Roaming in Wireless

The seamless transition of the User device from one Access Point to another access point called Roaming.

For Example, let’s assume you are connected to a wireless Access point (Access point 1 - Position 1) and having a video conversation with one of your friends. As your friend complains, he/she can hear many others standing near you. So, you plan to move to another place (nearly to Access point 2 - Position 2). Your expectation will be while moving from one place to another, and you do not want disconnection or interruption of video conversation you are having with your friend.

The user devices start to Roam when the Device sees RSSI and SNR are degrading from the Associated AP. The User Devices send Probe requests to find any new access point to associate with better RSSI and SNR.

Roaming the User device from one Access point to another Access point will not delay the open Authentication network. Pre-shared key Authenticated network will have a delay between 45-55 ms, which is acceptable for Voice /Video networks as these networks work fine with latency 150 ms unidirectional.

Below are the commonly seen Roaming methodologies in Robust Security Network, especially in 802.1x Authentication where the delay is more than 300 milliseconds.

802.11r is the only Roaming Standard recognized by IEEE.

1) Fast Secure Roaming Transition(802.11r) has two different methods as below.

a) Over the Air Fast Transition

b) Over the DS Fast Transition

Note: WPA3-SAE and WPA3-Enterprise do not support 802.11r as of today.

2) Opportunistic Key caching (OKC) is one of the Roaming technologies most popularly used and supported by most devices. Few devices like MacBook etc., do not support the OKC technology.

Over the Air Fast Transition

In “Over the Air Fast Transition,” user devices directly negotiate with Target AP. Let’s see different frames exchanged between user devices and Target AP before successfully accessing the Target AP network.

Frame -1: User Device sends Authentication frame with Authentication Algorithm Fast Transition

Frame-2: Target Access Point sends with an Authentication response frame.

We can see Mobility Domain Element in Beacon, Probe Response, Authentication, Association/Re-association frames. Target Access point rejects Authentication if the Mobility Domain Contents do not match the Mobility Domain of Target AP contents.

PMK-R0 is the first & highest level PMK key generated when the user device connects to the wireless network for the first time. PMK-R1 derived using PMK-R0.

PMK-R0 is generated when the user devices connect to the Access point 1.

PMK-R1 is generated with the Access point 2 during the Roaming process.

Frame-3: Re-association Request Frame sent by the User device to the target AP. Re-association Frame will an element called Current Access point from which the user devices are trying to Roam to target AP.

Frame-4: The Target AP will send the Re-association Response frame to the user device. IF the status code is successful, the user device is transitioned to Target AP with a new Association ID.

Pairwise Transient Key(PTK) is derived and installed before completing Reassociation.

The user device will have network access via Target Access Point.

Over the DS fast Transition

In Over the DS fast Transition Roaming Methodology, Transition happens with the exchange of Frames similar to Over the Air Fast Transition (FT).

Target AP has the Mobility Domain Element showing it supports Fast BSS Transition DS set 1, and then the user device will initiate this methodology to Roam.

The Major difference between the two Methodologies is that the first two frames are FT action Frames, which are sent to Current AP and Current AP forwards to the appropriate destination. Please find the below Frame exchange flow diagram.

Frame-1: The User device will send FT Request Action Frame to the Current AP with the Target AP Address field set to Target AP BSSID. Target AP address Field you can see in the Frame's Fixed Parameters.

Frame-2: Target will Send FT Response Action Frames.

Frame-3: The User Device will send a Reassociation frame directly to Target AP.

Frame-4: Target AP validates the MIC and contents of Mobility Domain Element, and if everything looks good, then Target AP will send a Reassociation Response frame directly to the User device.

Pairwise Transient Key(PTK) is derived and installed before completing Reassociation.

The user device will have network access via Target Access Point.

Opportunistic Key Caching (OKC)

Opportunistic Key Caching (OKC) Roaming Methodology is not Standard. Both Authenticator and the user device should support OKC.

The authenticator can be a controller or Access point in the controller-less architecture.

OKC is used both at the User devices and the Authenticator.

An identical algorithm is used at the user device and the Authenticator, and a unique PMKID is derived and given to the original PMK when it is passed to each Access point.

PMKID= HMAC-SHA1-128(PMK,"PMK NAME",|| AA || SPA)

AA == Authenticator Mac-address

SPA = Supplicant /User Device Mac-address.

Please find the frame exchange flow in OKC.

PTK is derived after the reassociation frames are exchanged.

IF the Authenticator finds PMKID, 802.1x Authentication will not happen, and PTK will be derived in EAPOL Key change by both. Else, the user device should undergo full Authentication.

Reassociation Request Frame, EAPOL KEY 1 (PMKID only), and EAPOL KEY 2 are the Frames where we can find the PMKID Count and PMK List Parameters.

Only during Reassociation can we see PMKID Count and PMK List parameters.

EAPOL KEY 2 Wireshark Screenshot showing PMKID Count and PMKID List

OKC is not supported by all the devices and is not implemented in a compatible way across all vendors, leading to performance issues.

Most of the user devices support 802.11r, and all the new user devices coming into the market are supporting 802.11r.

To conclude, we see most organizations use 802.11r with their wireless solution as it is the Standard, and OKC is not Standard.

Thanks for viewing the article, please leave a feedback comment (good or bad), so that I can improve.