In this post we will see how a basic 802.11 roam works using a Cisco WLC & two APs. My WLC is a 4402 running 7.0.116.0 code.
I have configured an SSID called TEST1 with 802.1X security. Here are the WLAN security settings:
(4402-3) >show wlan 1

WLAN Identifier.................................. 1
Profile Name..................................... TEST1
Network Name (SSID).............................. TEST1
Status........................................... Enabled
.
.
Radius Servers
   Authentication................................ 192.168.100.2 1812
   Accounting.................................... 192.168.100.2 1813
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
.
I have statically configured the LAP1 & LAP2 channels & TX power level (to minimum) in order to have better control over roaming in my lab setup & to allow me to capture packets over the air on those channels (36, 40).
config 802.11a disable LAP2
config 802.11a channel ap LAP2 40
config 802.11a txPower ap LAP2 7
config 802.11a enable LAP2
config 802.11a disable LAP1
config 802.11a channel ap LAP1 36
config 802.11a txPower ap LAP1 7
config 802.11a enable LAP1
You can verify your configuration using the “show ap config 802.11a summary” CLI command.
(4402-3) >show ap config 802.11a summary

AP Name              SubBand RadioMAC           Status   Channel PwLvl  SlotId
-------------------- ------- ------------------ -------- ------- ------ ------
LAP2                 -       2c:3f:38:2a:b1:20  ENABLED  40      7      1
LAP1                 -       64:a0:e7:af:47:40  ENABLED  36      7      1
Here is the packet flow when a client associates to the wireless network. The 7921 has associated to LAP2. After open system authentication, it goes through the EAP-LEAP authentication process, followed by the 4-Way Handshake, before user traffic starts passing. As you can see in this frame capture, the complete process took 116ms (the time from frame 365 to frame 400).
Now, if I move my 7921 towards LAP1, you can see it decides to join LAP1 (based on the RSSI, SNR, etc. received by the client; note that the roaming decision is made purely by the client & the AP/WLC have no control). Here as well, it took around 119ms (frames 455-489) to complete the roam process. Most of that time was taken by the EAP process (~90ms, frames 463-481).
As you can see above, the roaming process starts with the 7921 sending a “Reassociation Request” frame to LAP1. Here is the detail of that frame. Note that there are two fields (PMKID Count, PMKID List) in this Reassociation Request frame that are used when a Fast Secure Roaming method is in use (not in our case here) to indicate to the target AP that the client was already in the network with a secure association.
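To make the two fields concrete, the following added example (not code from the original post) parses an RSN element body and reports whether a PMKID is offered. The sample bytes and the PMKID are constructed, the helper names are hypothetical, and the parser assumes every field up to RSN Capabilities is present.

```python
import struct

# Suite selectors (OUI:type) that correspond to the WLAN settings shown above.
CIPHERS = {"000fac:2": "TKIP", "000fac:4": "CCMP (AES)"}
AKMS = {"000fac:1": "802.1X", "000fac:2": "PSK", "000fac:3": "FT-802.1X",
        "000fac:4": "FT-PSK", "004096:0": "CCKM"}

def suite(raw):
    """Format a 4-byte suite selector as 'oui:type'."""
    return f"{raw[:3].hex()}:{raw[3]}"

def parse_rsn_ie(body):
    """Parse an RSN element body (the bytes after element ID 48 and length)."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        chunk, pos = body[pos:pos + n], pos + n
        return chunk

    def u16():
        return struct.unpack("<H", take(2))[0]

    out = {"version": u16(), "group_cipher": suite(take(4))}
    out["pairwise"] = [suite(take(4)) for _ in range(u16())]
    out["akm"] = [suite(take(4)) for _ in range(u16())]
    out["capabilities"] = u16()
    # PMKID Count and PMKID List are optional; absent means no cached PMK offered.
    out["pmkids"] = [take(16).hex() for _ in range(u16())] if pos < len(body) else []
    return out

def offers_cached_pmk(body):
    """True when the (re)association request names at least one PMKID."""
    return len(parse_rsn_ie(body)["pmkids"]) > 0

# Constructed sample bodies (not bytes from the post's captures): WPA2, CCMP, 802.1X.
BASE = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
RSN_FULL = BASE + bytes.fromhex("0000")                        # PMKID Count = 0
RSN_CACHED = BASE + bytes.fromhex("0100") + bytes(range(16))   # one made-up PMKID

if __name__ == "__main__":
    for name, body in (("full roam", RSN_FULL), ("cached PMK", RSN_CACHED)):
        ie = parse_rsn_ie(body)
        print(name, [AKMS.get(a, a) for a in ie["akm"]], "PMKIDs:", ie["pmkids"])
```

A PMKID Count of 0, as in the first sample, matches the roam on this page: the target AP has no cached key to match, so full 802.1X authentication follows.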
Then the AP responds with a “Reassociation Response” frame indicating the client can join the new AP (LAP1). The client & AP then need to derive the keys for data encryption (PTK), so the client must re-authenticate to generate the seeding material for the 4-Way Handshake, which results in the encryption keys (PTK).
As you saw above, every time the client roams to a new AP, it has to go through the full 802.1X EAP authentication process & then the 4-Way Handshake. Since this EAP authentication process takes a considerable amount of time (varying ~100ms-700ms), for certain applications (like voice) it is not ideal for a client roam to take that long.
Therefore the 802.11-2007 standard defines two fast secure roaming mechanisms applicable to legacy autonomous APs.
1. Preauthentication.
2. PMK Caching.
Most WLAN vendors offer a fast secure roaming solution called OKC (Opportunistic Key Caching), which is an enhancement of PMK caching. (Note that OKC is not part of the 802.11-2007 standard.)
Cisco has offered a proprietary version of fast secure roaming called Cisco Centralized Key Management (CCKM). To support CCKM, the supplicant should fall under the Cisco licensed CCX program. You can check the nature of the roam when you enable CCKM on this SSID.
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Enabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
As you can see below, this time the supplicant continues to pass traffic as soon as the AP sends the “Reassociation Response” frame. No authentication or 4-Way Handshake is required. You can see the entire client roam occurs within 7ms in this case.
In 2008, the IEEE came up with 802.11r, which standardizes fast roaming. This method is called Fast BSS Transition (FT). There are two FT methods:
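The comparison between the full roam and the CCKM roam can be automated once frames are exported from a capture. The following is an added example, not code from the original post: it classifies a roam by which frames follow the Reassociation Request and measures its duration. The frame kinds, function name and sample timings are constructed assumptions, and the cached-PMK case (4-Way Handshake without EAP) goes beyond the two captures described here.

```python
# Constructed frame summaries: (time in ms since capture start, frame kind).
# Timings are made up to resemble the figures quoted in the post; they are
# not taken from the linked captures.
FULL_ROAM = [
    (1000, "reassoc_req"), (1002, "reassoc_resp"),
    (1008, "eap"), (1030, "eap"), (1075, "eap"), (1098, "eap_success"),
    (1105, "eapol_key"), (1109, "eapol_key"), (1114, "eapol_key"),
    (1119, "eapol_key"), (1125, "data"),
]
CCKM_ROAM = [(2000, "reassoc_req"), (2004, "reassoc_resp"), (2007, "data")]

def analyse_roam(frames):
    """Classify one roam and return its timings in ms.

    frames: time-ordered list of (time_ms, kind) covering a single roam.
    """
    start = next((t for t, k in frames if k == "reassoc_req"), None)
    if start is None:
        raise ValueError("no Reassociation Request in frame list")
    after = [(t, k) for t, k in frames if t >= start]
    resp = next((t for t, k in after if k == "reassoc_resp"), None)
    if resp is None:
        raise ValueError("no Reassociation Response after the request")
    eap = [t for t, k in after if k in ("eap", "eap_success")]
    keys = [t for t, k in after if k == "eapol_key"]

    if eap and len(keys) >= 4:
        kind, end = "full 802.1X/EAP + 4-way handshake", keys[3]
    elif len(keys) >= 4:
        kind, end = "cached PMK + 4-way handshake", keys[3]
    else:
        # Traffic can resume right after the Reassociation Response.
        kind, end = "fast secure roam (no EAP, no 4-way handshake)", resp
    return {
        "type": kind,
        "total_ms": end - start,
        "eap_ms": eap[-1] - eap[0] if eap else 0,
    }

if __name__ == "__main__":
    for name, frames in (("full", FULL_ROAM), ("cckm", CCKM_ROAM)):
        print(name, analyse_roam(frames))
```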
1. Over the Air Fast BSS Transition.
2. Over the DS Fast BSS Transition.
We will discuss each of these Fast Secure Roaming mechanisms in future posts.
References
1. 802.11 WLAN Roaming and Fast-Secure Roaming on CUWN <- Best Cisco document I found describing this topic in detail
2. CWSP Official Study Guide, Chapter 7
3. 7921-Association-LAP2 (Original Association packet capture)
4. 7921-Roaming to-LAP1 (Reassociation or Roaming packet capture)
5. 7921-CCKM-Roaming to-LAP1 (Roaming with CCKM packet capture)
Hi Rasika,
Great review. 802.11r should definitely speed up the roaming process for a wider range of clients that are certified. I think the WFA voice enterprise amends .11r for the certification process.
Anyway, another element I’m suspecting would be critical for fast roaming resides in layer 2 of the network in the access switches. I’m referring to the gratuitous ARP that the AP invokes after the client has roamed to its neighbor AP. Would be interesting to see at what point the AP sends this message and how long it takes for the switch to update its CAM tables.
Would be great to have a capture for that too if possible.
Hi Erand,
Thanks for this feedback.
I will see if I could test this & do a post. It is easy to test this out in 3850 IOS based WLC.
HTH
Rasika
Hi Rasika,
I have discovered your blog about a week ago and as I am studying for my CWSP, your content is helping me a lot. Keep up the excellent work!
That’s great to hear Franco…
Rasika
Hi Rasika,
Your blog helps me a lot, and by the way I have a question for you. If we have DHCP in the system, how can a client receive DHCP while roaming to another new AP? How do we know the old AP has a lower signal than the new AP?
Long for your answer.
Thousand thanks.
Hi Ryan,
Roaming is a client decision & the AP cannot influence that. Different client devices behave differently & use different thresholds/algorithms to take that decision. If a client roams, then it will not change its IP (if it is changing, then it is not a smooth roam). Two different frames are used in those scenarios.
Association Request – When a Client first associate to Network
Re-association Request – When a client roam from one AP to another
HTH
Rasika
Dear Rasika,
Thank you for your answer, but it is not clear to me about this problem. What is the difference between a client moving from the old AP to the new AP in one broadcast domain and a client moving from the old AP to the new AP in a separate broadcast domain? Does it not receive DHCP when it is roaming? Please show me a picture that you captured about this problem and what the client does when it is roaming on two models like this (step by step, please).
Thank you for your answer,
please keep in touch.
Hi, I found your blog. This is really amazing. I use OpenWrt and it has helped me a lot in confirming if my routers supported it. You have done a perfect job and explained every detail. I would really like to ask another thing of you since you have good expertise in wireless, being a CCIE Wireless. I would really like to know the protocols and drafts behind CISCO Aggressive Load Balancing. Can you help me with that?
Hi Rasika,
I’m into WLAN test and I have been following your blogs to refer while in the state of confusion 🙂
And your blogs definitely do bring me out of the trouble.
Thanks a lot for wonderfully blogging on important topics.
I landed on this particular page today again since I was looking for information on CCX and I looked up for “mrncciew ccx”. I see that you just referred to CCX.
I need more information (trainings, documents and sniffer traces) related to CCX (Cisco Certified Extensions for WLAN).
Please help if you know of any.
I contacted Cisco for the same (for the paid ones too) and was turned down, saying there are no trainings Cisco or their partners offer.
Thanks in advance,
Vikram Gokhale
Hi Vikram,
As I understand, the Cisco CCX program was there a few years back, where mobile devices were to be compatible with Cisco infrastructure and get the benefit of new features Cisco is releasing.
Nowadays, most client devices follow IEEE standards (e.g. 802.11r, k, v) and there is no need to be CCX compliant to get the benefit of Cisco infrastructure. Hence the CCX program is not active any more.
The URL below provides some information about that program Cisco had:
http://www.cisco.com/c/en/us/products/wireless/compatible-extensions.html
HTH
Rasika
Hi, in a roaming scenario, I am seeing 1) Authentication from client to AP2, 2) Authentication from AP2 to client, 3) Reassociation request from client to AP2, 4) Reassociation response from AP2 to client, 5) EAPOL 4-way handshake, 6) Deauthentication from AP1 to client.
Is it correct to see deauthentication after all the above 5 steps?
Thanks,
Dev
Hi Dev,
I do not think you should see a de-auth from the AP when a client is roaming from one AP to another.
HTH
Rasika
Hi Rasika,
I really like the log display you provided.
Currently I am trying to measure the difference in roaming time needed between two WLAN adapters. I would like to ask how you captured the packages (e.g. software used, coloring rules, …).
It would be very helpful for me to reconstruct this process and I would greatly appreciate any help I can get.
Thank you in advance,
Felicis
Hi Felicis,
I would recommend the approach below if you have a Cisco AP/WLC. That is the best way of capturing 802.11n/11ac packets.
https://mrncciew.com/2018/04/07/wifi-captures-with-sniffer-mode-ap/
You can use Wireshark with nice coloring rules. Below is the coloring rule I have used in most of my posts.
https://community.cisco.com/t5/wireless-mobility-documents/download-wireshark-coloring-rules-file/ta-p/3108000
HTH
Rasika