Fast Roaming for Wireless Clients

Instant supports the following features that enable fast roaming of clients:

Opportunistic Key Caching

Instant supports OKC-based roaming. OKC (Opportunistic Key Caching) is a technique available for authentication between multiple APs in a network where those APs are under common administrative control. Using OKC, a station roaming to any AP in the network does not have to complete a full authentication exchange, but instead performs only the 4-way handshake to establish transient encryption keys. In OKC-based roaming, the Instant AP stores one PMK (Pairwise Master Key, the shared secret key generated after PSK or 802.1X authentication) per client, which is derived from the last 802.1X authentication completed by the client in the network. The PMK cache is used to identify authenticated clients when they roam to a new Instant AP. This allows faster roaming of clients between the Instant APs in a cluster, without requiring a complete 802.1X authentication. The ageout period of client entries in the PMK cache is 8 hours, after which the client entry is deleted and the client must re-authenticate into the network.

OKC roaming (when configured in the 802.1X Authentication profile) is supported on WPA2 clients. If the wireless client (the 802.1X supplicant) does not support this feature, a complete 802.1X authentication is required whenever a client roams to a new Instant AP.

Configuring an Instant AP for OKC Roaming

The following procedure describes how to enable OKC roaming on a WLAN SSID by using the Instant WebUI:

  1. Navigate to the Configuration > Networks page.
  2. Under Networks, select the network you want to configure and click Edit.
  3. Select the Security tab.
  4. In the Security Level drop-down list box, select Enterprise.
  5. In the Key management drop-down list box, select WPA2 Enterprise or Both (WPA2 & WPA).
  6. Under Fast Roaming, toggle the Opportunistic Key Caching (OKC) switch to enable.
  7. Click Next and then Finish.

The following CLI command enables OKC roaming on a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile "<name>")# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}

(Instant AP)(SSID Profile "<name>")# okc

The following CLI command disables OKC roaming on a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile "<name>")# opmode {wpa2-aes|wpa-tkip,wpa-aes,wpa2-tkip,wpa2-aes}

(Instant AP)(SSID Profile "<name>")# no okc

The following CLI command displays the client entries in the PMK cache:

(Instant AP)# show ap pmkcache

Configuring the Ageout Time for PMK Cache Entries

The PMK cache stores the details of connected clients for authenticating clients roaming between different APs. By default, the client details in the PMK cache are stored for about 8 hours after the client disconnects or gets timed out from the network. However, client entries in the PMK cache can be deleted immediately after a client disconnects or gets timed out from the network. This is configured in the WLAN SSID profile by enabling the delete-pmkcache parameter using the CLI.

The following CLI command deletes the client details in the PMK cache immediately after client disconnection or timeout:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile "<name>")# delete-pmkcache
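
A simplified model of the PMK cache behaviour described above, added here as an illustration and not Aruba's implementation. The class and function names are hypothetical, the PMKID formula is the IEEE 802.11 one, and the sample PMK and MAC addresses are constructed; it shows which returning clients skip 802.1X under the default 8-hour ageout and with delete-pmkcache enabled.

```python
import hashlib
import hmac

AGEOUT_SECONDS = 8 * 3600  # ageout period stated on this page


def pmkid(pmk: bytes, ap_bssid: bytes, client_mac: bytes) -> bytes:
    """IEEE 802.11 PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    mac = hmac.new(pmk, b"PMK Name" + ap_bssid + client_mac, hashlib.sha1)
    return mac.digest()[:16]


class PmkCache:
    """Simplified model of a cluster-wide PMK cache (one PMK per client)."""

    def __init__(self, delete_on_disconnect=False):
        self.delete_on_disconnect = delete_on_disconnect  # models delete-pmkcache
        self._entries = {}  # client MAC -> [PMK, time of disconnect or None]

    def full_auth(self, client_mac, pmk):
        # The PMK from the last completed 802.1X authentication replaces any older one.
        self._entries[client_mac] = [pmk, None]

    def disconnect(self, client_mac, now):
        if client_mac not in self._entries:
            return
        if self.delete_on_disconnect:
            del self._entries[client_mac]       # entry removed immediately
        else:
            self._entries[client_mac][1] = now  # ageout clock starts

    def roam(self, client_mac, new_bssid, offered_pmkid, now):
        """Decide what the new AP requires from a (re)associating client."""
        entry = self._entries.get(client_mac)
        if entry is None:
            return "full-802.1X"
        pmk, left_at = entry
        if left_at is not None and now - left_at > AGEOUT_SECONDS:
            del self._entries[client_mac]       # aged out
            return "full-802.1X"
        # Constant-time comparison of the PMKID the client offers for this BSSID.
        if not hmac.compare_digest(pmkid(pmk, new_bssid, client_mac), offered_pmkid):
            return "full-802.1X"
        entry[1] = None                         # client is connected again
        return "4-way-handshake-only"


def demo():
    # Constructed sample values, not taken from any real network.
    pmk = bytes(range(32))
    client = bytes.fromhex("020000000001")
    ap_b = bytes.fromhex("0200000000b2")
    offer = pmkid(pmk, ap_b, client)
    results = {}

    cache = PmkCache()
    cache.full_auth(client, pmk)
    results["roam_while_cached"] = cache.roam(client, ap_b, offer, now=60)
    cache.disconnect(client, now=100)
    results["return_within_8h"] = cache.roam(client, ap_b, offer, now=100 + 3600)
    cache.disconnect(client, now=5000)
    results["return_after_8h"] = cache.roam(client, ap_b, offer, now=5000 + AGEOUT_SECONDS + 1)

    strict = PmkCache(delete_on_disconnect=True)
    strict.full_auth(client, pmk)
    strict.disconnect(client, now=100)
    results["return_with_delete_pmkcache"] = strict.roam(client, ap_b, offer, now=101)
    return results
```

With the default setting, a client that returns within 8 hours of disconnecting is admitted on the cached PMK without a new 802.1X exchange; with delete-pmkcache, every return after a disconnect goes back through 802.1X.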

Fast BSS Transition (802.11r Roaming)

802.11r is a roaming standard defined by IEEE. When enabled, 802.11r reduces roaming delay by pre-authenticating clients with multiple target Instant APs before a client roams to an Instant AP. With 802.11r implementation, clients pre-authenticate with multiple Instant APs in a cluster.

As part of the 802.11r implementation, Instant supports the Fast BSS (Basic Service Set) Transition protocol. The Fast BSS Transition mechanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster. This minimizes the time required to resume data connectivity when a BSS transition happens.

Configuring an Instant AP for 802.11r support

The following procedure describes how to configure 802.11r support for a WLAN SSID by using the Instant WebUI:

  1. Navigate to the Configuration > Networks page.
  2. Under Networks, select the network you want to configure and click Edit.
  3. Select the Security tab.
  4. Under Fast Roaming, toggle the 802.11r switch to enable.
  5. Click Next and then Finish.

The following CLI command enables 802.11r roaming on a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# dot11r

Mobility Domain Identifier

In a network of standalone Instant APs within the same management VLAN, 802.11r roaming does not work. This is because the mobility domain identifiers do not match across Instant APs. They are auto-generated based on a virtual controller key. Instant introduces an option for users to set a mobility domain identifier for 802.11r SSIDs. For standalone Instant APs in the same management VLAN, 802.11r roaming works only when the mobility domain identifier is configured with the same value.

You can configure a mobility domain identifier by using the Instant WebUI:

  1. Navigate to the Configuration > Networks page.
  2. Under Networks, select the network you want to configure and click Edit.
  3. Select the Security tab.
  4. Under Fast Roaming, toggle the 802.11r switch to enable.
  5. In the MDID text box, enter the mobility domain identifier.
  6. Click Next and then Finish.

The following CLI command enables MDID on a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# mdid <Mobility domain ID>
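
One way to check the MDID requirement above across standalone Instant APs, added here as an example and not part of the product. It assumes each AP's configuration is available as text with settings indented under a "wlan ssid-profile <name>" line; the function names, AP labels and MDID values are constructed.

```python
import re
from collections import defaultdict


def parse_ssid_profiles(config_text):
    """Return {profile name: {setting: value}} for each 'wlan ssid-profile' block."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        header = re.match(r'^wlan ssid-profile\s+"?([^"]+?)"?\s*$', raw)
        if header:
            current = profiles.setdefault(header.group(1), {})
        elif current is not None and raw[:1].isspace() and raw.strip():
            key, _, value = raw.strip().partition(" ")
            current[key] = value.strip()
        elif raw.strip():
            current = None  # any other top-level line ends the block
    return profiles


def audit_mdid(ap_configs):
    """ap_configs maps an AP label to its config text; returns a list of findings.

    Assumes the APs passed in are standalone APs in the same management VLAN.
    """
    per_profile = defaultdict(dict)  # profile name -> {AP label: mdid or None}
    for ap, text in ap_configs.items():
        for name, settings in parse_ssid_profiles(text).items():
            if "dot11r" in settings:
                per_profile[name][ap] = settings.get("mdid")

    findings = []
    for name, per_ap in sorted(per_profile.items()):
        if len(per_ap) < 2:
            continue  # only one AP serves this 802.11r SSID; nothing to roam to
        missing = sorted(ap for ap, mdid in per_ap.items() if mdid is None)
        values = sorted({mdid for mdid in per_ap.values() if mdid is not None})
        if missing:
            findings.append(f"{name}: dot11r without mdid on {', '.join(missing)}")
        if len(values) > 1:
            findings.append(f"{name}: mdid differs across APs: {', '.join(values)}")
    return findings


# Constructed sample configurations for three standalone APs.
SAMPLE = {
    "ap-lobby": "wlan ssid-profile corp\n opmode wpa2-aes\n dot11r\n mdid 100\n",
    "ap-lab": "wlan ssid-profile corp\n opmode wpa2-aes\n dot11r\n mdid 200\n",
    "ap-dock": (
        "wlan ssid-profile corp\n opmode wpa2-aes\n dot11r\n"
        "wlan ssid-profile guest\n opmode wpa2-aes\n"
    ),
}

if __name__ == "__main__":
    for finding in audit_mdid(SAMPLE):
        print(finding)
```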

Radio Resource Management (802.11k)

The 802.11k standard provides mechanisms for Instant APs and clients to dynamically measure the available radio resources and enables stations to query and manage their radio resources. In an 802.11k-enabled network, Instant APs and clients can share radio and link measurement information, neighbor reports, and beacon reports with each other. This allows the WLAN network infrastructural elements and clients to assess resources and make optimal mobility decisions to ensure QoS and seamless continuity.

Instant supports the following radio resource management information elements with 802.11k support enabled:

Beacon Report Requests and Probe Responses

The beacon request frame is sent by an Instant AP to request a client to report the list of beacons detected by the client on all channels.

  • The beacon request is sent using the radio measurement request action frame.
  • It is sent only to those clients that have the capability to generate beacon reports. The clients indicate their capabilities through the RRM enabled capabilities IE sent in the association request frames.
  • By default, the beacon request frames are sent at a periodicity of 60 seconds.

Configuring a WLAN SSID for 802.11k Support

The following procedure describes how to enable 802.11k support on a WLAN SSID by using the Instant WebUI:

  1. Navigate to the Configuration > Networks page.
  2. Under Networks, select the network you want to configure and click Edit.
  3. Select the Security tab.
  4. Under Fast Roaming, toggle the 802.11k switch to enable.
  5. Click Next and then Finish.

To allow the Instant AP and clients to exchange neighbor reports, ensure that Client Match is enabled through RF > ARM > Client match > Enabled in the WebUI or by executing the client-match command in the arm configuration sub-command mode.

The following CLI command enables the 802.11k profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# dot11k

The following CLI command is used to view the beacon report details:

(Instant AP)# show ap dot11k-beacon-report <mac>

The following CLI command is used to view the neighbor details:

(Instant AP)# show ap dot11k-nbrs

Example

(Instant AP)(config)# wlan ssid-profile dot11k-profile

(Instant AP)(SSID Profile "dot11k-profile")# dot11k

BSS Transition Management (802.11v)

The 802.11v standard provides Wireless Network Management enhancements to the IEEE 802.11 MAC and PHY. It extends radio measurements to define mechanisms for wireless network management of stations including BSS transition management.

Instant APs support the generation of the BSS transition management request frames to the 802.11k clients when a suitable Instant AP is identified for a client through Client Match.

Configuring a WLAN SSID for 802.11v Support

The following procedure describes how to enable 802.11v support on a WLAN SSID by using the Instant WebUI:

  1. Navigate to the Configuration > Networks page.
  2. Under Networks, select the network you want to configure and click Edit.
  3. Select the Security tab.
  4. Under Fast Roaming, toggle the 802.11v switch to enable.
  5. Click Next and then Finish.

The following CLI command enables the 802.11v profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# dot11v

Example

(Instant AP)(config)# wlan ssid-profile dot11v-profile

(Instant AP)(SSID Profile "dot11v-profile")# dot11v