Fascinating discussion .. thanks for all the comments and
suggestions.
Clearly AP transitions in an authenticated WLAN are very
costly. We'll continue tuning the AP deployment to see if
we can minimize them (as Julian is doing on his campus). But
judging from this thread, a large part of the problem of
excessive transitions may be attributable to the widespread
existence of poorly implemented wireless NICs and drivers.
If that's the case, this seems to be a difficult problem
to fix in the near term. And until there is a widespread fix,
I'm now thinking we may have to redesign our authenticated
WLANs for far more efficient roaming (e.g. short-circuiting
the heavyweight authentication as much as possible).
I'll list some techniques I can think of:

- Fast reconnect (EAP method specific):
  e.g. TLS session resumption for methods that use TLS
  (EAP-TLS/TTLS/PEAP etc). Incidentally, our RADIUS
  server claims to have this turned on by default, but
  I have yet to see any evidence that it's being used,
  so perhaps the client software doesn't support it.

- PMK caching:
  Both AP and station cache the PMK that was derived from
  prior EAP authentications and can reuse that if they
  reassociate in the near future. This completely short
  circuits the EAP/802.1X authentication, so probably has
  great performance. On the other hand it has implications
  for accurate centralized user accounting - civil libertarians
  and privacy advocates would call that a feature though :-)

- Fast handoff:
  By this I mean schemes where, during reassociation,
  the currently associated AP transfers the security context
  of the session to the target AP. IAPP and the various IAPP-like
  vendor proprietary schemes fall into this category.
  It isn't clear to me how these fast handoff schemes interoperate
  with the wireless security standard (i.e. WPA and 802.11i),
  where each new STA,AP pair would need a fresh PMK to establish
  a secure association. And obtaining a fresh PMK requires a full
  EAP authentication between the client and the RADIUS server.

- 802.11r:
  Since this spec is still under development, I doubt this
  is a practical option. But I think the idea is that stations
  pre-authenticate themselves to candidate APs in the vicinity.

- WLAN switches that can short circuit the authentication to the
  back-end EAP server, and enable security context transfer
  between their managed APs in some fashion.
Any other notable schemes I'm missing? Which of these is actually
deployable today, given availability of working implementations?
Feel free to name specific vendors.
Also, let me know if I'm out in left field with this thinking ..
MERU was recommended several times in this thread. Would anyone
care to provide a brief technical sketch of their architecture?
Or provide a link to a technical white paper with the details?
--Shumon.
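The PMK caching item in the list above is the one that can be shown concretely in a few lines, so here is an added worked example; it is not part of Shumon's message, nor any AP vendor's or RADIUS server's code. The PMKID derivation (HMAC-SHA1 truncated to 128 bits over the string "PMK Name", the AP MAC and the station MAC) is the one defined in IEEE 802.11i-2004; everything else is constructed for illustration: the per-AP cache with a lifetime bound, the stand-in full_eap_authentication() that simply draws a fresh 256-bit PMK in place of a real EAP/RADIUS exchange, the MAC addresses, and the roaming timeline replayed by simulate_roam().

```python
import hashlib
import hmac
import os

# Fixed label from IEEE 802.11i-2004 (RSN key hierarchy); the rest of this
# file is a constructed simulation, not a real supplicant or authenticator.
PMK_NAME = b"PMK Name"


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    AA is the authenticator (AP) MAC address, SPA the supplicant (station) MAC.
    The station advertises this value in the RSN IE of its (Re)Association
    Request so the AP can look up a cached PMKSA without a new EAP exchange."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6:
        raise ValueError("PMK must be 32 bytes, MAC addresses 6 bytes")
    return hmac.new(pmk, PMK_NAME + aa + spa, hashlib.sha1).digest()[:16]


class PMKSACache:
    """Per-AP cache of PMK security associations keyed by PMKID.
    The lifetime bound is a hypothetical policy knob for this example; it
    limits how long a station can keep re-using one EAP authentication."""

    def __init__(self, lifetime_s: float):
        self.lifetime_s = lifetime_s
        self._entries = {}  # pmkid -> (pmk, expiry time)

    def insert(self, pmk: bytes, aa: bytes, spa: bytes, now: float) -> bytes:
        pid = pmkid(pmk, aa, spa)
        self._entries[pid] = (pmk, now + self.lifetime_s)
        return pid

    def lookup(self, pid: bytes, now: float):
        """Return the cached PMK, or None if unknown or expired (expired
        entries are evicted so a stale PMKID can never be re-used)."""
        entry = self._entries.get(pid)
        if entry is None:
            return None
        pmk, expiry = entry
        if now >= expiry:
            del self._entries[pid]
            return None
        return pmk


def full_eap_authentication(counter: dict) -> bytes:
    """Stand-in for the slow path: an EAP/802.1X exchange with the RADIUS
    server (constructed; it only draws a fresh 256-bit PMK). counter['eap']
    records how often the back-end server is actually consulted."""
    counter["eap"] += 1
    return os.urandom(32)


def simulate_roam(visits, lifetime_s: float, spa: bytes = b"\x00\x11\x22\x33\x44\x55") -> dict:
    """Replay a station with MAC `spa` reassociating to APs over time.
    visits: list of (ap_mac, time_in_seconds). Returns how many visits hit
    the PMK cache versus needing a full EAP authentication."""
    ap_caches = {}      # aa -> PMKSACache, one per AP
    station_cache = {}  # aa -> (pmk, pmkid) held by the supplicant
    counter = {"eap": 0, "hit": 0}
    decisions = []
    for aa, now in visits:
        cache = ap_caches.setdefault(aa, PMKSACache(lifetime_s))
        pmk = None
        if aa in station_cache:
            # Station offers the PMKID it remembers for this AP.
            _, pid = station_cache[aa]
            pmk = cache.lookup(pid, now)
        if pmk is not None:
            # Cache hit: straight to the 4-way handshake. Note the RADIUS
            # server is never consulted here, which is exactly the accounting
            # gap raised in the message above.
            counter["hit"] += 1
            decisions.append("pmk_cache_hit")
        else:
            pmk = full_eap_authentication(counter)
            pid = cache.insert(pmk, aa, spa, now)
            station_cache[aa] = (pmk, pid)
            decisions.append("full_eap")
        # In both branches the 4-way handshake would now derive the PTK from pmk.
    return {"eap_runs": counter["eap"], "cache_hits": counter["hit"], "decisions": decisions}


if __name__ == "__main__":
    ap1 = b"\x00\x0a\x0b\x0c\x0d\x01"  # constructed AP MAC addresses
    ap2 = b"\x00\x0a\x0b\x0c\x0d\x02"
    timeline = [(ap1, 0), (ap2, 5), (ap1, 10), (ap2, 15), (ap1, 100)]
    print(simulate_roam(timeline, lifetime_s=60))
```

Run as a script, the timeline shows the third and fourth reassociations skipping EAP entirely, while the fifth (after the 60 s lifetime) falls back to a full authentication. Two points for anyone deploying this: the cache lifetime is the only thing bounding how long a single back-end authorization decision stays in force, so a revoked account keeps roaming until its PMKSAs expire; and because cache hits never touch the RADIUS server, per-AP session accounting has to come from the AP or controller rather than from RADIUS accounting records.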
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.