Here's an example of the Intel 2100 roaming algorithm. This is an old card and EOLd but is sheds some light on why it has major problems...
When the device driver first connects, a timer is started - a roam will not occur until the timer expires. As the connection quality may degrade, the timer is reduced (13 minutes, 4 minutes, 2 minutes, 30 seconds, then 10seconds). Example: Two AP's 150' apart. The user us near AP1 and makes connection. Timer is initially set to 13 minutes. The user moves towards AP2. The signal quality to AP1 decreases and the timer drops to 4 minutes, and then 2 minutes as the user comes near AP2. So now the user is near AP2 and still connected to AP1 (with a decent connection, so the timer does not decrease further) - the roam to AP2 will not occur until the 2 minute timer expires. There are no adjustments to the roaming behavior. Old driver versions make most wireless NIC perform extremely bad in a dense deployment. -Emerson -----Original Message----- From: Shumon Huque [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 27, 2006 4:16 PM To: [email protected] Subject: [WIRELESS-LAN] Frequent reassociations/reauthentications in 802.1x WLAN We rolled out a WPA/802.1x authenticated WLAN to our student residences this semester. We're using EAP-TTLS with PAP as the inner authentication protocol. The EAP servers are a set of centralized RADIUS servers that perform Kerberos5 password verification to our KDCs in the backend. We've noticed several problems that we didn't observe when we had it running on a much smaller scale in our own offices. A large number of users seem to be repeatedly authenticating, some of them as frequently as every 30 seconds or every few minutes. Some debugging revealed that these users are frequently oscillating their associations between a number of different access points. A smaller number of users keep reassociating with the same access point. This is causing a very large load on the authentication server infrastructure, which we've temporarily worked around by load balancing the APs across additional RADIUS servers. However, we're also assuming that this is causing lots of user visible performance problems due to roaming latency (scan, reassociate, authenticate, 802.11i handshake, DHCP address acquisition etc). Surprisingly, not many users have complained. Perhaps they are only browsing the web or using other non- interactive apps which can tolerate delay. Or they might simultaneously have a wired ethernet connection. Is frequent reassociation the normal behavior in a dense deployment of APs? I can understand that it might be for highly mobile stations like wireless VoIP phones. But our environment is composed of mostly stationary wireless laptops in student rooms. My assumption was that roaming typically happened when a user moves towards a stronger signal AP and at some configured signal quality threshold, the station started scanning for a better AP. Am I wrong? Or is this more likely something in our radio environment or insufficient coverage etc? Our wireless LAN engineers are currently investigating this, but I'd be interested to hear the experience of others. Do we need a fast roaming solution to deal with this? Having access points and stations able to cache the PMK (Pairwise Master Key) would probably help the best, as that would allow them to often establish a secure association without conducting a heavyweight authentication dialog with the RADIUS server. But I'm not sure if access points or typical endstations support this. TLS session resumption will probably help a bit also (if supported). We use cisco aironet 1200/1100 access points. The clients are mostly PCs running SecureW2, Macs running with the built-in EAP-TTLS/802.1x support in Mac OS X, and a smaller number of Linux machines. Thanks for any advice! --- Shumon Huque 3401 Walnut Street, Suite 221A, Network Engineering Philadelphia, PA 19104-6228, USA. Information Systems & Computing (215)898-2477, (215)898-9348 (Fax) University of Pennsylvania / MAGPI. E-mail: shuque -at- isc.upenn.edu ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
