02-05-2012 04:47 AM - edited 07-03-2021 09:30 PM
Hello all,
I just have a small question:
Roaming among multi-vendor access points - is it supported with WPA(1,2)-PSK security SSIDs?
Sure, keeping in mind that the same SSID name and security and non-overlapping channel requirements are met.
In my humble understanding it should work! But because I am lacking information about the roaming process I am a bit confused.
The client, when it tries to roam, will send a reassociation message to the new AP. But how will the new AP respond to this reassociation? Does the reassociation message contain the PSK?
Or should the client send the PSK in an authentication message later, after association? (This is not probable because auth is before association.)
So where does the auth part happen when a client joins an AP via reassociation? Should the new AP contact the old AP to get any information? (This is what I read during my search. It uses IAPP for communication between APs, but is this certified by Wi-Fi already?)
And finally, if there is a link that illustrates the whole process and message/info exchange, that will be nice.
Thanks.
Amjad
02-05-2012 06:44 AM
With just a PSK it should work. When the client roams it will send its PMK to the AP. So with just a PSK the client should roam fine so long as the key is the same on both, as the AP will check the PMK or the PSK on first association. So long as it matches the client should be fine, unless it forces a DHCP on the roam to the new AP, but even that should be pretty quick.
Steve
Sent from Cisco Technical Support iPad App
02-05-2012 06:53 AM
To piggyback on Steve's comment. In theory it should work, but I would test. More importantly, when a client roams the previous AP will buffer frames and send to the new AP you associate to. However, as you pointed out IAPP is almost never implemented. You could see a drop with sensitive applications.
The bigger question is what two vendors are you mixing access points with?
02-05-2012 08:07 AM
George:
Many thanks for your reply as well.
So 802.1F (IAPP) is never implemented? This of course will make some buffered packets get lost!
We have 3 APs actually. It is a home network, not a business one. One of the devices is a wireless router connected to the provider and the others are access points that are connected to the router through a switch and put in different rooms.
I got a bit curious because there will be packet drops anyway. What happens if I am using autonomous Cisco APs (say 1242) for a voice application and I am using an SSID with WPA/WPA2-PSK?
Will there be packet drops during roaming?
WDS is not needed or useful in this scenario because it is only useful to cache credentials when an authentication server exists. Am I right?
02-05-2012 09:33 AM
Forgot to answer vendors:
If I remember correctly one is Huawei and one is Speedtouch, and I forgot the third.
Will confirm about them.
02-07-2012 11:31 PM
George:
Vendors of access points are:
Linksys, Huawei and Speedtouch.
02-05-2012 08:01 AM
Steve,
Thanks a lot for the clarification.
So as it should theoretically work, will there be any difference between WEP or WPA in this case?
You also said "as the AP will check the PMK or the PSK on first association". So does it check the PMK or the PSK? I think it only checks the PMK (which of course is derived from the PSK) and does not check the PSK itself. Correct?
02-05-2012 08:22 AM
PSK -- Will always do a 4 way handshake during each roam. The PMK is your PSK. I blogged in detail about this here ... Give it a read..
Yes, you will lose packets and if you aren't on the same Layer 2 you will disconnect and re-IP. Your voice application cannot exceed 150ms. If you do you will hear it.
WDS is more for 802.1X, yes you are correct.
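Added example, not part of any post in this thread: a Python sketch of the standard WPA2-PSK key derivation that the replies above refer to. It shows that two APs configured with the same SSID and passphrase derive the same PMK independently, that each AP still gets its own PTK from a fresh 4-way handshake, and that the AP checks a MIC rather than receiving the key itself. The MAC addresses, nonces, passphrases and frame body are constructed, and the MIC is computed over a placeholder body rather than a full EAPOL-Key frame.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2-Personal: 256-bit PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # 48-byte PTK for CCMP: KCK (16) | KEK (16) | TK (16)
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    # WPA2 (key descriptor version 2): HMAC-SHA1 keyed with the KCK, truncated to 16 bytes
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def ap_accepts(client_pass: str, ap_pass: str, ssid: str, ap_mac: bytes) -> bool:
    # Constructed values: station MAC, nonces and frame body are placeholders, not a capture.
    sta_mac = bytes.fromhex("020000000001")
    anonce = hashlib.sha256(b"anonce" + ap_mac).digest()
    snonce = hashlib.sha256(b"snonce" + ap_mac).digest()
    frame = b"constructed message-2 body" + snonce
    client_ptk = derive_ptk(pmk_from_passphrase(client_pass, ssid), ap_mac, sta_mac, anonce, snonce)
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_pass, ssid), ap_mac, sta_mac, anonce, snonce)
    # Only the MIC crosses the air; the AP recomputes it from its own PMK.
    return hmac.compare_digest(eapol_mic(client_ptk, frame), eapol_mic(ap_ptk, frame))

AP_A = bytes.fromhex("020000000a01")  # constructed BSSIDs for two APs sharing one SSID
AP_B = bytes.fromhex("020000000b01")
```

Because the PMK depends only on the passphrase and the SSID, the AP vendor does not enter into the derivation; the PTK does depend on the AP's MAC address and fresh nonces, which is why every roam repeats the handshake.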
02-05-2012 08:51 AM
It seems a nice link and it deserves to be read, of course. I'll go through it probably tomorrow.
Thanks a lot.
02-06-2012 04:40 AM
George:
I read your link. It was very useful to me but I am still having concerns:
The image of the PEAP traffic exchange (http://tiny.cc/ce1kb) shows two phases as "Phase 1". I think they meant the first part is Phase 1 and the second part is Phase 2, right?
Also, I can see two EAP-Success messages! One before the 4-way handshake and another after the handshake!
Which one is the correct EAP-Success message? Are there really 2 EAP-Success messages sent to the supplicant?
AFAIK there is only one message (either EAP-Success or EAP-Failure) sent to the supplicant! But if my information is not accurate please elaborate.
I could not contact the guy that has the APs of my main problem so I could not know the vendors for them by today. Maybe I'll be able to reach him by tomorrow.