Fascinating discussion .. thanks for all the comments and suggestions. Clearly AP transitions in an authenticated WLAN are very costly. We'll continue tuning the AP deployment to see if we can minimize them (as Julian is doing on his campus). But judging from this thread, a large part of the problem of excessive transitions may be attributable to the widespread existence of poorly implemented wireless NICs and drivers.
If that's the case, this seems to be a difficult problem to fix in the near term. And until there is a widespread fix, I'm now thinking we may have to redesign our authenticated WLANs for far more efficient roaming (e.g. short-circuiting the heavyweight authentication as much as possible). I'll list some techniques I can think of:

- Fast reconnect (EAP method specific): e.g. TLS session resumption for methods that use TLS (EAP-TLS/TTLS/PEAP etc.). Incidentally, our RADIUS server claims to have this turned on by default, but I have yet to see any evidence that it's being used, so perhaps the client software doesn't support it.

- PMK caching: Both AP and station cache the PMK that was derived from prior EAP authentications and can reuse that if they reassociate in the near future. This completely short-circuits the EAP/802.1X authentication, so probably has great performance. On the other hand it has implications for accurate centralized user accounting - civil libertarians and privacy advocates would call that a feature though :-)

- Fast handoff: By this I mean schemes where, during reassociation, the currently associated AP transfers the security context of the session to the target AP. IAPP and the various IAPP-like vendor proprietary schemes fall into this category. It isn't clear to me how these fast handoff schemes interoperate with the wireless security standard (i.e. WPA and 802.11i), where each new STA,AP pair would need a fresh PMK to establish a secure association. And obtaining a fresh PMK requires a full EAP authentication between the client and the RADIUS server.

- 802.11r: Since this spec is still under development, I doubt this is a practical option. But I think the idea is that stations pre-authenticate themselves to candidate APs in the vicinity.

- WLAN switches that can short-circuit the authentication to the back-end EAP server, and enable security context transfer between their managed APs in some fashion.

Any other notable schemes I'm missing?
Which of these is actually deployable today, given availability of working implementations? Feel free to name specific vendors. Also, let me know if I'm out in left field with this thinking .. MERU was recommended several times in this thread. Would anyone care to provide a brief technical sketch of their architecture? Or provide a link to a technical white paper with the details?

--Shumon.

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
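As an added illustration of the PMK caching option discussed above (example code written for this page, not from the thread or any vendor), the following toy model shows how a station and two APs reuse a cached PMKSA on reassociation and fall back to a full EAP run only when neither side holds a usable entry. The PMKID construction is 802.11i's (HMAC-SHA1-128 over "PMK Name", the AP address and the station address); the PMK lifetime, the MAC addresses and the roaming timeline are constructed values, and the RADIUS server is a stand-in that only counts full authentications. That counter is the point: on a cache hit the back end sees nothing, which is exactly why centralized accounting keyed on authentication events undercounts once PMK caching is on.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed for this example: 802.11i's default PMK lifetime
# (dot11RSNAConfigPMKLifetime) is 43200 s; a shorter value keeps the timeline readable.
PMK_LIFETIME_S = 3600


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """802.11i PMK identifier: HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


@dataclass
class PMKSA:
    """One cached security association: the PMK, its name, and when it was created."""
    pmk: bytes
    pmkid: bytes
    created: float
    lifetime: float = PMK_LIFETIME_S

    def expired(self, now: float) -> bool:
        return now - self.created > self.lifetime


class RadiusServer:
    """Stand-in for the EAP server; only counts how many full authentications it ran."""
    def __init__(self) -> None:
        self.full_auths = 0

    def eap_authenticate(self, sta_mac: bytes) -> bytes:
        self.full_auths += 1
        return os.urandom(32)  # a real PMK is derived from the EAP method's MSK


class AccessPoint:
    """Authenticator with a PMKSA cache keyed by PMKID."""
    def __init__(self, bssid: bytes, radius: RadiusServer) -> None:
        self.bssid = bssid
        self.radius = radius
        self.cache = {}  # pmkid -> PMKSA

    def associate(self, sta_mac: bytes, offered_pmkids: list, now: float) -> tuple:
        # The station listed PMKIDs in its (re)association RSN IE; honour one we still hold.
        for pid in offered_pmkids:
            sa = self.cache.get(pid)
            if sa is not None and not sa.expired(now):
                return sa, "pmksa-cache"
        # Otherwise run the full 802.1X/EAP exchange and cache the resulting PMKSA.
        pmk = self.radius.eap_authenticate(sta_mac)
        sa = PMKSA(pmk, pmkid(pmk, self.bssid, sta_mac), now)
        self.cache[sa.pmkid] = sa
        return sa, "full-eap"


class Station:
    """Supplicant with a PMKSA cache keyed by AP BSSID."""
    def __init__(self, mac: bytes) -> None:
        self.mac = mac
        self.cache = {}  # bssid -> PMKSA

    def roam_to(self, ap: AccessPoint, now: float) -> str:
        offered = []
        sa = self.cache.get(ap.bssid)
        if sa is not None and not sa.expired(now):
            offered.append(sa.pmkid)
        ap_sa, path = ap.associate(self.mac, offered, now)
        if path == "full-eap":
            # In reality the supplicant derives the same PMK from its own EAP run.
            self.cache[ap.bssid] = ap_sa
        # The 4-way handshake follows on both paths and only succeeds with a shared PMK.
        assert self.cache[ap.bssid].pmk == ap_sa.pmk
        return path


def simulate_roaming() -> tuple:
    """Constructed timeline: two APs, one station, several reassociations (seconds)."""
    radius = RadiusServer()
    ap1 = AccessPoint(bytes.fromhex("02000000aa01"), radius)
    ap2 = AccessPoint(bytes.fromhex("02000000aa02"), radius)
    sta = Station(bytes.fromhex("020000005701"))
    paths = [
        sta.roam_to(ap1, now=0),     # first contact: full EAP
        sta.roam_to(ap2, now=60),    # new AP, no shared PMK: full EAP again
        sta.roam_to(ap1, now=120),   # back to AP1 within lifetime: cache hit
        sta.roam_to(ap2, now=180),   # back to AP2: cache hit
        sta.roam_to(ap1, now=5000),  # AP1 entry expired on both sides: full EAP
    ]
    return paths, radius.full_auths
```

Running `simulate_roaming()` yields two full authentications for the first two APs, two cache hits for the return trips, and a third full run once the first entry has aged out, so the RADIUS side records three authentications for five associations. Note that the cache is per (station, AP) pair: a station that has never touched a given AP still pays the full EAP cost there, which is the gap the fast-handoff and 802.11r approaches above try to close.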