> >> The supplicant needs to authenticate anytime it wishes to get L2 access.
> >> It is an extension of the Authenticate & Associate MAC processes.
> >
> > Why is the authentication done every single time an L2 handoff occurs?
> > Usually for 802.11b, I can cover a building floor with about two or three
> > APs, and for 802.11a each AP covers an even smaller area. This means that
> > I will have to authenticate even if I move "from one room to another"
> > (exaggeration!). This to me sounds like an unnecessary overhead.
>
> There is a fundamental authentication/security problem you are glossing over:
> How does the AP you roam to know who you are?
> How does one AP know you authenticated against another?
> How does the new AP know the session key you were using with the prior one?
> If it doesn't, how to make a new one?
> How does that AP trust the other AP?
> How does it know you are really the same station,
> and not some hacker spoofing the same MAC address?
>
> Answer those questions thoroughly and you will be on the way to solving the
> roaming problem.

The assumption made here is that the authenticator is the AP. I believe things
would be much easier and still safe if one authenticator would control a group
of APs and not just be one itself. This group of APs could be a subnet or a
smaller group, but at least within this group the handoff would be much faster.
The authenticator would act in the same way except that it would do the job for
a group of APs and not for just one. If this were done then all the questions
above would have their answers. What is your opinion?

Andrea

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
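The following is an added toy model of the proposal above (one authenticator serving a group of APs); it is not code from the thread or from FreeRADIUS. A station authenticates fully once (a stand-in for EAP over 802.1X), after which any AP in the same group can complete a fast handoff: the authenticator looks up the cached session key and the station proves possession of it with an HMAC over a fresh challenge bound to the target AP's name. An AP under a different authenticator has no cached key, so a full authentication is required again, and a second station claiming the same MAC without the key is rejected on both paths. All names, MAC addresses and secrets are constructed for the example.

```python
"""Constructed model: one authenticator caches session keys for a group of APs.

Fast handoff = challenge/response with the cached key, bound to the target AP.
Full authentication = station proves its long-term secret (stand-in for EAP).
"""
import hashlib
import hmac
import secrets


class Authenticator:
    """Authenticator for a group of APs; caches one session key per station MAC."""

    def __init__(self, name, aps, credentials):
        self.name = name
        self.aps = set(aps)                   # APs this authenticator serves
        self.credentials = dict(credentials)  # mac -> long-term secret (constructed)
        self.sessions = {}                    # mac -> cached session key
        self.full_auths = 0                   # counts the expensive path

    def full_authenticate(self, mac, secret):
        """Full authentication; returns a fresh session key or None on failure."""
        if not hmac.compare_digest(self.credentials.get(mac, b""), secret):
            return None
        self.full_auths += 1
        key = secrets.token_bytes(32)
        self.sessions[mac] = key
        return key

    def new_challenge(self):
        """Fresh nonce per handoff so a captured response cannot be replayed."""
        return secrets.token_bytes(16)

    def verify_handoff(self, ap, mac, challenge, response):
        """Fast path: AP must be in the group and the station must know the cached key."""
        if ap not in self.aps:
            return False
        key = self.sessions.get(mac)
        if key is None:
            return False  # no cached key here: station never authenticated with us
        expected = hmac.new(key, challenge + ap.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Station:
    """Supplicant that keeps the session key issued by its last full authentication."""

    def __init__(self, mac, secret):
        self.mac = mac
        self.secret = secret
        self.key = None

    def respond(self, challenge, ap):
        if self.key is None:
            return b""  # nothing to prove with; the fast path will fail
        return hmac.new(self.key, challenge + ap.encode(), hashlib.sha256).digest()


def associate(station, auth, ap):
    """Try the fast handoff first, then fall back to full authentication.

    Returns "fast", "full" or "rejected" so a caller can see which path was taken.
    """
    challenge = auth.new_challenge()
    if auth.verify_handoff(ap, station.mac, challenge, station.respond(challenge, ap)):
        return "fast"
    key = auth.full_authenticate(station.mac, station.secret)
    if key is None:
        return "rejected"
    station.key = key
    return "full"


def roaming_demo():
    """Walk a station across one group of APs, then into a second group."""
    mac = "00:11:22:33:44:55"          # constructed
    secret = b"station-long-term-secret"  # constructed
    floor_a = Authenticator("floorA", ["ap1", "ap2", "ap3"], {mac: secret})
    floor_b = Authenticator("floorB", ["ap4"], {mac: secret})
    sta = Station(mac, secret)
    spoofer = Station(mac, b"wrong-secret")  # same MAC, no key, wrong secret
    trace = [
        ("ap1", associate(sta, floor_a, "ap1")),        # first contact: full
        ("ap2", associate(sta, floor_a, "ap2")),        # same group: fast
        ("ap3", associate(sta, floor_a, "ap3")),        # same group: fast
        ("ap4", associate(sta, floor_b, "ap4")),        # other authenticator: full
        ("ap2-spoof", associate(spoofer, floor_a, "ap2")),  # rejected
    ]
    return trace, floor_a.full_auths, floor_b.full_auths


if __name__ == "__main__":
    for ap, outcome in roaming_demo()[0]:
        print(f"{ap}: {outcome}")
```

Binding the HMAC to the target AP name and using a fresh challenge each time is what lets the authenticator answer the "is this really the same station, or just the same MAC?" question from the quoted reply: MAC alone proves nothing, possession of the cached key does. The trade-off the model makes visible is that the fast path only exists inside one authenticator's group; crossing into another group is a full authentication again.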