WESM zl Management and Configuration Guide WT.01.28 and greater

Fast Layer 2 Roaming and Layer 3 Mobility
Overview
Fast Layer 2 Roaming for WPA/WPA2 with 802.1X
WPA's Temporal Key Integrity Protocol (TKIP) (and WPA2's Counter Mode CBC-MAC Protocol [CCMP]) derive encryption keys from a unique Pairwise Master Key (PMK) for each association with a wireless station. Because the PMK is necessary for the station and the Wireless Edge Services zl Module to communicate, the module must ensure that it maintains the key for a roaming station. The following mechanisms help it to do so:
• Pairwise Master Key (PMK) caching—Enables fast roaming back to an RP adopted by the Wireless Edge Services zl Module.
  PMK caching allows the module to store a station's PMK after the station disassociates from one of the module's RPs. Caching ensures that the key is still in place if the station again associates with an RP adopted by the module.
• Opportunistic Key caching—Facilitates fast roaming to a new RP on the local Wireless Edge Services zl Module.
  Opportunistic key caching enables the module to push PMKs down to all adopted RPs, so that the correct key is in place if a station roams to a new RP.
These mechanisms are enabled by default, although you can disable them on particular WLANs. A third mechanism, pre-authentication, completes the requirements for fast roaming between RPs adopted by different Wireless Edge Services zl Modules.
Note: Using pre-authentication to enable fast roaming also applies to roaming between an AP and a Wireless Edge Services zl Module.
Pre-authentication
Roaming becomes more complicated when a station roams from an RP adopted by one module to an RP adopted by another module.
The complication arises from the authentication enforced in the WLAN. Because the station has not authenticated to the second module, the second module does not know whether the station is allowed to connect. 802.1X authentication, in particular, slows down a roam because it requires several exchanges of messages, usually with a network RADIUS server.
In addition, as noted above, WPA uses 802.1X authentication to create unique encryption keys for each station. The second module does not have the correct key for the station until the station authenticates to it.
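To make the roaming cases above concrete, the following is an added Python model (not the module's firmware or any HP code) of a module and its adopted RPs: the PMKID derivation is the IEEE 802.11i one, while the Module class, the RP and station MACs and the scenario are constructed for illustration. It shows which roams are served from an already-installed PMK (PMK caching, opportunistic key caching, pre-authentication) and which fall back to a full 802.1X exchange.

```python
import hashlib
import hmac
import os

def pmkid(pmk: bytes, rp_mac: bytes, sta_mac: bytes) -> bytes:
    """IEEE 802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the station
    offers it on (re)association so the RP can look up a cached PMK."""
    return hmac.new(pmk, b"PMK Name" + rp_mac + sta_mac, hashlib.sha1).digest()[:16]

class Module:
    """Simplified model of one module and its adopted RPs (added example, not product code)."""
    def __init__(self, rps, pmk_caching=True, okc=True):
        self.rps, self.pmk_caching, self.okc = list(rps), pmk_caching, okc
        self.rp_keys = {rp: {} for rp in rps}   # per-RP key table: PMKID -> PMK
        self.full_auths = 0                     # full 802.1X/RADIUS exchanges performed

    def _dot1x(self, sta, rp):
        self.full_auths += 1
        pmk = os.urandom(32)                    # PMK produced by the 802.1X exchange
        # OKC pushes the new PMK to every adopted RP; otherwise only this RP holds it
        for target in (self.rps if self.okc else [rp]):
            self.rp_keys[target][pmkid(pmk, target, sta)] = pmk
        return pmk

    def associate(self, sta, rp, pmk=None):
        """('cached', pmk) if the RP already holds the station's key, else ('802.1X', new pmk)."""
        if pmk is not None and pmkid(pmk, rp, sta) in self.rp_keys[rp]:
            return "cached", pmk
        return "802.1X", self._dot1x(sta, rp)

    def disassociate(self, sta, pmk):
        if not self.pmk_caching:                # without PMK caching the key is discarded
            for rp in self.rps:
                self.rp_keys[rp].pop(pmkid(pmk, rp, sta), None)

    def preauthenticate(self, sta):
        return self._dot1x(sta, self.rps[0])    # 802.1X with this module before the roam

def roaming_scenario():
    sta = bytes.fromhex("001122334455")         # constructed station MAC
    m1 = Module([bytes.fromhex("000a00000001"), bytes.fromhex("000a00000002")])
    m2 = Module([bytes.fromhex("000b00000001")])
    how1, pmk = m1.associate(sta, m1.rps[0])           # first join: full 802.1X
    m1.disassociate(sta, pmk)
    how2, pmk = m1.associate(sta, m1.rps[0], pmk)      # back to same RP: PMK caching
    how3, pmk = m1.associate(sta, m1.rps[1], pmk)      # new RP, same module: OKC
    how4, _ = m2.associate(sta, m2.rps[0], pmk)        # other module has no key: 802.1X
    how5, _ = m2.associate(sta, m2.rps[0], m2.preauthenticate(sta))  # after pre-auth
    return [how1, how2, how3, how4, how5]
```

Disabling either mechanism on a Module (pmk_caching=False or okc=False) turns the corresponding "cached" roam back into a full 802.1X exchange, which is the cost the defaults avoid.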