has the cached PMKID from their earlier association, the client and the AP skip the 802.1x EAP authentication and start the 4-way handshake (thereby eliminating step 4 from the general process). A limitation of PMK caching is that it does not speed up roaming when a client roams to an AP for the first time.

Fast Handoff Support for 802.1x

Enterprise networks typically use 802.1x RADIUS-based authentication. As mentioned in the general steps, in the absence of any optimization, a client needs to undergo the entire 802.1x EAP process every time it roams. 

Opportunistic Key Caching (OKC)

In 802.1x EAP authentication, the PMK is derived from the Master Session Key (MSK). OKC can be thought of as a network-wide, 802.1x version of PMK caching. With OKC, the Wi-Fi network caches the PMK for a client as long as the client is associated with the network. So when a client roams, the client and the target AP skip the 802.1x EAP authentication (eliminating step 4 from the general process) and start the 4-way handshake. 

Preauthentication

Preauthentication is when a client initiates authentication and establishes a PMK Security Association (SA) with the target AP while the client is still associated with the current AP. The client does this via the current AP over the wired network. When preauthentication completes, the client and the target AP both have a PMK SA, i.e., they have a PMK cached for their future association. So when a client roams, the client and the target AP skip the 802.1x EAP authentication (eliminating step 4 from the general process) and start the 4-way handshake. 

A drawback of preauthentication is that it does not scale well; all clients need to establish PMK SAs with all possible APs they could roam to, greatly increasing network traffic. The 802.11r standard solves this problem.

802.11r or Fast BSS Transition

802.11r or Fast BSS Transition speeds up roaming in two ways:

• When the SSID uses 802.1x authentication without 802.11r, the client needs to perform EAP authentication every time it roams to a different AP. 802.11r bypasses this step by caching a part of the key derived from the RADIUS server in the wireless network (thereby eliminating step 4 from the general process). This basically builds on the OKC method of caching keys (OKC was a precursor of or a step towards 802.11r). 802.11r specifies a key hierarchy: a first-level key for storage in the RADIUS server (PMK-R0), and a second-level key for storage in APs (PMK-R1), used to derive the PTK for encryption. 
• Additionally, 802.11r piggybacks the 4-way handshake messages between the client and the target AP onto the reassociation messages (combining steps 3 and 5 in the general process). This piggybacking is done whether the SSID uses 802.1x or WPA2-PSK.