In this simulation, you will examine wireless roaming behaviors in a managed enterprise network. You will learn to identify specific IEEE standards that optimize secure transitions between Access Points (APs) for mobile clients.

CND (312-38) Network Defense Simulation

Network Scenario

You are managing a multi-floor office building with a high-density Wireless LAN (WLAN) deployment. The network consists of several Cisco Wireless LAN Controllers (WLCs) and over 50 lightweight Access Points. Many users utilize Voice-over-IP (VoIP) applications on mobile devices while walking between floors.

Recently, users complained that VoIP calls drop or experience significant "jitter" for 1-2 seconds when they move from one end of the building to the other. Upon investigation, you realize that the re-authentication process during roaming is taking too long because the client has to perform a full 802.1X/EAP handshake with the RADIUS server every time it associates with a new AP.

Traffic & Logs

[2023-10-24 10:15:02] INFO: Client 00:AE:44:BC:12:99 roaming from AP_Floor1_North to AP_Floor1_Center
[2023-10-24 10:15:02.150] DEBUG: 802.11 Reassociation Request received
[2023-10-24 10:15:02.155] DEBUG: Initiating Full EAP-TLS Handshake with RADIUS (Latency: 450ms)
[2023-10-24 10:15:03.210] SUCCESS: Client 00:AE:44:BC:12:99 Authenticated. Roaming complete. (Total time: 1060ms)
[2023-10-24 10:15:15] ALARM: VoIP Jitter detected for client 00:AE:44:BC:12:99

Note: In a properly optimized "Fast Transition" environment, the total re-authentication time should be under 100ms.

Question

Which of the following IEEE standards is also called Fast Basic Service Set Transition?

Think about "Roaming". This standard allows a wireless client to establish security and QoS states with a target AP before the client even associates with it.

Expert Analysis

1. What is happening in the network: The logs show that mobile clients are performing a full EAP-TLS handshake during roaming. This creates a delay (over 1 second in the logs) which is catastrophic for real-time traffic like VoIP or video conferencing.

2. Identify behavior: The network lacks an implementation of Fast Transition (FT). The client has to repeat the entire authentication process with the RADIUS server instead of utilizing cached keys or pre-authentication mechanisms.

3. Why the correct answer is correct: 802.11r is specifically designed for "Fast Basic Service Set Transition." It minimizes the handshake delay by allowing the initial handshake with the new AP to occur before the client roams to it, or by using keys derived during the initial association to the first AP.

4. Why others are wrong:

  • 802.11e: Defines Quality of Service (QoS) enhancements, not roaming speed.
  • 802.11a: An older physical layer standard for 5 GHz (54 Mbps).
  • 802.11b: An older physical layer standard for 2.4 GHz (11 Mbps).

5. Defensive action: As a Network Defender, you should enable 802.11r (FT) on the SSID configuration of the WLC. Ensure client devices support the standard to prevent connectivity issues. This reduces the attack surface for DoS caused by authentication overhead and improves user experience.

MINI LESSON: Wireless Fast Roaming
  • Mechanism: FT allows the 4-way handshake to be completed more quickly by deriving new PTKs (Pairwise Transient Keys) from existing PMKs (Pairwise Master Keys) stored on the controller or shared between APs.
  • Over-the-Air vs Over-the-DS: 802.11r can communicate with the target AP via the current AP (Distribution System) or directly over the air.
  • Detection: Defenders look for "Reassociation" logs in WLCs. If reassociation takes >200ms, 802.11r is either not configured or not supported by the client.
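
The detection check from the mini lesson, as an added example that is not part of the original simulation: it parses log lines in the format shown under Traffic & Logs, times each roam from the Reassociation Request to the completion line, and flags roams over the lesson's 200 ms cut-off. The second roam in the sample (including the name AP_Floor1_South) is constructed for contrast, and the parser assumes the lines of one roam are contiguous, as they are in the page's sample.

```python
import re
from datetime import datetime, timedelta

# First roam and ALARM line: from the page. Second roam: constructed for contrast.
SAMPLE = """\
[2023-10-24 10:15:02] INFO: Client 00:AE:44:BC:12:99 roaming from AP_Floor1_North to AP_Floor1_Center
[2023-10-24 10:15:02.150] DEBUG: 802.11 Reassociation Request received
[2023-10-24 10:15:02.155] DEBUG: Initiating Full EAP-TLS Handshake with RADIUS (Latency: 450ms)
[2023-10-24 10:15:03.210] SUCCESS: Client 00:AE:44:BC:12:99 Authenticated. Roaming complete. (Total time: 1060ms)
[2023-10-24 10:15:15] ALARM: VoIP Jitter detected for client 00:AE:44:BC:12:99
[2023-10-24 10:20:41] INFO: Client 00:AE:44:BC:12:99 roaming from AP_Floor1_Center to AP_Floor1_South
[2023-10-24 10:20:41.300] DEBUG: 802.11 Reassociation Request received
[2023-10-24 10:20:41.342] SUCCESS: Client 00:AE:44:BC:12:99 Authenticated. Roaming complete. (Total time: 42ms)
"""

LINE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+(?:\.\d+)?)\] (?P<level>\w+): (?P<msg>.*)$")
ROAM = re.compile(r"Client (?P<mac>[0-9A-Fa-f:]{17}) roaming from (?P<src>\S+) to (?P<dst>\S+)")

def parse_ts(text):
    # Timestamps in the sample appear both with and without milliseconds.
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in text else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(text, fmt)

def measure_roams(log_text, threshold_ms=200):
    """Time each roam from Reassociation Request to 'Roaming complete'."""
    roams, cur, start = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        hit = ROAM.search(msg)
        if hit:                                   # a new roam begins
            cur, start = {**hit.groupdict(), "full_eap": False}, None
        elif cur is None:
            continue                              # line outside any roam
        elif "Reassociation Request" in msg:
            start = ts
        elif "Full EAP" in msg:                   # full 802.1X/EAP exchange seen
            cur["full_eap"] = True
        elif "Roaming complete" in msg and start:
            ms = (ts - start) // timedelta(milliseconds=1)
            roams.append({**cur, "ms": ms, "slow": ms > threshold_ms})
            cur = None
    return roams

if __name__ == "__main__":
    for r in measure_roams(SAMPLE):
        print(r["mac"], r["dst"], r["ms"], "ms", "SLOW" if r["slow"] else "ok", r["full_eap"])
```

A roam that is both slow and marked `full_eap` matches the condition the analysis describes: the client repeated the full 802.1X/EAP exchange instead of using Fast Transition.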
