Wireless Client Roaming

Hello.

As I’ve mentioned before, some Wireless topics aren’t covered by NW so I tend to create a new thread when talking about them. Is it okay if I create a new thread each time or should I post these questions to a specific wireless thread?

3.3.d Describe the main principles and use cases for Layer 2 and Layer 3 roaming

I always thought that roaming works like this - the same SSID/security parameters are configured on the WLC and the APs, the wireless station then associates to the second AP as the user walks from one BSS to another and that the subnet remains the same.

Then the book talks about L3 roaming (this isn’t a snippet from the book, it’s available for free on Google)

What exactly is this design? Why would there ever be an SSID like Staff that would have different subnets, depending on which AP you associate with? Wouldn’t you just configure your DHCP server to provide one subnet for each WLAN?

This kind of configuration indicates three things:

  1. The SSID is the same
  2. The security parameters such as the PSK are the same
  3. The VLAN mapped to that SSID and the subnet are different for both SSIDs

This seems like a very unusual way to design a wireless network; why would you ever want to do this?

Some more questions,

Does DHCP happen all the time or only sometimes or what is it dependent on?

The client authentication process presents the biggest challenge because the dialog between controller and a RADIUS server, in addition to the cryptographic keys that need to be generated and exchanged between the client and an AP or controller, can take a considerable amount of time to accomplish. Cisco controllers offer three techniques to minimize the time and effort spent on key exchanges during roams:

- Cisco Centralized Key Management (CCKM): One controller maintains a database of clients and keys on behalf of its APs and provides them to other controllers and their APs as needed during client roams. CCKM requires Cisco Compatible Extensions (CCX) support from clients.
- Key caching: Each client maintains a list of keys used with prior AP associations and presents them as it roams. The destination AP must be present in this list, which is limited to eight AP/key entries.
- 802.11r: This 802.11 amendment addresses fast roaming or fast BSS transition; a client can cache a portion of the authentication server’s key and present that to future APs as it roams. The client can also maintain its QoS parameters as it roams.

I haven’t covered much wireless security but I understand somewhat the last two, just not the first one. How exactly does CCKM operate?

Each client uses a unique encryption and decryption key, right? This key has to be derived somehow, right? Does the WLC just straight up tell the new AP (the one the client is roaming to) what the key is with CCKM?

Thank you.
David

Hello David

Creating a new thread for each one is great, it keeps the topics separate, and we can focus on each particular subject.

This is actually done often, and the reason is that you want to keep your broadcast domains as small as possible. Let me give you a real-world example. I am the network administrator at a cultural center in my city that hosts conferences. We have 63 access points, and conferences can have up to 2500 participants, where each participant may have 1 to 3 wireless devices. So we may have well over 3500 devices connecting to a single SSID throughout the facilities. Placing all of these devices in a single subnet, such as 192.168.0.0/20, would give a range of over 4000 IP addresses. However, this is bad practice, because it’s too many hosts in a single broadcast domain. A more efficient arrangement would be to divide the network into multiple subnets of /24 or /23, but no larger. If you want to keep the SSID the same throughout the topology, you would configure multiple VLANs/subnets mapping to the same SSID. You would do this on a per-access-point basis, however. So as in the second diagram, AP1 would be in one VLAN offering one subnet’s IP addresses, and AP2 would be in another VLAN offering another subnet’s addresses. Does that make sense?

DHCP renewal will happen if performing Layer 3 roaming, because the IP address of the client must be in the new subnet of the AP to which it connects. DHCP renewal may also take place if the client does not support 802.11r, which is the IEEE standard for fast roaming. In this case, the full authentication and association process is performed. Another case where DHCP may be triggered is if the WLAN has been configured to require this. There is an option on the WLC to require DHCP renewal when roaming. Otherwise, DHCP will not attempt to renew the IP address.

CCKM is a fast secure roaming method used in wireless LANs to minimize the authentication delay when a client roams from one AP to another. It allows the client to roam without reauthenticating fully, which helps with latency-sensitive applications like voice over WLAN. With CCKM, the WLC maintains a cache of client keys. When the client roams, the new AP requests the key info from the WLC. The client and new AP skip the full 802.1X process and simply rekey securely using pre-established material. This makes the roam nearly seamless and super fast — usually under 50ms. This however requires that the client device supports CCKM.

I hope this has been helpful!

Laz
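To tie the pieces of this thread together (the L2/L3 roam distinction and per-AP VLAN design in the question, the eight-entry key cache in the quoted book text, and the DHCP renewal triggers and CCKM behaviour in the answer), here is a small Python model of the roaming decisions. It is an added example, not code from this forum, from Cisco, or from the book; the AP names, VLAN numbers, subnets and the "key material" bytes are constructed, and the ordering of the fast-reauthentication paths (CCKM via the WLC cache first, then 802.11r, then the client-side key cache, then full authentication) is a simplifying assumption for illustration rather than a vendor-documented precedence.

```python
"""Toy model of WLAN client roaming: L2 vs L3 roam, which fast-reauthentication
path applies, and whether DHCP renewal is triggered.  Added illustration only;
rules follow the thread: same SSID everywhere, VLAN/subnet assigned per AP,
DHCP renewal on an L3 roam, on a full re-association, or when the WLAN is
configured to require it, and a client key cache limited to eight AP entries."""
from collections import OrderedDict
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

KEY_CACHE_LIMIT = 8  # quoted book text: the client's list is limited to eight AP/key entries


@dataclass
class AccessPoint:
    name: str            # constructed label, e.g. "AP1"
    ssid: str
    vlan: int            # VLAN mapped to the SSID on this particular AP
    subnet: IPv4Network  # subnet served to clients of this AP
    supports_80211r: bool = True


@dataclass
class Client:
    mac: str
    ip: IPv4Address
    supports_80211r: bool = False
    supports_cckm: bool = False
    # AP name -> key material from a prior association, oldest first
    key_cache: "OrderedDict[str, bytes]" = field(default_factory=OrderedDict)


@dataclass
class RoamResult:
    roam_type: str   # "L2" (same VLAN/subnet) or "L3" (client changes subnet)
    auth_path: str   # "cckm", "802.11r", "key-cache" or "full"
    dhcp_renew: bool


def remember_key(client: Client, ap_name: str, key: bytes) -> None:
    """Store key material for an AP; evict the oldest entry beyond the limit."""
    if ap_name in client.key_cache:
        client.key_cache.move_to_end(ap_name)
    client.key_cache[ap_name] = key
    while len(client.key_cache) > KEY_CACHE_LIMIT:
        client.key_cache.popitem(last=False)  # drop the least recently used AP


def classify_roam(client: Client, from_ap: AccessPoint, to_ap: AccessPoint,
                  wlc_key_cache: dict = None, wlan_requires_dhcp: bool = False) -> RoamResult:
    """Decide roam type, reauthentication path and DHCP behaviour for one roam."""
    if from_ap.ssid != to_ap.ssid:
        raise ValueError("different SSID: that is a new association, not a roam")
    # Same VLAN and subnet on both APs is an L2 roam; otherwise the subnet changes (L3).
    same_segment = from_ap.vlan == to_ap.vlan and from_ap.subnet == to_ap.subnet
    roam_type = "L2" if same_segment else "L3"

    wlc_key_cache = wlc_key_cache or {}
    if client.supports_cckm and client.mac in wlc_key_cache:
        auth_path = "cckm"        # WLC hands its cached key material to the new AP
    elif client.supports_80211r and to_ap.supports_80211r:
        auth_path = "802.11r"     # fast BSS transition
    elif to_ap.name in client.key_cache:
        auth_path = "key-cache"   # client presents a key from a prior association
    else:
        auth_path = "full"        # full authentication and association

    # DHCP renews on an L3 roam, on a full re-association, or if the WLAN requires it.
    dhcp_renew = roam_type == "L3" or auth_path == "full" or wlan_requires_dhcp
    return RoamResult(roam_type, auth_path, dhcp_renew)


def plan_subnets(block: IPv4Network, prefix: int = 24) -> list:
    """Split one large block into smaller broadcast domains, one per AP or AP group."""
    return list(block.subnets(new_prefix=prefix))


if __name__ == "__main__":
    # Constructed topology: one SSID "Staff", each AP in its own VLAN/subnet.
    ap1 = AccessPoint("AP1", "Staff", 10, IPv4Network("192.168.1.0/24"))
    ap2 = AccessPoint("AP2", "Staff", 20, IPv4Network("192.168.2.0/24"))
    phone = Client("00:11:22:33:44:55", IPv4Address("192.168.1.50"), supports_80211r=True)
    print(classify_roam(phone, ap1, ap2))
    print(len(plan_subnets(IPv4Network("192.168.0.0/20"))), "subnets of /24")
```

Running the block as a script prints the result of an L3 roam for an 802.11r-capable client (fast reauthentication, but DHCP still renews because the subnet changes) and shows Laz's sizing point: the /20 that would hold over 4000 hosts becomes sixteen /24 broadcast domains.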