802.11 Fast BSS Transition (FT) Part 1 of 2By CWNP On 08/21/2007 - 36 Comments
The 802.11i amendment gave us Preauthentication and Pairwise Master Key (PMK) Caching. Nothing fancy, just the basics. Preauthentication enables supplicants (stations) to authenticate with authenticators (APs or WLAN controllers) to which they may roam. Preauthentication always happens through the AP to which the station is currently associated – over the distribution system (typically an Ethernet network).
PMK Caching allows supplicants and authenticators to cache PMK Security Associations (PMKSAs) so that a supplicant revisiting an authenticator to which it has previously authenticated can skip the 802.1X/EAP process and proceed directly to the 4-Way Handshake. The 4-Way Handshake is used by an 802.1X supplicant and an authenticator to derive Pairwise Transient Keys (PTKs) which are used for encrypting data frames. PMK Caching is often called, “fast roam-back” since supplicants must have previously authenticated (and formed a PMKSA) with the authenticator in order to proceed directly to the 4-Way Handshake.
Due to the need to roam “forward” to authenticators to which the supplicant has never authenticated, another protocol was developed: Opportunistic PMK Caching (OPC). OPC must be supported on both the supplicant and authenticator, and fortunately OPC has been adopted as the current de-facto industry standard for fast roaming. Supplicants supporting OPC include Microsoft’s WZC and Juniper’s Odyssey Access Client. Authenticators supporting OPC include Motorola/Symbol, Colubris, Aruba, and more. OPC allows the PMK in the initial PMKSA formed by the supplicant and authenticator to be reused across the network. The PMK is redistributed (either to other physical APs or within the WLAN controller software) by the WLAN system and given new PMKIDs unique to each AP. A component in the forming of each unique PMKID is the new AP’s MAC address (BSSID). By using the same OPC algorithm, the supplicants and authenticators form the same unique PMKID for each authenticator. The supplicant places the unique PMKID into its reassociation request frame, and when the authenticator validates the PMKID, the AP starts the 4-Way Handshake instead of the 802.1X/EAP authentication exchange process.
The forthcoming IEEE 802.11r amendment will rewrite most of the authentication and key management structure of the IEEE 802.11i amendment to allow for a 3-tier key architecture instead of the current 2-tier model. For more information on 802.11i Authentication and Key Management (AKM), refer to the CWNP whitepaper by the same name found here: http://www.cwnp.com/learning_center/search_details.php?doc_id=duge
Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.