Cisco 2504 Wireless Controller Technical Manual

!--- The Reassociation response is sent to the client, which
     includes the FT Mobility Domain IE.
*dot1xMsgTask: Jun 27 19:25:48.769: ec:85:2f:15:39:32
  Finishing FT roaming for mobile ec:85:2f:15:39:32
!--- FT roaming finishes and EAP is skipped (as well as any
     other key management handshake), so the client is ready
     to pass encrypted data frames with the current AP.
*dot1xMsgTask: Jun 27 19:25:48.769: ec:85:2f:15:39:32
  Skipping EAP-Success to mobile ec:85:2f:15:39:32
As shown in the capture, once Fast BSS Transition has been negotiated at the initial association to
the WLAN, the four frames that any roam already requires (Authentication from the client,
Authentication from the AP, Reassociation Request and Reassociation Response) are reused as the FT
equivalent of the 4-Way handshake: they carry the nonces and key identifiers needed to derive the new
PTK (unicast encryption key) and to deliver the GTK (multicast/broadcast encryption key), which the
AP sends inside the FT IE of the Reassociation Response, encrypted with the KEK. Note that in an FT
roam the two Authentication frames announce the FT authentication algorithm (value 2) rather than
Open System (value 0), which is how the target AP tells an FT roam apart from a fresh association.
This replaces the 4-Way handshake that would otherwise follow these frames, and the FT contents and
key negotiation carried in them are the same whether 802.1X/EAP or PSK is the security method. As
the capture shows, the main difference is the AKM suite in the RSN IE, which confirms whether the
client performs FT with PSK (FT-PSK) or with 802.1X (FT over 802.1X). Keep in mind that these four
frames do not normally carry any key-negotiation material at all; they do so only on FT roams, and
only if 802.11r is implemented on both sides and was negotiated between the client and the WLAN
infrastructure at the initial association.
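To make the key negotiation described above concrete, the following Python script is an added example (it is not code from the Cisco document or from any Cisco product) that implements the 802.11r FT key hierarchy as specified in IEEE 802.11-2012 11.6.1.7: PMK-R0 is derived once at the initial association from the AKM-dependent root key (the PSK for FT-PSK, the second 256 bits of the EAP MSK for FT over 802.1X), one PMK-R1 is derived per AP, and from that the PTK using the SNonce/ANonce carried in the FT Authentication frames. The SSID, MDID, R0KH-ID, AP MACs, nonces, passphrase and MSK are constructed sample inputs; the client MAC is the one from the debug output above, and using the AP BSSID as the R1KH-ID is an assumption about the deployment. The example goes slightly beyond the text by running both AKMs side by side so the AKM-dependent root key is visible.

```python
import hashlib
import hmac

# AKM suite selectors (OUI 00-0F-AC) that turn on FT
AKM_FT_8021X = 3   # FT authentication negotiated over IEEE 802.1X
AKM_FT_PSK = 4     # FT authentication using a PSK

# --- Constructed sample inputs (not from a real capture) ---
SSID = b"corp-ft"
MDID = bytes.fromhex("a1b2")            # Mobility Domain ID from the MDIE
R0KH_ID = b"wlc-2504"                   # R0KH-ID (controller NAS-ID), assumed
STA = bytes.fromhex("ec852f153932")     # client MAC from the debug output above
AP1 = bytes.fromhex("001122334455")     # current AP BSSID (used as R1KH-ID, assumed)
AP2 = bytes.fromhex("00112233aabb")     # target AP BSSID (used as R1KH-ID, assumed)
SNONCE = bytes(range(32))               # client nonce (FTIE of the Auth request)
ANONCE = bytes(range(32, 64))           # AP nonce (FTIE of the Auth response)
PSK = hashlib.pbkdf2_hmac("sha1", b"correct horse", SSID, 4096, 32)  # WPA2 PSK from passphrase
MSK = hashlib.sha512(b"stand-in for the EAP MSK").digest()            # 64 bytes, constructed


def kdf_sha256(key, label, context, length_bits):
    """KDF-Hash-Length (802.11-2012 11.6.1.7.2): HMAC-SHA-256 in counter mode,
    16-bit little-endian counter in front, 16-bit little-endian bit length behind."""
    out = b""
    length_le = length_bits.to_bytes(2, "little")
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = i.to_bytes(2, "little") + label + context + length_le
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]


def xxkey_for_akm(akm, psk=None, msk=None):
    """Root of the FT hierarchy: the AKM decides whether it is the PSK itself
    or the second 256 bits of the MSK produced by the EAP method."""
    if akm == AKM_FT_PSK:
        if psk is None or len(psk) != 32:
            raise ValueError("FT-PSK requires a 256-bit PSK")
        return psk
    if akm == AKM_FT_8021X:
        if msk is None or len(msk) < 64:
            raise ValueError("FT over 802.1X requires a 512-bit EAP MSK")
        return msk[32:64]
    raise ValueError("AKM %r does not use FT" % akm)


def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    """PMK-R0 and PMKR0Name, computed once at the initial association."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", ctx, 256 + 128)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmk_r0_name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]
    return pmk_r0, pmk_r0_name


def derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh_id, s1kh_id):
    """PMK-R1 and PMKR1Name for one AP (R1KH); the R0KH distributes it to that AP."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    pmk_r1_name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, pmk_r1_name


def derive_ptk(pmk_r1, pmk_r1_name, snonce, anonce, bssid, sta_addr, tk_len=16):
    """PTK = KCK || KEK || TK (CCMP: 16 + 16 + 16 bytes) plus PTKName."""
    ctx = snonce + anonce + bssid + sta_addr
    ptk = kdf_sha256(pmk_r1, b"FT-PTK", ctx, (32 + tk_len) * 8)
    ptk_name = hashlib.sha256(pmk_r1_name + b"FT-PTKN" + ctx).digest()[:16]
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:], "ptk_name": ptk_name}


def ft_roam(akm, target_bssid, psk=None, msk=None, sta=STA, snonce=SNONCE, anonce=ANONCE):
    """Run the whole chain for a roam to target_bssid and return every key."""
    xxkey = xxkey_for_akm(akm, psk=psk, msk=msk)
    pmk_r0, r0name = derive_pmk_r0(xxkey, SSID, MDID, R0KH_ID, sta)
    pmk_r1, r1name = derive_pmk_r1(pmk_r0, r0name, target_bssid, sta)
    ptk = derive_ptk(pmk_r1, r1name, snonce, anonce, target_bssid, sta)
    return {"pmk_r0": pmk_r0, "pmk_r0_name": r0name,
            "pmk_r1": pmk_r1, "pmk_r1_name": r1name, "ptk": ptk}


if __name__ == "__main__":
    for akm, kw in ((AKM_FT_PSK, {"psk": PSK}), (AKM_FT_8021X, {"msk": MSK})):
        first = ft_roam(akm, AP1, **kw)   # initial association
        roam = ft_roam(akm, AP2, **kw)    # FT roam to the second AP
        # PMK-R0 survives the roam; PMK-R1 and the PTK are per-AP
        print("AKM 00-0F-AC:%d  PMKR0Name %s" % (akm, first["pmk_r0_name"].hex()))
        print("  PMKR1Name AP1 %s  AP2 %s" % (first["pmk_r1_name"].hex(), roam["pmk_r1_name"].hex()))
        print("  TK        AP1 %s  AP2 %s" % (first["ptk"]["tk"].hex(), roam["ptk"]["tk"].hex()))
```

The point to take from the output is structural: the PMK-R0 (and its name) is identical for the initial association and the roam, so no EAP exchange or PSK handshake is needed again, while the PMK-R1 and PTK change with the target AP. Real roams use fresh nonces on every exchange; the same constants are reused here only to keep the comparison readable.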
Fast BSS Transition Over-the-DS
802.11r also allows a second form of Fast BSS Transition, in which the client initiates the FT roam to
the new AP Over-the-DS (Distribution System) rather than Over-the-Air. In this case FT Action frames,
instead of the Authentication frames, are used to start the key negotiation.
Once the client decides it may roam to a better AP, it sends an FT Action Request frame to the
original AP (the one it is currently associated with), indicating the BSSID (MAC address) of the
target AP to which it wants to FT roam. The original AP forwards the FT Action Request to the target
AP over the Distribution System (normally the wired infrastructure); the target AP answers with an FT
Action Response, again over the DS to the original AP, which finally delivers it over the air to the
client. Once this FT Action exchange succeeds, the client completes the FT roam: it sends the
Reassociation Request directly to the target AP over the air and receives the Reassociation Response
from the new AP, which confirms the roam and the final key derivation.
In summary, there are still four frames to negotiate Fast BSS Transition and derive the new encryption
keys, but here the Authentication frames are replaced by the FT Action Request/Response frames, which
reach the target AP over the Distribution System by way of the current AP. This method is also valid
for both security methods, 802.1X/EAP and PSK, and both are supported by the Cisco Wireless LAN
Controllers. However, since Over-the-DS transition is not supported or implemented by most wireless
clients in the Wi-Fi industry (and since the frame exchange and debug outputs are otherwise basically
the same), no examples are provided in this document. Instead, this image is used to visualize Fast
BSS Transition Over-the-DS:
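Two things this page relies on are visible only inside information elements: the AKM suite that tells FT-PSK apart from FT over 802.1X (in the RSN IE), and whether the infrastructure advertises Over-the-DS at all (bit 0, "Fast BSS Transition over DS", of the FT Capability and Policy field in the Mobility Domain IE, per IEEE 802.11-2012 8.4.2.49). The Python parser below is an added example and not code from the Cisco document; it decodes constructed IE bytes (not taken from the document's capture) of the kind found in Beacons, Probe Responses and the FT Authentication/Reassociation frames discussed above, and reports which FT AKM was selected and whether Over-the-DS is offered. It also rejects truncated IEs, which is the usual failure when such fields are read from a capture by hand.

```python
EID_RSN = 48     # RSN information element
EID_MDIE = 54    # Mobility Domain information element
OUI_IEEE = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}

# --- Constructed IE bytes (not from the document's capture) ---
# RSNE: version 1 | group CCMP | 1 pairwise: CCMP | 1 AKM | RSN capabilities 0
RSNE_FT_8021X = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac03 0000")
RSNE_FT_PSK = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac04 0000")
RSNE_PLAIN_PSK = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
# MDIE: MDID a1b2 | FT Capability and Policy (bit 0 = over-the-DS, bit 1 = resource request)
MDIE_OVER_DS = bytes.fromhex("3603 a1b2 01")
MDIE_OVER_AIR_ONLY = bytes.fromhex("3603 a1b2 00")


def iter_ies(data):
    """Yield (element_id, body) from a run of TLV information elements."""
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        body = data[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated IE %d" % eid)
        yield eid, body
        pos += 2 + length


def _u16(body, pos):
    if pos + 2 > len(body):
        raise ValueError("truncated RSN IE")
    return int.from_bytes(body[pos:pos + 2], "little")


def parse_rsn_akms(body):
    """AKM suite names from an RSN IE body:
    version(2) | group cipher(4) | pairwise count(2) | pairwise(4*n) | AKM count(2) | AKM(4*m) | ..."""
    if _u16(body, 0) != 1:
        raise ValueError("unsupported RSN version")
    pos = 2 + 4                          # skip version and group cipher suite
    pairwise_count = _u16(body, pos)
    pos += 2 + 4 * pairwise_count        # skip pairwise cipher list
    akm_count = _u16(body, pos)
    pos += 2
    akms = []
    for _ in range(akm_count):
        suite = body[pos:pos + 4]
        if len(suite) != 4:
            raise ValueError("truncated AKM list")
        if suite[:3] == OUI_IEEE:
            akms.append(AKM_NAMES.get(suite[3], "00-0F-AC:%d" % suite[3]))
        else:
            akms.append(suite.hex())     # vendor-specific selector, left raw
        pos += 4
    return akms


def parse_mdie(body):
    """MDID plus the FT Capability and Policy bits."""
    if len(body) != 3:
        raise ValueError("MDIE must be 3 bytes")
    return {"mdid": body[0:2].hex(),
            "over_ds": bool(body[2] & 0x01),
            "resource_request": bool(body[2] & 0x02)}


def classify_ft(ies):
    """What an (re)association negotiated: FT needs an FT AKM in the RSNE and an
    MDIE; the MDIE alone says nothing about the key management method."""
    info = {"ft": False, "akm": None, "mdid": None, "over_ds": False}
    for eid, body in iter_ies(ies):
        if eid == EID_MDIE:
            md = parse_mdie(body)
            info["mdid"], info["over_ds"] = md["mdid"], md["over_ds"]
        elif eid == EID_RSN:
            ft_akms = [a for a in parse_rsn_akms(body) if a.startswith("FT-")]
            if ft_akms:
                info["akm"] = ft_akms[0]
    info["ft"] = info["akm"] is not None and info["mdid"] is not None
    return info


if __name__ == "__main__":
    for label, ies in (("FT over 802.1X, over-the-DS offered", RSNE_FT_8021X + MDIE_OVER_DS),
                       ("FT-PSK, over-the-air only", RSNE_FT_PSK + MDIE_OVER_AIR_ONLY),
                       ("plain WPA2-PSK, no MDIE", RSNE_PLAIN_PSK)):
        print(label, "->", classify_ft(ies))
```

When reading a real capture, the same two checks apply: the Authentication and Reassociation frames of an FT roam carry an RSN IE whose AKM is 00-0F-AC:3 or 00-0F-AC:4, and a client can only attempt Over-the-DS if the AP's MDIE has the over-DS bit set and the client itself implements it.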