Fast 802.11 handovers with 802.1X reauthentications

Marques, R. ; Araújo, E. A. ; Zúquete, A.

Security and Communication Networks Vol. 4, Nº 3, pp. 267 - 283, March, 2011.

ISSN (print): 1939-0122
ISSN (online):

Journal Impact Factor: 0,720 (in 2014)

Digital Object Identifier: 10.1002/sec.184

Fast handovers of roaming stations (STAs) between Access Points (APs) require preauthentication or fast reauthentication within new serving APs. The current standards address only over-the-DS (Distribution System) preauthentications for 802.1X authentications. However, over-the-DS preauthentication is not suitable for fast-moving STAs, which may lose their connection with the currently serving AP before performing preauthentications in the neighboring APs.
This article presents several ways to achieve fast 802.11 handovers while keeping the basic security features of 802.1X authentications. To do so, we designed a fast 802.1X reauthentication protocol. This protocol enables an STA to perform many fast 802.1X reauthentications after an initial, possibly slow, 802.1X authentication. The reauthentication protocol requires little from the network environment, namely a new, central Reauthentication Service (possibly integrated with the local 802.1X Authentication Server).
To speed up 802.1X reauthentications within handovers, the reauthentication protocol was piggybacked into 802.11 management frames that are ordinarily used during handovers. This way, we are able to perform 802.1X reauthentications while taking the normal, over-the-air 802.11 steps for performing handovers (network probing, authentication and (re)association). Besides this over-the-air approach, we also show how the 802.1X reauthentication protocol can be implemented using an over-the-DS approach.
A prototype implementation using over-the-air 802.1X reauthentication showed that handover delays can be dramatically reduced to 1.5 ms, while an 802.1X fast resume takes more than 150 ms.