Key Management Service Workflow
The Key Management Service (KMS) in HPE Aruba Networking Wireless Operating System 10 is central to the seamless and secure operation of wireless networks.
The following diagram shows the KMS workflow and the role the KMS plays in supporting seamless wireless roaming and improving network efficiency.
Figure 1 KMS workflow
The following steps describe the KMS workflow:
- A wireless user associates with an access point (AP1) and completes 802.1X authentication. The result is either a Pairwise Master Key (PMK, the shared secret key produced by PSK or 802.1X authentication) or, if the 802.11r (Fast BSS Transition) protocol is enabled, an R0 key derived from the master session key.
- AP1 sends the user's station record to the KMS in HPE Aruba Networking Central. The station record carries the user-specific details: the PMK or R0 key, VLAN ID, user role, and machine authentication state (if enabled).
- On receiving the station record, the KMS stores it in its cache and retrieves the list of APs neighboring AP1 from the AirMatch service.
- Using the neighbor list for AP1 and the cached station record (including the PMK or R0 key), the KMS generates an R1 key for each neighboring AP if the network uses 802.11r fast roaming. If Opportunistic Key Caching (OKC) is used instead, the R1 key generation step is omitted. (With OKC, a station roaming between APs under common administrative control does not repeat the full authentication exchange; it performs only the 4-way handshake to establish transient encryption keys.)
- To make roaming seamless, the KMS distributes the user's station record to all APs neighboring AP1. When the user later roams to AP2 or AP3, a full authentication is not needed: that AP already holds the user's PMK or R1 key, so only the 4-way handshake between the user and the AP remains, which simplifies and speeds up the roaming process.
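As an added illustration (not code from the HPE Aruba Networking documentation), the key hierarchy behind steps 1 and 4 modelled in Python using the standard IEEE 802.11r derivation (KDF-SHA-256, PMK-R0 from the MSK, a per-AP PMK-R1 bound to each neighbor's R1KH-ID). The station-record layout, the use of AP1's BSSID as R0KH-ID, and all sample values are assumptions; it also shows the OKC branch, where the same PMK is pushed unchanged.

```python
import hashlib
import hmac
import struct

def kdf_sha256(key, label, context, length_bits):
    """IEEE 802.11 KDF-SHA-256: counter-mode HMAC; counter and length are 16-bit little-endian."""
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]

def derive_pmk_r0(msk, ssid, mdid, r0kh_id, sta_mac):
    """Step 1 (FT enabled): PMK-R0 and PMKR0Name; for 802.1X, XXKey is the second 256 bits of the MSK."""
    xxkey = msk[32:64]
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + sta_mac
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", ctx, 384)      # 256-bit key followed by 128-bit name salt
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmkr0name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]
    return pmk_r0, pmkr0name

def derive_pmk_r1(pmk_r0, pmkr0name, r1kh_id, sta_mac):
    """Step 4 (FT enabled): a PMK-R1 bound to one AP's R1KH-ID (its BSSID); PMK-R0 itself stays in the KMS."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + sta_mac, 256)
    pmkr1name = hashlib.sha256(b"FT-R1N" + pmkr0name + r1kh_id + sta_mac).digest()[:16]
    return pmk_r1, pmkr1name

def records_for_neighbors(station_record, neighbor_bssids, ft_enabled):
    """Steps 4-5: what the KMS pushes to each neighbor of AP1 (record field names are assumed)."""
    pushed = {}
    for bssid in neighbor_bssids:
        rec = {k: station_record[k] for k in ("vlan_id", "user_role", "machine_auth")}
        if ft_enabled:
            rec["pmk_r1"], rec["pmkr1name"] = derive_pmk_r1(
                station_record["pmk_r0"], station_record["pmkr0name"], bssid, station_record["sta_mac"])
        else:
            rec["pmk"] = station_record["pmk"]   # OKC: the PMK is reused as-is, no R1 step
        pushed[bssid] = rec
    return pushed

# Constructed sample values: not real keys, SSIDs or hardware addresses.
MSK = bytes(range(64))                                 # 64-byte MSK from the 802.1X exchange
STA = bytes.fromhex("020000000001")                    # client MAC (S0KH-ID / S1KH-ID)
AP1, AP2, AP3 = (bytes.fromhex(f"0200000000{n:02x}") for n in (0x10, 0x20, 0x30))
PMK_R0, R0NAME = derive_pmk_r0(MSK, b"corp-wifi", b"\x12\x34", AP1, STA)
STATION_RECORD = {"sta_mac": STA, "pmk": MSK[:32], "pmk_r0": PMK_R0, "pmkr0name": R0NAME,
                  "vlan_id": 100, "user_role": "employee", "machine_auth": True}
```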