Number of slides: 13

Fast roaming in WPA
T. Wolniewicz, PIONIER

Events causing access-point switching
• Moving wireless client
• Network card switching in search of better conditions
• Client roaming initiated by the access point – requires non-standard solutions like Cisco Client Extensions

What happens during access-point change
• STA needs to authenticate (delay!!)
• Pairwise master key (PMK) must be available to both the STA and the AP
  – the STA obtains the PMK as the outcome of the EAP conversation with its home RADIUS server (the EAP method derives the same key material at both ends; the key itself is not sent over the air)
  – the RADIUS server sends the PMK to the AP within MS-MPPE-Recv-Key
• WPA 4-way handshake must be completed between the AP and the STA
  – Both sides verify that the peer knows the PMK

Roaming delay
• Authentication can take several seconds, especially for eduroam guest access (the EAP conversation is proxied to the home RADIUS server)
• WPA handshake is fast (milliseconds)

802.11i/WPA2
• Preauthentication – the STA can authenticate to other APs without breaking association with its current AP
• PMK caching – Both AP and STA can keep a cache of PMKs to be reused when reassociation happens
• WPA2 is supported in Windows, but preauthentication and PMK caching seem to require registry changes

Controller-based wireless systems
• APs cannot function on their own
• Controller acts as the RADIUS client
• Controller knows all PMKs and in principle can perform the WPA handshake between a new AP and the STA using the PMK established during a previous authentication between this STA and another controlled AP (if the STA will accept reusing the PMK for another AP)
• All controller vendors claim this can be done and that the AP change can be done within tens of milliseconds
• This is what we have been testing
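The mechanism behind the three preceding slides (PMK on both sides, 4-way handshake proving PMK knowledge, PMK caching at reassociation, and the controller reusing one PMK for a second AP), as an added example that is not part of the original slides. The PMKID and PRF-X derivations follow IEEE 802.11i; the MACs, nonces and PMK are constructed test values, and the "controller pre-seeds the cache for AP2" case is an assumption about how a controller could share the PMK, not a description of any tested product.

```python
# Added example (not from the PIONIER slides): 802.11i PMK reuse across APs.
# PMKID, PRF-X pairwise key expansion and the PMKSA cache lookup are per 802.11i;
# all key material and addresses below are constructed test values.
import hashlib
import hmac


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); AA = AP MAC, SPA = STA MAC."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="CCMP"):
    """PTK = PRF-X(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(nonces)||Max(nonces)).
    X = 384 for CCMP (WPA2/AES), 512 for TKIP (WPA). Both STA and AP run this after messages 1 and 2."""
    nbits = 384 if cipher == "CCMP" else 512
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_ptk(ptk):
    """KCK (16 B) authenticates handshake messages, KEK (16 B) wraps the GTK, TK is the data key."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def eapol_mic(kck, frame_with_zeroed_mic):
    """Key MIC for key descriptor version 2 (AES): HMAC-SHA1 over the EAPOL-Key frame, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


class PMKSACache:
    """Authenticator-side PMKSA cache keyed by PMKID (one entry per AP MAC in plain PMK caching)."""

    def __init__(self):
        self.entries = {}

    def add(self, pmk, aa, spa):
        self.entries[pmkid(pmk, aa, spa)] = pmk

    def lookup(self, candidate):
        return self.entries.get(candidate)


def reassociate(cache, sta_pmk, aa, spa, anonce, snonce):
    """The STA lists the PMKID it expects for AP `aa` in its (Re)Association Request.
    Cache hit: skip 802.1X, go straight to the 4-way handshake, return the PTK.
    Cache miss: return None, i.e. a full EAP authentication (the slow path) is required."""
    pmk = cache.lookup(pmkid(sta_pmk, aa, spa))
    if pmk is None:
        return None
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    # Each side proves PMK knowledge with a MIC under the KCK; a mismatch means a different PMK.
    body = b"constructed EAPOL-Key message 2 body, MIC field zeroed"
    if eapol_mic(split_ptk(ap_ptk)["KCK"], body) != eapol_mic(split_ptk(sta_ptk)["KCK"], body):
        return None
    return ap_ptk


# Constructed test values.
PMK = hashlib.sha256(b"constructed PMK").digest()
AP1 = bytes.fromhex("001122334455")
AP2 = bytes.fromhex("00112233aabb")
STA = bytes.fromhex("aabbccddeeff")
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()


def roaming_scenarios():
    """Which reassociations avoid the 802.1X round trip."""
    cache = PMKSACache()
    cache.add(PMK, AP1, STA)  # PMKSA from the first EAP authentication at AP1
    back_to_ap1 = reassociate(cache, PMK, AP1, STA, ANONCE, SNONCE) is not None
    standalone_ap2 = reassociate(cache, PMK, AP2, STA, ANONCE, SNONCE) is not None
    cache.add(PMK, AP2, STA)  # assumed controller behaviour: same PMK pre-seeded under AP2's MAC
    controller_ap2 = reassociate(cache, PMK, AP2, STA, ANONCE, SNONCE) is not None
    return {"back_to_ap1": back_to_ap1, "standalone_ap2": standalone_ap2, "controller_ap2": controller_ap2}


if __name__ == "__main__":
    print(roaming_scenarios())
```

The PMKID is bound to the AP's MAC address, so with plain PMK caching a cached PMK only helps when the STA returns to the same AP; a controller that wants authentication-less roaming to a new AP has to present that AP's MAC with the same PMK, and the STA has to be willing to compute a PMKID for an AP it never authenticated with. That second condition is the "if the STA will accept reusing the PMK" caveat in the slide.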

How the test was performed
• Laptop running Windows XP SP2, SP3 and Vista (SP1), with various wireless cards
  – NTP-synchronised time just before starting the test
  – fping – a ping implementation allowing us to control ping frequency and response timeout
    • we have been sending packets every 100 ms with a 200 ms timeout
    • we have been marking all ping responses with timestamps and writing them to a file
  – some software showing the associated AP
    • under Vista "netsh wlan show interfaces" worked, but only for some wireless cards
    • card-specific software was also used
• Ping logs have been compared with the RADIUS authentication logs
• Tests have been performed with both a local account and the SURFnet showcase guest account
• Network security was set to WPA/TKIP, and in some cases WPA2/AES was also tested
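The correlation step of the test above (timestamped ping replies compared against RADIUS authentication logs), as an added example that is not part of the original slides. Both logs are constructed for the example: the ping log mimics "one timestamp per received reply" written by the test harness, and the RADIUS log is a generic "timestamp, result, identity, calling station" line rather than any particular server's format. The 0.5 s break threshold and the 2 s lookback window are assumptions chosen for the 100 ms / 200 ms test parameters.

```python
# Added example (not from the PIONIER slides): find breaks in a timestamped ping
# log and check whether a RADIUS Access-Accept for the same station falls inside
# (or just before) each break. Both logs are constructed sample data.
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S.%f"

# Constructed: one line per received reply; 100 ms send interval, one reply lost at 00.400/00.500.
PING_LOG = """\
2008-05-12 10:00:00.000 reply
2008-05-12 10:00:00.100 reply
2008-05-12 10:00:00.200 reply
2008-05-12 10:00:00.300 reply
2008-05-12 10:00:00.600 reply
2008-05-12 10:00:00.700 reply
2008-05-12 10:00:00.800 reply
2008-05-12 10:00:02.900 reply
2008-05-12 10:00:03.000 reply
2008-05-12 10:00:03.100 reply
"""

# Constructed: generic RADIUS log lines, one of them for another station.
RADIUS_LOG = """\
2008-05-12 09:59:41.120 Access-Accept user=guest@example.org calling-station=AA-BB-CC-DD-EE-FF
2008-05-12 10:00:01.500 Access-Accept user=other@example.org calling-station=11-22-33-44-55-66
2008-05-12 10:00:02.640 Access-Accept user=guest@example.org calling-station=AA-BB-CC-DD-EE-FF
"""


def parse_ping_replies(text):
    """Timestamps of received replies (first 23 characters of each line)."""
    return [datetime.strptime(line[:23], TS) for line in text.splitlines() if line.strip()]


def parse_accepts(text, sta_mac):
    """Timestamps of Access-Accept lines for the station under test only."""
    return [
        datetime.strptime(line[:23], TS)
        for line in text.splitlines()
        if "Access-Accept" in line and f"calling-station={sta_mac}" in line
    ]


def find_breaks(replies, threshold_s=0.5):
    """A break is a gap between consecutive replies longer than threshold_s. With a 100 ms
    interval a single lost reply leaves a ~200 ms gap, so 0.5 s separates roams from noise."""
    breaks = []
    for prev, cur in zip(replies, replies[1:]):
        gap = (cur - prev).total_seconds()
        if gap > threshold_s:
            breaks.append({"start": prev, "end": cur, "duration_s": gap})
    return breaks


def correlate(ping_log, radius_log, sta_mac, lookback_s=2.0):
    """For each break, list Access-Accepts for this station between `lookback_s` before the
    last good reply and the first reply after the break. An accept in that window means
    the AP change was accompanied by a reauthentication; an accept well before the break
    but no break-free switch is the "authenticated early, still broke" pattern."""
    accepts = parse_accepts(radius_log, sta_mac)
    results = []
    for b in find_breaks(parse_ping_replies(ping_log)):
        lo = b["start"] - timedelta(seconds=lookback_s)
        hits = [a for a in accepts if lo <= a <= b["end"]]
        results.append({
            "start": b["start"].strftime(TS)[:-3],
            "duration_s": b["duration_s"],
            "accepts": [a.strftime(TS)[:-3] for a in hits],
            "reauth": bool(hits),
        })
    return results


if __name__ == "__main__":
    for r in correlate(PING_LOG, RADIUS_LOG, "AA-BB-CC-DD-EE-FF"):
        print(r)
```

The NTP step in the slide matters here: the correlation is only as good as the clock offset between the laptop writing the ping log and the RADIUS server writing its log, so a window narrower than that offset gives meaningless results.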

Additional voice test (only with Cisco)
• A Nokia E65 was used for the voice test
  – fring was used to establish a Skype connection to a PC
  – the PC's microphone was listening to the radio
  – I listened to the voice on the Nokia, manually recording breaks in transmission

Which systems have been tested
• 3COM WX1200 with AP8760
• Alcatel OmniAccess 4302 with AP60 and AP70
  – vendor is coming back to us after some in-house testing
  – similar tests, with identical results, have been performed by PSNC on an Aruba system
• Siemens HiPath Wireless C2400 Controller
• Cisco 2000 Series WLAN Controller: 6 APs
• Trapeze Networks MXR-2 with MP-272
  – test not complete, but this system will most likely behave the same as the 3COM WX

Test results
• We have not observed a single case of AP roaming which would not require a reauthentication
• Cisco roaming did require reauthentication, but it was extremely fast with a local account (it was observable during voice transmission, but hardly); however, during guest access the break lasted between 1.5 and 3 seconds
• The WPA2 test for Siemens showed that authentication happened visibly earlier than the AP switch, but still the break in transmission was over 1 second

Vendor reaction
• So far no vendor has been able to prove that we have been wrong in our tests
• In some cases vendors have confirmed that they have not been able to produce authentication-less roaming in their labs
• Some vendors started asking "why do you need this fast roaming anyway?"
• Some vendors took their equipment back for further testing and we are still waiting for their response

MERU Networks Virtual Cell
• This is such a unique idea that it requires a separate description
• In the MERU solution all APs use the same channel and the same BSSID
• There are no collisions, as the controller manages the time when the APs send their frames
• From the STA's point of view there is no roaming – the STA sees only one AP
• The de-facto roaming does not even require a WPA handshake and does indeed happen absolutely smoothly

MERU tests
• We have been running tests with one controller and 15 APs running a production network at the Faculty of Mathematics and Informatics
• There were some issues due to faulty hardware
• In general the test passed OK