Instant supports the following features that enable fast roaming of clients:
| 802.11r Roaming |
| Opportunistic Key Caching |
802.11r is a roaming standard defined by IEEE. When enabled, 802.11r reduces roaming delay by pre-authenticating clients with multiple target APs before a client roams to an AP. With 802.11r implementation, clients pre-authenticate with multiple APs in a cluster.
As part of the 802.11r implementation, Instant supports the Fast BSS Transition protocol. The Fast BSS Transition mechanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster. This minimizes the time required to resume data connectivity when a BSS transition happens.
|
Fast BSS Transition is operational only if the wireless client supports 802.11r standard. If the client does not support 802.11r standard, it falls back to the normal WPA2 authentication method. |
You can configure 802.11r support for a WLAN SSID by using Instant UI or CLI.
1. | Navigate to the WLAN wizard (click Network> or > Select the WLAN SSID> ). |
2. | Click the | tab.
3. | Slide to | , or security level. On selecting a security level, the authentication options applicable to the corresponding network are displayed. The following figure shows the security level details.
Figure 1 WLAN Security Settings—Enterprise Tab
4. | Set | to . 802.11r roaming can also be enabled for and security levels.
5. | Click | and then click .
To enable 802.11r roaming on an enterprise WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes}
(Instant Access Point)(SSID Profile <name>)# dot11r
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
To enable 802.11r roaming for personal security settings:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-psk-aes| wpa-tkip| wpa-psk-tkip|wpa-tkip,wpa2-aes| wpa-psk-tkip,wpa2-psk-aes}
(Instant Access Point)(SSID Profile <name>)# dot11r
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
To enable 802.11r roaming for open security settings:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode {opensystem}
(Instant Access Point)(SSID Profile <name>)# dot11r
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Instant now supports opportunistic key caching (OKC) based roaming. In the OKC based roaming, the AP stores one pairwise master key (PMK) per client, which is derived from last 802.1x authentication completed by the client in the network. The cached PMK is used when a client roams to a new AP. This allows faster roaming of clients between the IAPs in a cluster, without requiring a complete 802.1X authentication.
|
OKC roaming (when configured in the 802.1x Authentication profile) is supported on WPA2 clients. If the wireless client (the 802.1X supplicant) does not support this feature, a complete 802.1X authentication is required whenever a client roams to a new AP. |
You can enable OKC roaming for WLAN SSID by using Instant UI or CLI.
1. | Navigate to the WLAN wizard (click Network> or > Select the WLAN SSID> ). |
2. | Click the | tab.
3. | Slide to | security level. On selecting a security level, the authentication options applicable to Enterprise network are displayed.
4. | Select the Key management drop-down list. When any of these encryption types is selected, (OKC) is enabled by default. | or option from the
5. | Click | and then click .
To disable OKC roaming on a WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}
(Instant Access Point)(SSID Profile <name>)# okc-disable
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
To enable OKC roaming on a WLAN SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes| wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes|}
(Instant Access Point)(SSID Profile <name>)# no okc-disable
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply