PMK caching and preauthentication are two different methods defined in IEEE 802.11-2007 to allow fast secure roaming.
In PMK caching, the AP and the client station both keep a PMKSA for a period of time after the client station roams to a target AP and establishes a new PMKSA there. Below is the PMK caching packet flow (page 258 of the CWSP Official Study Guide).

As shown in the figure above, the client associates with the original AP and creates PMK#1. The client then roams to the target AP and creates a new PMK#2. However, the original AP and the client station both keep PMK#1 cached.
Whenever the client station roams back to the original AP, it sends a reassociation request frame whose RSNIE lists one or more PMKIDs. A PMKID names a specific PMKSA; it is derived from the PMK together with the AP's MAC address (AA) and the station's MAC address (SPA), so a cached PMK is only usable between that particular AP and client. Because the AP also holds a cached PMKSA for the PMKID offered by that client, both sides can skip 802.1X/EAP authentication and proceed directly to the 4-Way Handshake, so the roam completes relatively quickly.
This method is sometimes called "fast secure roam-back" because the client station is able to roam back to the original AP and skip the 802.1X/EAP process. Its drawback is that there is no way to make a roam fast when the client station associates to an AP it has not authenticated with before: neither side has a cached PMK for that pair, so a full 802.1X/EAP exchange is required.
A client station can use preauthentication to establish a new PMKSA with a target AP before roaming to it. Preauthentication allows the client station to initiate a new 802.1X/EAP exchange with the AS while still associated with the original AP. Below is the preauthentication frame exchange (page 259 of the CWSP Official Study Guide).

As shown above, the client initiates a new 802.1X/EAP exchange with the AS while associated with the original AP. The client does this through the original AP, which forwards the frames over the Distribution System (DS); the Authenticator, however, is the target AP. Once the client has preauthenticated, a new PMK#2 is created and cached on both the client station and the target AP. If the client station later decides to roam to the target AP, it does not need to reauthenticate and create a new PMK, because the preauthenticated PMK is already cached, so both sides can run the 4-Way Handshake without the EAP authentication process. An AP that supports preauthentication advertises it in the RSNIE of its beacon frames (the Pre-Authentication bit of the RSN Capabilities field); a client should check that bit before attempting to preauthenticate with a target AP.
The drawback of preauthentication is that it does not scale well: every client that might roam has to preauthenticate with every AP it might roam to, in advance. Each AP therefore ends up holding PMKSAs for many clients that may never arrive, and every one of those preauthentications is a full EAP exchange, which also loads the AS.
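The three cases described above (a roam-back that hits the PMKSA cache, a roam to a never-seen AP that misses it, and a roam after preauthentication) as an added Python simulation. This is not code from the original post or from the CWSP study guide. The RSNE field layout, the PMKID derivation and the RSN Capabilities preauth bit follow IEEE 802.11-2007; the `AccessPoint` and `Station` classes, the MAC addresses and the random bytes standing in for an EAP-derived PMK are constructed for the demo.

```python
"""Simulation of PMK caching and preauthentication (IEEE 802.11-2007).

Added example, not code from the CWSP study guide or this post. RSNE
layout, PMKID derivation and the preauth capability bit are per the
standard; classes, MAC addresses and the random "EAP" PMK are constructed.
"""
import hashlib
import hmac
import os
import struct

RSN_VERSION = 1
CCMP = bytes.fromhex("000fac04")       # cipher suite selector: AES-CCMP
AKM_8021X = bytes.fromhex("000fac01")  # AKM selector: 802.1X/EAP
CAP_PREAUTH = 0x0001                   # RSN Capabilities bit 0: Pre-Authentication


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), the cache key
    that names one PMKSA, bound to one AP (AA) and one station (SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def build_rsne(pmkids=(), preauth=False) -> bytes:
    """Body of an RSN information element (tag 0x30 and length omitted)."""
    body = struct.pack("<H", RSN_VERSION) + CCMP            # version, group cipher
    body += struct.pack("<H", 1) + CCMP                     # pairwise cipher list
    body += struct.pack("<H", 1) + AKM_8021X                # AKM suite list
    body += struct.pack("<H", CAP_PREAUTH if preauth else 0)  # RSN Capabilities
    if pmkids:                                              # PMKID list (reassoc)
        body += struct.pack("<H", len(pmkids)) + b"".join(pmkids)
    return body


def parse_rsne(body: bytes) -> dict:
    """Extract the preauth capability bit and the PMKID list from an RSNE."""
    off = 6                                                 # skip version + group
    n_pair, = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_akm
    caps, = struct.unpack_from("<H", body, off)
    off += 2
    pmkids = []
    if off + 2 <= len(body):                                # PMKID count is optional
        n_pmkid, = struct.unpack_from("<H", body, off)
        off += 2
        pmkids = [body[off + 16 * i:off + 16 * (i + 1)] for i in range(n_pmkid)]
    return {"preauth": bool(caps & CAP_PREAUTH), "pmkids": pmkids}


class AccessPoint:
    def __init__(self, bssid: bytes, preauth: bool):
        self.bssid, self.preauth = bssid, preauth
        self.pmksa = {}                 # PMKID -> PMK: the AP-side PMKSA cache

    def beacon_rsne(self) -> bytes:
        return build_rsne(preauth=self.preauth)

    def eap_authenticate(self, spa: bytes) -> bytes:
        """Stand-in for a full 802.1X/EAP run with the AS: random bytes
        replace the PMK the AS would deliver; it is cached under its PMKID."""
        pmk = os.urandom(32)
        self.pmksa[pmkid(pmk, self.bssid, spa)] = pmk
        return pmk

    def handle_reassoc(self, spa: bytes, rsne: bytes) -> str:
        """EAP is skipped only if an offered PMKID matches a cached PMKSA."""
        for pid in parse_rsne(rsne)["pmkids"]:
            if pid in self.pmksa:
                return "4-way handshake"
        return "full 802.1X/EAP then 4-way handshake"


class Station:
    def __init__(self, mac: bytes):
        self.mac, self.pmksa, self.assoc = mac, {}, None    # BSSID -> PMK

    def roam_to(self, ap: AccessPoint) -> str:
        """(Re)associate, offering the PMKID of any PMK cached for that BSSID."""
        pmk = self.pmksa.get(ap.bssid)
        offered = [pmkid(pmk, ap.bssid, self.mac)] if pmk else []
        result = ap.handle_reassoc(self.mac, build_rsne(offered))
        if result.startswith("full"):   # miss on either side: new PMK via EAP
            self.pmksa[ap.bssid] = ap.eap_authenticate(self.mac)
        self.assoc = ap.bssid
        return result

    def preauth_via(self, current: AccessPoint, target: AccessPoint) -> bool:
        """Preauthenticate with target while associated to current. On air the
        EAPOL frames go to current and cross the DS (EtherType 0x88C7) with
        target as Authenticator; only the resulting PMKSA is modelled here."""
        if self.assoc != current.bssid:
            return False
        if not parse_rsne(target.beacon_rsne())["preauth"]:
            return False                # target does not advertise preauth
        self.pmksa[target.bssid] = target.eap_authenticate(self.mac)
        return True


def scenario():
    """Roam-back hit, new-AP miss, preauthenticated roam (constructed MACs)."""
    sta = Station(bytes.fromhex("001122334455"))
    ap1 = AccessPoint(bytes.fromhex("0a0b0c0d0e01"), preauth=True)
    ap2 = AccessPoint(bytes.fromhex("0a0b0c0d0e02"), preauth=False)
    ap3 = AccessPoint(bytes.fromhex("0a0b0c0d0e03"), preauth=True)
    return [
        ("AP1 initial association", sta.roam_to(ap1)),
        ("AP2 never seen before", sta.roam_to(ap2)),
        ("AP1 roam-back (PMK#1 cached)", sta.roam_to(ap1)),
        ("preauth with AP3 via AP1", sta.preauth_via(ap1, ap3)),
        ("AP3 after preauth", sta.roam_to(ap3)),
        ("preauth with AP2 (not advertised)", sta.preauth_via(ap3, ap2)),
    ]


if __name__ == "__main__":
    for step, outcome in scenario():
        print(f"{step}: {outcome}")
```

The cache is keyed by PMKID on the AP side precisely because the PMKID binds the PMK to one AP/station pair: a PMK cached from AP1 cannot be presented to AP2, which is why the roam to a never-seen AP falls back to full EAP. Clearing an AP's `pmksa` dictionary models the AP evicting a PMKSA (timeout or reboot); the next roam-back to that AP then costs a full 802.1X/EAP exchange again even though the station still offers the PMKID.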
Because neither PMK caching nor preauthentication scales well, IEEE 802.11r-2008 was developed. Before it was ratified, most WLAN vendors implemented a pre-standard precursor of 802.11r called Opportunistic Key Caching (OKC).
1. CWSP - PMKSA
2. CWSP - Opportunistic Key Caching (OKC)
Very well explained. Thank you for your efforts.
Thanks for feedback Kamal 🙂
Do you know which wireless card or mobile device support pre-authentication? Thanks.
Hi dear, I have an issue in my network about this, I don't know how to handle it. The log in the WLC is the following one:
%DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client xx:xx:xx:xx:xx Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM