WESM zl Management and Configuration Guide WT.01.28 and greater

Fast Layer 2 Roaming and Layer 3 Mobility
Overview
The 802.11i standard (on which WPA is modeled) includes a section on pre-authentication, a mechanism that speeds up Layer 2 roaming. A station can associate to only one RP and Wireless Edge Services zl Module at a time. However, the station can detect beacons from other RPs—including RPs connected to other modules. A station using pre-authentication listens for such beacons and pre-authenticates to other modules while it is still connected to its original module.
Because the station is still connected to its original module, its pre-authentication messages must pass through the original module, onto the wired network, and finally to the second module. These pre-authentication messages are the Extensible Authentication Protocol (EAP) messages required by 802.1X, and the station addresses them to the Basic Service Set Identifier (BSSID) of the WLAN on the RP to which it is pre-authenticating.
Enabling pre-authentication on a Wireless Edge Services zl Module lets the module listen for EAP messages that arrive on its internal uplink port and respond to those destined to its RPs. The station authenticates to the second module, and the module and the station set in place all the encryption keys necessary for WPA, before the station ever roams. Thus, when the station does roam, it does so very quickly (in less than 50 milliseconds).
Note: The EAP pre-authentication messages do not cross VLAN borders. Therefore, the two Wireless Edge Services zl Modules must assign the WLAN to the same subnetwork (VLAN). This requirement means that Layer 3 mobility, described in the next section, is seamless, but not fast.
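The pre-authentication path described above, as an added example that is not from the guide or from HP's own code: a small Python model of two modules in which a station associated to one module pre-authenticates to another through the wired network, and then roams either fast (keys already in place) or through a full 802.1X exchange. The EtherType 0x88C7 is the value 802.11i assigns to pre-authentication frames; the module names, VLAN numbers, BSSIDs and station address are constructed sample values.

```python
"""Model of 802.11i pre-authentication between two Wireless Edge Services modules."""
from dataclasses import dataclass, field

PREAUTH_ETHERTYPE = 0x88C7  # EtherType 802.11i assigns to pre-authentication EAPOL frames


@dataclass
class Module:
    name: str
    vlan: int                # VLAN the module assigns to the WLAN
    bssids: set              # BSSIDs of the RPs this module has adopted
    preauth_enabled: bool
    pmk_cache: set = field(default_factory=set)  # stations that completed 802.1X early

    def handle_uplink_frame(self, ethertype, dst_bssid, station, frame_vlan):
        """A frame seen on the module's internal uplink port.
        Returns True when the module completes pre-authentication for the station."""
        if ethertype != PREAUTH_ETHERTYPE or not self.preauth_enabled:
            return False
        if frame_vlan != self.vlan:        # pre-auth EAP frames do not cross VLAN borders
            return False
        if dst_bssid not in self.bssids:   # the module answers only frames for its own RPs
            return False
        self.pmk_cache.add(station)        # 802.1X done; WPA keys in place before the roam
        return True

    def roam_in(self, station):
        """Station reassociates to one of this module's RPs.
        'fast' when keys were pre-established, 'full' when 802.1X must run from scratch."""
        return "fast" if station in self.pmk_cache else "full"


def preauthenticate(home, target, station, target_bssid):
    """Station is associated to `home`; its pre-auth frame leaves through home's uplink
    onto the wired network, carried in the VLAN home assigns to the WLAN."""
    return target.handle_uplink_frame(PREAUTH_ETHERTYPE, target_bssid, station, home.vlan)


def demo():
    # Constructed sample topology: A and B share VLAN 10, C serves the WLAN on VLAN 20.
    mod_a = Module("A", vlan=10, bssids={"00:11:22:33:44:01"}, preauth_enabled=True)
    mod_b = Module("B", vlan=10, bssids={"00:11:22:33:44:02"}, preauth_enabled=True)
    mod_c = Module("C", vlan=20, bssids={"00:11:22:33:44:03"}, preauth_enabled=True)
    sta = "aa:bb:cc:dd:ee:ff"
    results = {
        "B_same_vlan": preauthenticate(mod_a, mod_b, sta, "00:11:22:33:44:02"),
        "C_other_vlan": preauthenticate(mod_a, mod_c, sta, "00:11:22:33:44:03"),
    }
    results["roam_to_B"] = mod_b.roam_in(sta)  # fast: keys were set up before the roam
    results["roam_to_C"] = mod_c.roam_in(sta)  # full: seamless at Layer 3, but not fast
    return results
```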
Layer 2 Roaming on a Web-Auth WLAN Between Different Wireless Edge Services zl Modules
Like 802.1X authentication, Web-Auth can complicate a roam between RPs adopted by different Wireless Edge Services zl Modules. The new module considers the roaming station a new, unauthenticated station, so it redirects the station’s Web browser to the login page. Because the user must reauthenticate, the roam is not seamless.
The best solution for roaming with Web-Auth is to have a single Wireless Edge Services zl Module adopt all RPs that support the WLAN in question. The RPs can range over an extensive area: Layer 3 adoption enables them to reach the module across subnetwork boundaries.
If necessary, however, you can enable seamless Layer 2 roaming for Web-Auth between different modules. Place all Wireless Edge Services zl Modules that support the Web-Auth WLAN in the same redundancy group. When a user authenticates to one module, that module uses the redundancy group communications to transmit the