6 - 16 WiNG 5.5 Access Point System Reference Guide
9. Define the Fast Roaming configuration used only with 802.1x EAP-WPA/WPA2 authentication.
Using 802.11i can speed up the roaming process from one access point to another. Instead of doing a complete 802.1x
authentication each time a client roams between access points, 802.11i allows a client to re-use previous PMK
authentication credentials and perform a four-way handshake. This speeds up the roaming process. In addition to reusing
PMKs on previously visited access points, Opportunistic Key Caching allows multiple access points to share PMKs
amongst themselves. This allows a client to roam to an access point it has not previously visited and reuse a PMK from
another access point to skip 802.1x authentication.
10. Set the following Advanced settings for the WPA/WPA2-TKIP encryption scheme:
NOTE: Fast Roaming is available only when the authentication is EAP or EAP-PSK and
the selected encryption is either WPA/WPA2-TKIP or WPA-CCMP.
Pre-Authentication Selecting this option enables an associated client to carry out an 802.1x authentication
with another access point before it roams to it. This enables a roaming client to send and
receive data sooner by not having to conduct an 802.1x authentication after roaming.
With pre-authentication, a client can perform an 802.1X authentication with other
detected access points while still connected to its current access point. When a device
roams to a neighboring access point, the device is already authenticated on the access
point, thus providing faster re-association.
Pairwise Master Key
(PMK) Caching
Pairwise Master Key (PMK) Caching is a technique for sidestepping the need to
re-establish security each time a client roams to a different switch. Using PMK caching,
clients and switches cache the results of 802.1X authentications. Therefore, access is
much faster when a client roams back to a switch to which the client is already
authenticated.
Opportunistic Key
Caching
This option enables the access point to use a PMK derived with a client on one access
point, with the same client when it roams over to another access point. Upon roaming,
the client does not have to do 802.1x authentication and can start sending and receiving
data sooner.
TKIP Countermeasure
Hold Time
The TKIP Countermeasure Hold Time is the time a WLAN is disabled, if TKIP
countermeasures have been invoked on the WLAN. Use the drop-down menu to define a
value in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default setting
is 60 seconds.
Exclude WPA2-TKIP Select this option to advertise and enable support for only WPA-TKIP. This option can be
used if certain older clients are not compatible with newer WPA2-TKIP information
elements. Enabling this option allows backwards compatibility for clients that support
WPA-TKIP and WPA2-TKIP, but do not support WPA2-CCMP. Motorola Solutions
recommends enabling this feature if WPA-TKIP or WPA2-TKIP supported clients operate
in a WLAN populated by WPA2-CCMP enabled clients. This feature is disabled by default.
Use SHA256 Select this option to enable SHA-256 authentication key management suite. This suite
consists of a set of algorithms for key agreement, key derivation, key wrapping, and
content encryption and provide a minimum cryptographic security level of 128 bits.
To Next Page
Loading...
