Pre-authentication is a feature that allows a mobile device to authenticate with other Cisco Access Points (APs) that it may roam to in the future. To achieve this, the mobile station authentication frames are forwarded by the AP to the target AP, over the wired network. The first time a client associates to the network, the client must complete a full authentication. However, if the client knows where it will roam, the client can pre-authenticate to a new AP.
Pre-authentication is similar to IEEE 802.1X. The client performs an authentication through the new AP, which acts as the authenticator. The pre-authentication packets traverse through the existing AP to the new AP. Once the authentication is successful, the pre-authentication completes with a PMK security association established between the client and the new AP.
The fact that mobile stations can authenticate with several APs at any given time creates a considerable load on the authentication server. Also, pre-authentication is performed at the IEEE 802 layer; it does not work across IP subnets. For these reasons, the Cisco Aironet products and Airespace WLAN systems do not support pre-authentication.
Technical product specification / features
WLAN adapters (wireless card) / ACU (Aironet Client Utility)