Fast roaming in WPA T. Wolniewicz PIONIER
Events causing access-point switching Moving wireless client Metwork card switching in search of better conditions Client roaming initiated by the access-point – requires non-standard solutions like Cisco Client Extensions
What happens during access-point change STA needs to authenticate (delay!!) Pairwise master key (PMK) must be distributed to STA and to the AP – PMK is sent by home Radius to STA as a part of the EAP conversation – PMK is sent to the AP within MS-MPPE-Recv-Key WPA 4-way handshake must be completed between AP and the STA – Both sides verify that the peer knows PMK
Roaming delay Authentication can take several seconds, especially for eduroam guest access WPA hanshake is fast (miliseconds)
802.11i/WPA2 Preauthentication – NAS can authenticate to other APs not breaking association with its current AP PMK caching – Both AP and NAS can keep a cache of PMKs to be reused when reassociation happens WPA2 is supported in Windows, but preauthentication and PMK caching seem to require registry changes
Controller based wireless systems APs cannot function on their own Controller acts as the Radius client Controller knows all PMKs and in principle can perform WPA handshake between a new AP and STA using PMK established during a previous authentication between this STA and another controlled AP (if the STA will accept reusing the PMK for another AP) All controller vendors claim this can be done and the AP change can be done within tens of milliseconds This is what we have been testing
How the test was performed Laptop running Windows XP SP2, SP3 and Vista (SP1) (various wireless cards) – NTP synchronised time just before starting the test – fping – ping implementation allowing us to control ping frequency and response timeout we have been sending packets every 100 ms with 200 ms timeout we have been marking all ping responses with timestamps and writing them to a file – some software showing the associated AP under vista “netsh wlan show interfaces” worked but only for some wireless cards card-specific software was also used Ping logs have been compared with the RADIUS authentication logs Tests have been performed with both local and Surfnet showcase guest account Network security was set to WPA/TKIP and in some cases WPA2/AES was also tested
Additional voice test (only with Cisco) Nokia E65 was used for voice test – fring was used to establish a Skype connection to a PC – PC’s mike was listening to the radio – I have listened to the voice on Nokia manually recording breaks in transmission
Which systems have been tested 3COM WX1200 with AP 8760 Alcatel OmniAccess 4302 with AP 60 and 70 – vendor is coming back to us after some in-house testing – similar tests, with identical results, have been performed by PSNC on an Aruba system Siemens HiPath Wireless C2400 Controller Cisco 2000 Series WLAN Controller: 6 Aps Trapeze Networks MXR-2 with MP-272 – test not complete, but this system will most likely behave the same as 3COM WX
Test results We have not observed a single case of AP roaming which would not require a reauthentication Cisco roaming did require reauthentication but it was extremely fast with a local account (it was observable during voice transmission, but hardly), however during the guest access the break lasted between 1.5 and 3 seconds. WPA2 test for Siemens showed that authentication happened visibly earlier then the AP switch, but still the break in transmission was over 1 second
Vendor reaction So far no vendor has been able to prove that we have been wrong in our tests In some cases vendors have confirmed that they have not been able to produce authentication-less roaming in their labs Some vendors started asking “why do you need this fast roaming anyway?” Some vendors took their equipment back for further testing and we are still waiting for their response
MERU Networks Virtual Cell This is such a unique idea, that it requires separate description In MERU solution all APs use the same channel and the same BSSID. There are no collisions as the controller manages the time when the APs send their frames From the STA point of view there is no roaming - STA sees only one AP The de-facto roaming does not even require WPA handshake and does indeed happen absolutely smoothly
MERU tests We have been running tests with one controller and 15 APs running a production network at Faculty of Mathematics and Informatics. There were some issues due to faulty hardware In general the test passed OK