802.11 Roaming: Understanding How Wireless Devices Transition Between Access Points

We have heard about roaming several times and understand how important a seamless roaming experience is for users with time-sensitive applications. This seamless experience is made possible by a process called "roaming" in 802.11 wireless networks.

What is 802.11 Roaming and how does it work?

802.11 roaming refers to the process in which a wireless station moves from one access point (AP) to another within the same extended service set (ESS). Ideally, this transition happens without any interruption to network connectivity.

When a station first connects to a Wi-Fi network, it associates with an access point. As you move away from this initial access point, the signal strength degrades. When this happens, your device starts scanning for a better connection, looking for another access point to associate with.

A very important fact, often forgotten by users and network administrators, is that the decision to roam is made entirely by your device, not by the access points. Your device uses various metrics to decide when to initiate a roam, including:

  • RSSI (Received Signal Strength Indicator)
  • SNR (Signal-to-Noise Ratio)
  • Other factors such as packet loss rates, retry rates, etc.

Some vendor-specific features are offered to assist stations with roaming; however, these are not dictated by the 802.11 standard, so stations and devices are not required to follow them.

The Roaming Process

When your device decides to roam, it sends a Reassociation Request frame to the new access point it wants to connect to. This frame contains important information, including the MAC address of the access point your device is currently associated with.

The roaming process follows these steps in a secure network:

Step 1: 802.11 Open System authentication frame exchange with the new AP.

Step 2: The device sends a Reassociation Request frame to the new access point.

Step 3: A 4-way handshake is performed to establish encryption keys (in an 802.1X network, the full EAP exchange runs before this handshake, which is what the fast roaming methods below avoid).

The Reassociation Request frame includes specific fields such as the Listen Interval, the Current AP Address field (the MAC address of the AP the station is currently associated with), the SSID parameters and the RSN (Robust Security Network) element carrying the security parameters.

The Reassociation Response frame includes the Status Code and the Association ID (AID), confirming successful reassociation of the station.
This standard roaming process takes additional time because the device must go through the full authentication process again. On a busy wireless network this introduces latency and jitter that certain applications do not handle well, hence the need for a mechanism that roams securely while reducing the time spent on 802.1X EAP exchanges. There are two such pre-Fast Transition methods (methods that predate 802.11r):

  • Preauthentication
  • PMK Caching

Preauthentication

Preauthentication allows a wireless client to authenticate with other access points ahead of time, before it actually roams to them. For Pre-auth to work:

  • All APs must be in the same Extended Service Set (ESS)
  • The APs must advertise Preauthentication support in their Beacon frames
  • In the RSN element, the Preauthentication bit of the RSN Capabilities field must be set to 1

How Preauthentication works:

  1. A station establishes an RSNA (Robust Security Network Association) with a target access point prior to attempting reassociation; the 802.1X exchange is carried through the station's current AP over the distribution system
  2. When 802.1X authentication completes successfully, it produces a PMKSA (Pairwise Master Key Security Association) that is cached on that target AP for later use
  3. When the station associates with a preauthenticated AP, it uses the existing PMKSA and proceeds directly to the 4-way handshake
  4. This allows the station to skip the time-consuming 802.1X EAP exchanges

PMK Caching

PMK caching speeds up the roaming process when a station returns to an AP it has previously associated with. Here is how it works:

  1. The station and the original AP maintain the PMKSA for a defined lifetime, after which it expires
  2. During this time, if the station returns to this AP, it can include the PMKID of the PMKSA in its Reassociation Request (in the PMKID list of the RSN element)
  3. The AP verifies that it has a cached PMKSA for that station
  4. If valid, the AP begins the 4-way handshake, skipping the 802.1X EAP exchange

Key difference between Preauthentication and PMK Caching:

  • With PMK Caching, the PMKSA (identified by its PMKID) is cached on the AP after the station associates with it, helping when the station roams back to that same AP
  • With Preauthentication, a PMK is created and stored on a target AP before the station ever connects to it, helping when the station roams to a new AP
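As an added example (not code from the original post), the following Python models the AP side of the two methods above: it derives the PMKID that names a PMKSA, parses the RSN element of a Reassociation Request for the Preauthentication capability bit and the PMKID list, and checks a PMKSA cache with expiry to decide whether the station can go straight to the 4-way handshake or must complete the 802.1X exchange first. All values (PMK, MAC addresses, lifetime) are constructed, and the RSN element builder and cache class are assumptions made for the demonstration.

```python
import hmac, hashlib, struct

# Constructed sample values (not from the post): a PMK, the target AP's BSSID (AA), the station MAC (SPA).
PMK = hashlib.sha256(b"constructed sample pmk").digest()
AA = bytes.fromhex("0a1b2c3d4e5f")
SPA = bytes.fromhex("112233445566")

def pmkid(pmk, aa, spa):
    # PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA)) for the 802.1X/PSK AKMs.
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def build_rsn(preauth, pmkids):
    # Assumed helper: minimal RSN element (ID 48), version 1, CCMP group/pairwise, 802.1X AKM,
    # RSN Capabilities (bit 0 = Preauthentication), then the optional PMKID Count / PMKID List.
    body = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
            + struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
            + struct.pack("<H", 1) + b"\x00\x0f\xac\x01"
            + struct.pack("<H", 1 if preauth else 0)
            + struct.pack("<H", len(pmkids)) + b"".join(pmkids))
    return bytes([48, len(body)]) + body

def parse_rsn(ie):
    # Returns (preauth_bit, [pmkid, ...]); the PMKID fields are optional, so stop if the element ends early.
    body, off = ie[2:2 + ie[1]], 6                                # skip Version, Group Cipher
    n, = struct.unpack_from("<H", body, off); off += 2 + 4 * n    # pairwise cipher list
    n, = struct.unpack_from("<H", body, off); off += 2 + 4 * n    # AKM list
    caps, = struct.unpack_from("<H", body, off); off += 2
    ids = []
    if off + 2 <= len(body):
        n, = struct.unpack_from("<H", body, off); off += 2
        ids = [body[off + 16 * i:off + 16 * i + 16] for i in range(n)]
    return bool(caps & 1), ids

class PMKSACache:
    # Assumed AP-side PMKSA cache keyed by PMKID; entries expire after the lifetime (step 1 above).
    def __init__(self, lifetime_s=43200): self.ttl, self.entries = lifetime_s, {}
    def add(self, pmk, aa, spa, now):
        self.entries[pmkid(pmk, aa, spa)] = (pmk, spa, now + self.ttl)
    def lookup(self, ids, spa, now):
        for i in ids:                       # first live entry that belongs to this station
            e = self.entries.get(i)
            if e and e[1] == spa and now < e[2]:
                return e[0]
        return None

def handle_reassoc(cache, ie, spa, now):
    # AP decision for a Reassociation Request: "4way" if a listed PMKID names a live cached PMKSA
    # for this station (steps 3-4 above), otherwise "8021x" (full EAP exchange first).
    _, ids = parse_rsn(ie)
    return "4way" if cache.lookup(ids, spa, now) else "8021x"
```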

Both of these methods have scaling limitations in large Wi-Fi deployments, as they require all APs to maintain PMKSAs for all the stations they serve. This is where more modern techniques like 802.11r become necessary in enterprise environments. I will cover 802.11r in my next blog post!
