Roaming occurs when a client moves around the building. As it moves, the signal strength from its current access point drops, and at a certain point another access point offers a better signal. With a reassociation the client moves from one BSS (Basic Service Set) to another BSS within the ESS (Extended Service Set). Clients always initiate the roaming, or BSS transition (keep this in mind when troubleshooting). The client makes the decision based on the RSSI (Received Signal Strength Indicator), the Signal to Noise Ratio (SNR), and the bit error rate.
If there is a roaming threshold of 5 dB difference, this will trigger the client to move from an access point with a signal level of -72 dB to one with -67 dB. If you can configure it on the controller, it is wise to set a higher roam-back threshold to prevent clients from ping-ponging back to their original access point within a short time. Again, the client makes the decision, so it is possible that two clients associated with the same access point do not roam together to a stronger signal from another access point.
The AP to AP handoff communication is not defined in the 802.11-2012 standard. Both access points, the current and the new one, should be able to communicate with each other across the distribution system (DS) (also known as distribution system medium, or DSM), which is most of the time a wired network (802.3). The handoff generally works as follows:
– The client sends out a reassociation request to the new access point. Within this request frame the current access point BSSID is included.
– The new access point replies with an ACK back to the client.
– The new access point informs the current access point, through the DS, that its client is roaming to the new access point's BSS. The new access point also requests all the buffered data from the current access point so that it can be forwarded to the new access point.
– The current access point sends all the buffered data to the new access point, also through the DS.
– The new access point sends a reassociation response to the client that wants to roam.
– The client replies with an ACK to the new access point and the client will join the new BSS.
Since a part of this communication goes through the DS, mostly a wired network, this handoff is not defined in the 802.11 standards. Since this communication needs to be a faultless transition, vendors provide a good handoff between access points, each with its own proprietary method.
A robust security network association (RSNA) goes through several stages. The first stage is the pairwise master key security association (PMKSA), which is created at the moment there is a successful 802.1X/EAP authentication or PSK authentication. After the PMKSA, there is the 4-way handshake that leads into a pairwise transient key security association (PTKSA). The RSN information can be found in the RSN information element (RSNIE) in certain management frames. The RSNIE is found in the beacon frames, probe response, association request, reassociation request and reassociation response (only when 802.11r is enabled). The RSNIE also contains two fields named PMKID count and PMKID list, which are needed for fast secure roaming.
The pairwise master key identifier (PMKID) is a unique reference to a PMKSA. A PMKSA is between the authenticator and the supplicant. There are different PMKSAs that the PMKID can reference:
– PMKSA derived from a PSK for the new access point
– Cached PMKSA from 802.1X/EAP or SAE
– Cached PMKSA obtained through pre-authentication with a new access point
– PMK-R0 security association derived as part of an FT initial mobility domain
– PMK-R1 security association derived as part of an FT initial mobility domain or part of a fast BSS transition
A client can have multiple PMKSAs, as well as multiple PMKIDs. The PMKID count shows how many PMKIDs there are, and the PMKID list field has all the PMKIDs that are known.
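To see where the PMKID count and PMKID list sit inside the RSNIE when troubleshooting a roam from a capture, the following added example (not part of the original article) parses an RSN element following the IEEE 802.11 field order. The sample elements and the PMKID value are constructed placeholders, and the function and variable names are my own.

```python
import struct

# A few AKM suite selectors (OUI 00-0F-AC) from IEEE 802.11; others are shown as hex.
AKM_NAMES = {"000fac01": "802.1X", "000fac02": "PSK", "000fac03": "FT-802.1X",
             "000fac04": "FT-PSK", "000fac08": "SAE"}

def parse_rsnie(ie: bytes) -> dict:
    """Parse one RSN element (ID 48): cipher suites, AKMs, PMKID count and list."""
    if len(ie) < 4 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body, pos = ie[2:], 0
    out = {"pairwise": [], "akm": [], "capabilities": None, "pmkids": []}

    def take(n):
        # Fields after the version are optional, but a field that starts must be whole.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past the end of the element")
        pos += n
        return body[pos - n:pos]

    def u16():
        return struct.unpack("<H", take(2))[0]

    out["version"] = u16()
    if pos < len(body):
        out["group"] = take(4).hex()
    if pos < len(body):
        out["pairwise"] = [take(4).hex() for _ in range(u16())]
    if pos < len(body):
        suites = [take(4).hex() for _ in range(u16())]
        out["akm"] = [AKM_NAMES.get(s, s) for s in suites]
    if pos < len(body):
        out["capabilities"] = u16()
    if pos < len(body):
        out["pmkids"] = [take(16).hex() for _ in range(u16())]  # PMKID count, then list
    if pos < len(body):
        out["group_mgmt"] = take(4).hex()
    return out

# Constructed sample: RSNIE of a reassociation request that offers one cached PMKID.
SAMPLE_PMKID = bytes(range(16))  # placeholder value, not a real PMKID
HEAD = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000" "0100")
REASSOC_RSNIE = bytes([48, len(HEAD) + 16]) + HEAD + SAMPLE_PMKID
BEACON_RSNIE = bytes([48, len(HEAD) - 2]) + HEAD[:-2]  # same element, no PMKID fields

if __name__ == "__main__":
    for name, ie in (("reassociation request", REASSOC_RSNIE), ("beacon", BEACON_RSNIE)):
        info = parse_rsnie(ie)
        print(name, info["akm"], "PMKID count:", len(info["pmkids"]), info["pmkids"])
```

An empty PMKID list in a reassociation request means the client is not offering a cached PMKSA to the new access point.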
There are different components within the PMKSA:
– PMK: the created pairwise master key
– PMKID: the unique identifier for the PMKSA
– Authenticator MAC: the MAC address of the authenticator
– Lifetime: how long the key is valid. The lifetime is infinite, but can be specified for a shorter time
– AKMP: the authentication and key management protocol
– Authorization Parameters: all kinds of parameters that are specified by the authentication server or local configuration, for example the SSID that the client is authorized through
Again, a PMKSA is unique per session per client. When a client roams from the current access point to a new access point, a new PMKSA is established. PMK #1 is used as the seed for the 4-way handshake and installed on the current access point and the client. PMK #2 is used as the seed for the 4-way handshake and installed on the new access point and the client.