130 likes | 135 Vues
Fast roaming in WPA. T. Wolniewicz PIONIER. Events causing access-point switchin g. M oving wireless client M etwork card switching in search of better conditions C lient roaming initiated by the access-point requires non-standard solutions like Cisco Client Extensions.
E N D
Fast roaming in WPA T. Wolniewicz PIONIER
Events causing access-point switching • Moving wireless client • Metwork card switching in search of better conditions • Client roaming initiated by the access-point • requires non-standard solutions like Cisco Client Extensions
What happens during access-point change • STA needs to authenticate (delay!!) • Pairwise master key (PMK) must be distributed to STA and to the AP • PMK is sent by home Radius to STA as a part of the EAP conversation • PMK is sent to the AP within MS-MPPE-Recv-Key • WPA 4-way handshake must be completed between AP and the STA • Both sides verify that the peer knows PMK
Roaming delay • Authentication can take several seconds, especially for eduroam guest access • WPA hanshake is fast (miliseconds)
802.11i/WPA2 • Preauthentication • NAS can authenticate to other APs not breaking association with its current AP • PMK caching • Both AP and NAS can keep a cache of PMKs to be reused when reassociation happens • WPA2 is supported in Windows, but preauthentication and PMK caching seem to require registry changes
Controller based wireless systems • APs cannot function on their own • Controller acts as the Radius client • Controller knows all PMKs and in principle can perform WPA handshake between a new AP and STA using PMK established during a previous authentication between this STA and another controlled AP (if the STA will accept reusing the PMK for another AP) • All controller vendors claim this can be done and the AP change can be done within tens of milliseconds • This is what we have been testing
How the test was performed • Laptop running Windows XP SP2, SP3 and Vista (SP1) (various wireless cards) • NTP synchronised time just before starting the test • fping – ping implementation allowing us to control ping frequency and response timeout • we have been sending packets every 100 ms with 200 ms timeout • we have been marking all ping responses with timestamps and writing them to a file • some software showing the associated AP • under vista “netsh wlan show interfaces” worked but only for some wireless cards • card-specific software was also used • Ping logs have been compared with the RADIUS authentication logs • Tests have been performed with both local and Surfnet showcase guest account • Network security was set to WPA/TKIP and in some cases WPA2/AES was also tested
Additional voice test (only with Cisco) • Nokia E65 was used for voice test • fring was used to establish a Skype connection to a PC • PC’s mike was listening to the radio • I have listened to the voice on Nokia manually recording breaks in transmission
Which systems have been tested • 3COM WX1200 with AP 8760 • Alcatel OmniAccess 4302 with AP 60 and 70 • vendor is coming back to us after some in-house testing • similar tests, with identical results, have been performed by PSNC on an Aruba system • Siemens HiPath Wireless C2400 Controller • Cisco 2000 Series WLAN Controller: 6 Aps • Trapeze Networks MXR-2 with MP-272 • test not complete, but this system will most likely behave the same as 3COM WX
Test results • We have not observed a single case of AP roaming which would not require a reauthentication • Cisco roaming did require reauthentication but it was extremely fast with a local account (it was observable during voice transmission, but hardly), however during the guest access the break lasted between 1.5 and 3 seconds. • WPA2 test for Siemens showed that authentication happened visibly earlier then the AP switch, but still the break in transmission was over 1 second
Vendor reaction • So far no vendor has been able to prove that we have been wrong in our tests • In some cases vendors have confirmed that they have not been able to produce authentication-less roaming in their labs • Some vendors started asking “why do you need this fast roaming anyway?” • Some vendors took their equipment back for further testing and we are still waiting for their response
MERU Networks Virtual Cell • This is such a unique idea, that it requires separate description • In MERU solution all APs use the same channel and the same BSSID. • There are no collisions as the controller manages the time when the APs send their frames • From the STA point of view there is no roaming - STA sees only one AP • The de-facto roaming does not even require WPA handshake and does indeed happen absolutely smoothly
MERU tests • We have been running tests with one controller and 15 APs running a production network at Faculty of Mathematics and Informatics. • There were some issues due to faulty hardware • In general the test passed OK