So I started testing 802.11r a few months back. I simply wanted to see what the management frames looked like and how the roaming process was different.
802.11r (Fast BSS Transition, FT) lets a client carry out the FT authentication with a new access point before it leaves the old one. The key material for the new AP is derived from the key hierarchy set up during the initial 802.1X authentication, so the client does not need a full re-authentication against the RADIUS server at each AP. This cuts down on the roaming handshake overhead and gives the client a faster transition.
The client can reach the new access point in two ways. It can talk to the new access point through its existing 802.11 association with the old access point, with the FT Action frames being relayed over the distribution system (most likely the LAN connecting the access points). This is known as Over-the-DS roaming. In the 802.11 management frame the Fast Transition part (the Mobility Domain element) looks like this:
We can see that the “Fast BSS Transition over DS” bit is set.
The client can also talk to the new access point directly, using 802.11 Authentication frames with the FT authentication algorithm. This is referred to as Over-the-Air roaming.
In this case the “Fast BSS Transition over DS” bit is not set.
So I decided to do a test of the roaming using Over-the-DS. The setup was really simple: one Cisco WLC, two access points, one RADIUS server and one iPhone. The iPhone authenticated using PEAP.
(Sorry for the small text)
Here we see the client Apple_86:20:21, which has already joined Cisco_47:f0:47.
The client sends an Action frame to the “old AP”. The Action frame is an FT Request with the Target AP address set to the “new AP”.
The “old AP” gets a success back from the “new AP” and relays it to the client as an FT Response.
The client then moves to the “new AP” with a Reassociation Request
and gets a Reassociation Response with the status Successful.
And that is it. The client roamed without a re-authentication. Not bad. And everything within 34 ms.
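To make the two things shown above concrete (the “Fast BSS Transition over DS” bit in the Mobility Domain element, and the FT Request / FT Response Action frames exchanged through the old AP), here is a small decoder for those frame bodies. This is an added example written for this page, not code from the original post or from any Cisco or Apple tooling. It uses the 802.11 layouts for the Mobility Domain element (element ID 54: 2-byte MDID plus a 1-byte FT Capability and Policy field, bit 0 = FT over DS) and the FT Action frames (category 6; FT Request and FT Confirm carry STA and Target AP addresses, FT Response and FT Ack additionally carry a 2-byte status code). The sample frame bodies, MAC addresses and MDID are constructed for the example; they are not the captured frames from the post.

```python
"""Decode 802.11r FT Action frame bodies and the Mobility Domain element (added example)."""
import struct

MDE_ID = 54                   # Mobility Domain element ID
FT_OVER_DS = 0x01             # FT Capability and Policy, bit 0: Fast BSS Transition over DS
RESOURCE_REQUEST_CAP = 0x02   # FT Capability and Policy, bit 1: Resource Request Protocol

CATEGORY_FT = 6               # Action frame category: Fast BSS Transition
FT_ACTIONS = {1: "FT Request", 2: "FT Response", 3: "FT Confirm", 4: "FT Ack"}
ACTIONS_WITH_STATUS = (2, 4)  # FT Response and FT Ack carry a Status Code


def mac(raw):
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_elements(body):
    """Walk a run of (Element ID, Length, Value) information elements."""
    elems = []
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        elems.append((eid, value))
        i += 2 + length
    return elems


def parse_mde(value):
    """Decode the Mobility Domain element value: MDID (little-endian) and capability bits."""
    if len(value) != 3:
        raise ValueError("Mobility Domain element must be 3 bytes")
    mdid, cap = struct.unpack("<HB", value)
    return {
        "mdid": mdid,
        "over_ds": bool(cap & FT_OVER_DS),
        "resource_request": bool(cap & RESOURCE_REQUEST_CAP),
    }


def parse_ft_action(body):
    """Decode an FT Action frame body (everything after the 802.11 MAC header)."""
    if len(body) < 14 or body[0] != CATEGORY_FT:
        raise ValueError("not a Fast BSS Transition action frame")
    action = body[1]
    if action not in FT_ACTIONS:
        raise ValueError(f"unknown FT action {action}")
    result = {
        "action": FT_ACTIONS[action],
        "sta": mac(body[2:8]),          # roaming client
        "target_ap": mac(body[8:14]),   # the "new AP" the client wants to move to
    }
    offset = 14
    if action in ACTIONS_WITH_STATUS:
        (result["status"],) = struct.unpack_from("<H", body, offset)
        offset += 2
    for eid, value in parse_elements(body[offset:]):
        if eid == MDE_ID:
            result["mde"] = parse_mde(value)
    return result


# Constructed sample frames (not from the original capture). Locally administered MACs.
STA = bytes.fromhex("020000000001")
TARGET_AP = bytes.fromhex("020000000002")
MDE_OVER_DS = bytes([MDE_ID, 3, 0x34, 0x12, FT_OVER_DS])   # MDID 0x1234, over-DS bit set

# FT Request relayed through the old AP: category 6, action 1, STA, Target AP, elements
SAMPLE_FT_REQUEST = bytes([CATEGORY_FT, 1]) + STA + TARGET_AP + MDE_OVER_DS
# FT Response coming back: category 6, action 2, STA, Target AP, status 0 (success), elements
SAMPLE_FT_RESPONSE = bytes([CATEGORY_FT, 2]) + STA + TARGET_AP + struct.pack("<H", 0) + MDE_OVER_DS


if __name__ == "__main__":
    for name, frame in (("request", SAMPLE_FT_REQUEST), ("response", SAMPLE_FT_RESPONSE)):
        print(name, parse_ft_action(frame))
```

Running the module prints the decoded request (Target AP address, MDID, over-DS bit set) and the response with status 0, which is the same pair of frames the capture above walks through. A frame whose Mobility Domain element has bit 0 clear decodes with `over_ds` false, matching the Over-the-Air case.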