Roaming among multi-vendor APs with WPA-PSK

Amjad Abdullah
VIP Alumni

Hello all,

I just have a small question:

Roaming among multi-vendor access points - is it supported with WPA(1,2)-PSK security SSIDs?
Sure, keeping in mind that the same SSID name and security and non-overlapping channel requirements are met.

In my humble understanding it should work! But because I am lacking information about the roaming process I am a bit confused.

The client, when it tries to roam, will send a reassociation message to the new AP. But how will the new AP respond to this reassociation? Does the reassociation message contain the PSK?

Or should the client send the PSK in an authentication message later after association? (This is not probable because auth is before association.)

So where does the auth part happen when a client joins an AP via reassociation? Should the new AP contact the old AP to get any information? (This is what I read during my search. It uses IAPP for communication between APs, but is this certified by Wi-Fi already?)

And finally, if there is a link that illustrates the whole process and message/info exchange, that would be nice.

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"
Accepted Solutions

Stephen Rodriguez
Cisco Employee

With just a PSK it should work. When the client roams it will send its PMK to the AP. So with just a PSK the client should roam fine so long as the key is the same on both, as the AP will check the PMK or the PSK on first association. So long as it matches the client should be fine, unless it forces a DHCP on the roam to the new AP, but even that should be pretty quick.

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

To piggy back on Steve's comment. In theory it should work, but I would test. More importantly, when a client roams the previous AP will buffer frames and send to the new AP you associate to. However, as you pointed out IAPP is almost never implemented. You could see a drop with sensitive applications.

The bigger question is what two vendors are you mixing access points with?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George:
Many thanks for your reply as well.

So 802.1F (IAPP) was never implemented? This of course will make some buffered packets get lost!

We have 3 APs actually. It is a home network, not a business one. One of the devices is a wireless router connected to the provider and the others are access points that are connected to the router through a switch and put in different rooms.

I got a bit curious because there will be packet drop anyway: what happens if I am using autonomous Cisco APs (say 1242) for a voice application and I am using an SSID with WPA/WPA2-PSK?

Will there be packet drops during roaming?
WDS is not needed or useful in this scenario because it is only useful to cache credentials when an authentication server exists. Am I right?

Rating useful replies is more useful than saying "Thank you"

Forgot to answer vendors:
If I remember correctly one is Huawei and one is Speedtouch and I forgot the third.
Will confirm about them.

Rating useful replies is more useful than saying "Thank you"

George:
Vendors of access points are:
Linksys, Huawei and Speedtouch.

Rating useful replies is more useful than saying "Thank you"

Steve,

Thanks a lot for clarification.

So as it should theoretically work, will there be any difference between WEP or WPA in this case?

You also said "as the AP will check the PMK or the PSK on first association". So does it check the PMK or the PSK? I think it only checks the PMK (which of course is derived from the PSK) and does not check the PSK itself. Correct?

Rating useful replies is more useful than saying "Thank you"

PSK -- Will always do a 4-way handshake during each roam. The PMK is your PSK. I blogged in detail about this here ... Give it a read..

http://www.my80211.com/8021x/2010/9/10/george-stefanick-cwsp-journey-chapter-5-keys-post4-9102010.html

Yes, you will lose packets and if you aren't on the same Layer 2 you will disconnect and re-IP. Your voice application cannot exceed 150ms. If you do you will hear it.

WDS is more for 802.1X, yes you are correct.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
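
Added example, not part of the thread or any poster's code: a Python sketch of the per-roam 4-way handshake up to the AP's check of message 2. Each AP derives the PMK locally from the shared passphrase and SSID and verifies the client through the MIC on message 2. The SSID, passphrases, MAC addresses and the message 2 body are constructed; a real MIC covers the full EAPOL-Key frame.

```python
import hashlib, hmac, os

def derive_pmk(passphrase, ssid):
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    # IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    # The PTK binds the PMK to this AP, this client and both fresh nonces
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK (CCMP)

def mic(ptk, frame):
    # WPA2 key descriptor version 2: HMAC-SHA1 keyed with the KCK, truncated to 16 bytes
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def roam(client_pass, ap_pass, ssid, ap_mac, sta_mac):
    """One handshake up to the AP's check of message 2. Returns (accepted, tk)."""
    anonce = os.urandom(32)                      # message 1: AP -> client
    snonce = os.urandom(32)                      # client picks its own nonce
    frame = b"constructed msg 2 body" + snonce   # stand-in for the EAPOL-Key frame
    client_ptk = derive_ptk(derive_pmk(client_pass, ssid), ap_mac, sta_mac, anonce, snonce)
    sent_mic = mic(client_ptk, frame)            # message 2 carries SNonce + MIC
    ap_ptk = derive_ptk(derive_pmk(ap_pass, ssid), ap_mac, sta_mac, anonce, snonce)
    ok = hmac.compare_digest(mic(ap_ptk, frame), sent_mic)
    return ok, ap_ptk[32:48]

if __name__ == "__main__":
    sta = bytes.fromhex("02aabbccdd01")          # constructed MAC addresses
    for name, bssid, ap_pass in [("AP-A", "020000000a01", "correct horse"),
                                 ("AP-B", "020000000b01", "correct horse"),
                                 ("AP-C", "020000000c01", "different key")]:
        ok, tk = roam("correct horse", ap_pass, "HomeNet", bytes.fromhex(bssid), sta)
        print(name, "accepted" if ok else "rejected", tk.hex() if ok else "")
```

AP-A and AP-B accept the client and each ends up with a different temporal key, while AP-C, configured with another passphrase, fails the MIC check.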

It seems a nice link and it deserves to be read of course. I'll go through it probably tomorrow.
Thanks a lot.

Rating useful replies is more useful than saying "Thank you"

George:

I read your link. It was very useful to me but I still have concerns:
The image of the PEAP traffic exchange (http://tiny.cc/ce1kb) shows two phases as "Phase 1". I think they meant the first part is Phase 1 and the second part is Phase 2, right?

Also, I can see two EAP-Success messages! One before the 4-way handshake and another after the handshake!

Which one is the correct EAP-Success message? Are there really 2 EAP-Success messages sent to the supplicant?
AFAIK there is only one message (either EAP-Success or EAP-Failure) sent to the supplicant! But if my information is not accurate please elaborate.

I could not contact the guy that has the APs of my main problem so I could not know the vendors for them by today. Maybe I'll be able to reach him by tomorrow.

Rating useful replies is more useful than saying "Thank you"