Wi-Fi Alliance Voice-Enterprise Certification: Standardized Fast Secure Roaming

Two of the most important aspects of building a successful modern enterprise wireless LAN are enabling transparent user mobility across the network and strong security to protect sensitive corporate data. 

However, these two objectives have historically been difficult to achieve in tandem. A balancing act between mobility and security has caused an unpleasant trade-off for organizations due to the time-consuming processes that strong security methods require. On one hand, high performance mobility can be provided when relatively weak security is implemented with an Open or WPA2-Personal WLAN, but this leaves sensitive corporate data at higher risk of exposure. On the other hand, much stronger security can be implemented with WPA2-Enterprise, lowering the exposure risk of sensitive corporate data, but resulting in poor mobility performance due to the time-consuming 802.1X authentication process. Thus, the introduction of more secure Wi-Fi networks solved one problem (security) but created another (roaming performance).

The industry needed a high performance, yet secure, solution to this mobility problem. The answer lies with fast secure roaming. Pre-standard solutions, such as CCKM and OKC have been around for some time but have failed to realize widespread adoption, especially by client manufacturers. The Wi-Fi Alliance^™ Voice-Enterprise certification program, introduced May 2012 and already appearing in major WLAN products, brings a standards-based fast roaming method to market, which serves to align infrastructure and client manufacturers on a common implementation method and provides the benefits of low-latency roaming performance while maintaining strong security with WPA2-Enterprise.

I dive deeper into the Voice-Enterprise certification program and implementation details of fast secure roaming in the new whitepaper, "Wi-Fi Alliance Voice-Enterprise Certification: Standardized Fast Secure Roaming" [PDF].

Whitepaper: Wi-Fi Alliance Voice-Enterprise Certification
(Click to Download)

Download this whitepaper to learn:

• Challenges in providing both transparent user mobility and strong security
• Requirements that products must pass to achieve Voice-Enterprise certification
• Performance criteria that Voice-Enterprise products must achieve
• Technical details of the Fast BSS Transition specification, based on IEEE 802.11r, for both controller-based and controllerless WLANs
• Performance optimizations available with Radio Resource Measurement (802.11k) and Wireless Network Management (802.11v), both part of the Voice-Enterprise program

Cheers,

Andrew



Additional Wi-Fi Roaming Blog Posts You Might Be Interested In:

1. Part 1 - Connection Control and Importance of Roaming Analysis
2. Part 2 - The Many Variations of Wi-Fi Roaming
3. Part 3 - Methods of Measuring Roam Times
4. Part 4 - Analysis with Wireshark and AirPcap
5. Apple iOS Fast Roaming with Aerohive Wi-Fi APs

A Few Wi-Fi Wish-List Items for 2011

Finally, as a wrap-up to my 2010 recap and 2011 projections for the Wi-Fi industry, here a few wish-list items that are desperately needed.

1. Voice-Enterprise Certification – the convergence of voice over IP with user mobility and smartphone adoption is leading the requirement for organizations to support large-scale VoFi deployments. However, performance of voice over Wi-Fi must be balanced with strong security based on WPA2 (802.11i) and 802.1x/EAP authentication. Predicting this need, the IEEE passed the 802.11r amendment in June 2008 to provide a method for fast, secure roaming by clients among a coordinated group of access points. This allows clients to re-use existing master key material obtained during the initial authentication during subsequent roams to other APs within the system, bypassing lengthy authentication exchanges. However, industry adoption for this feature has been almost completely absent, and the Wi-Fi Alliance has been slow to finalize the Voice-Enterprise interoperability program. This feature is such an important milestone for network performance and SLA compliance it is hard to fathom why both infrastructure and client vendors have been reluctant to implement fast roaming capability. Perhaps 2011 will be the year customers get this needed tool to increase network performance.
   
   
2. 802.11u Amendment Ratification – it’s painfully obvious that open unsecured Wi-Fi hotspots are inadequate for broad consumer use, resulting in poor data security. The problem with providing an alternative has been the complicated nature of secure Wi-Fi hotspots. In addition, there is no current mechanism for service advertisement at public locations other than creative network SSID naming. The IEEE 802.11u amendment aims to change this and remove the barriers to secure public Wi-Fi. It will do this by allowing additional information to be sent between network operators and customers for service advertisement, coordination of service delivery between Wi-Fi and external network operations (such as cellular), and provide on-demand account enrollment and customer authorization for network access. It aims to simplify the entire process for users, easing proper network identification and selection as well as gaining access through both paid and free hotspot networks. It is also unclear at this point if 802.11u will include provisions for anonymous EAP authentication and automated provider authentication (certificate validation) for free hotspots, but this function is also a clear necessity. Watch for ratification of this amendment in 2011, but manufacturer adoption and inter-network roaming agreements are likely longer-term developments.

What’s on your Wi-Fi feature wish-list?

Cheers,

Andrew