You are here: Wireless Network Profiles > Configuring Support for 802.11r and OKC
Previous TopicNext Topic

Configuring Support for Fast Roaming of Clients

Instant supports the following features that enable fast roaming of clients:

802.11r Roaming
Opportunistic Key Caching

802.11r Roaming

802.11r is a roaming standard defined by IEEE. When enabled, 802.11r reduces roaming delay by pre-authenticating clients with multiple target APs before a client roams to an AP. With 802.11r implementation, clients pre-authenticate with multiple APs in a cluster.

As part of the 802.11r implementation, Instant supports the Fast BSS Transition protocol. The Fast BSS Transition mechanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster. This minimizes the time required to resume data connectivity when a BSS transition happens.

 

Fast BSS Transition is operational only if the wireless client supports 802.11r standard. If the client does not support 802.11r standard, it falls back to the normal WPA2 authentication method.

Configuring an IAP for 802.11r support

You can configure 802.11r support for a WLAN SSID by using Instant UI or CLI.

In the Instant UI

1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit).
2. Click the Security tab.
3. Slide to Enterprise, Personal or Open security level. On selecting a security level, the authentication options applicable to the corresponding network are displayed. The following figure shows the Enterprise security level details.

Figure 1  WLAN Security Settings—Enterprise Tab

4. Set 802.11r roaming to Enabled. 802.11r roaming can also be enabled for Personal and Open security levels.
5. Click Next and then click Finish.

In the CLI

To enable 802.11r roaming on an enterprise WLAN SSID:

(Instant Access Point)(config)# wlan ssid-profile <name>

(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes}

(Instant Access Point)(SSID Profile <name>)# dot11r

(Instant Access Point)(config)# end

(Instant Access Point)# commit apply

To enable 802.11r roaming for personal security settings:

(Instant Access Point)(config)# wlan ssid-profile <name>

(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-psk-aes| wpa-tkip| wpa-psk-tkip|wpa-tkip,wpa2-aes| wpa-psk-tkip,wpa2-psk-aes}

(Instant Access Point)(SSID Profile <name>)# dot11r

(Instant Access Point)(config)# end

(Instant Access Point)# commit apply

To enable 802.11r roaming for open security settings:

(Instant Access Point)(config)# wlan ssid-profile <name>

(Instant Access Point)(SSID Profile <name>)# opmode {opensystem}

(Instant Access Point)(SSID Profile <name>)# dot11r

(Instant Access Point)(config)# end

(Instant Access Point)# commit apply

Opportunistic Key Caching

Instant now supports opportunistic key caching (OKC) based roaming. In the OKC based roaming, the AP stores one pairwise master key (PMK) per client, which is derived from last 802.1x authentication completed by the client in the network. The cached PMK is used when a client roams to a new AP. This allows faster roaming of clients between the IAPs in a cluster, without requiring a complete 802.1X authentication.

 

OKC roaming (when configured in the 802.1x Authentication profile) is supported on WPA2 clients. If the wireless client (the 802.1X supplicant) does not support this feature, a complete 802.1X authentication is required whenever a client roams to a new AP.

Configuring an IAP for OKC Roaming

You can enable OKC roaming for WLAN SSID by using Instant UI or CLI.

In the Instant UI

1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit).
2. Click the Security tab.
3. Slide to Enterprise security level. On selecting a security level, the authentication options applicable to Enterprise network are displayed.

4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list. When any of these encryption types is selected, Opportunistic Key Caching (OKC) is enabled by default.
5. Click Next and then click Finish.

In the CLI

To disable OKC roaming on a WLAN SSID:

(Instant Access Point)(config)# wlan ssid-profile <name>

(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}

(Instant Access Point)(SSID Profile <name>)# okc-disable

(Instant Access Point)(config)# end

(Instant Access Point)# commit apply

To enable OKC roaming on a WLAN SSID:

(Instant Access Point)(config)# wlan ssid-profile <name>

(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes| wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes|}

(Instant Access Point)(SSID Profile <name>)# no okc-disable

(Instant Access Point)(config)# end

(Instant Access Point)# commit apply