
Stairs Suck, Ramps Rule. March 29, 2010

Posted by Devin Akin in Uncategorized, 1 comment so far

Ever heard of the “stair-step” model?  It’s the scaling model controllers use, whereby you buy up to a given number of APs per controller.  Suppose you want to deploy just 20 APs.  Depending on vendor, you might need to buy a controller that supports up to 48 APs.  You’ve just purchased way more computing power than you need (while getting a giant network bandwidth bottleneck at the same time).  This problem compounds if your Wi-Fi network is mission critical, and you need redundant controllers.  You’ve just experienced the stair-step model, but that’s not the end of the story.

Suppose that the 20 APs were your first volley, and thereafter you needed to deploy 30 more APs.  You had 3 choices (if you looked that far ahead) –

1) Buy the controller capable of 512 APs, and its evil twin for redundancy (2 big controllers)
2) Buy two 48 AP controllers, with their evil twins for redundancy (4 smallish controllers)
3) Stop at 48 APs and deal with the limitations

How is this model beneficial to the customer?

Keep in mind that this isn’t a licensing thing, but rather a physical limitation of controller hardware.  AP and feature licensing is a whole other nightmare you get to deal with because you opted for controllers.  Have fun with that.

Stairs Suck.

I was in Schiphol airport in Amsterdam the other day, and they have 2 kinds of escalators: 1) the regular kind, and 2) the ramp kind.  The ramp kind is like a moving sidewalk, except that it goes uphill and downhill.  While riding this very neat contraption, I had an interesting thought… this thing is just like the controller-less model!  How much luggage can you get onto one stair of a regular escalator?  Not much.  How much luggage can you get onto the ramp kind of escalator?  As much as you want!  It’s linear and unlimited…just like Wi-Fi deployments should be.  Like my mom used to say, “who woulda thunk it?”

Ramps Rule.

I have two miniature wiener dogs (dachshunds).  Yap, yap, yap, flip over, pee everywhere, eat anything, poop everywhere.  It’s all they do.  They’re loving little dogs, and they sleep on our bed at night.  Trust me, I didn’t know this overly-social issue about wiener dogs when we got them.  In order to get onto our tallish bed, they have a set of stairs.  Lizzie, the young, spring-loaded female, jumps, hits the middle stair, and leaps onto the bed.  Mouse, the old, overly-plump male, just sits at the base of the stairs waiting for us to pick him up and put him on the bed.  If we don’t, he rewards us by peeing on my chair.  I have stairs.  I wish I had a ramp.  Even Mouse could climb a ramp.  It’s the “getting started” that’s so hard for him, so he just sits there terrified.  If we put him on the first step, he takes off up the stairs.

This is just like buyers of Wi-Fi infrastructure.  They sit there at the base of the stair-step model wishing they could just buy a few APs and be done with it.  They don’t understand how this thing scales.  They don’t know whether or not to invest in big controllers now or to just start with some small controllers.  Every controller vendor builds a different set of stairs, and that makes things even more confusing.  I’ve visited some customers who have racks of controllers of varying sizes.  You could tell that they started small and tried to grow as best they could.  They have a mess on their hands.

Wouldn’t it be easier to just buy APs and let software handle the rest?

Only the Truth is Free March 22, 2010

Posted by Devin Akin in Uncategorized, 4 comments

The K-12 vertical is a tough market.  Budget cuts are so deep in some states that it’s a miracle that the schools don’t close altogether.  Therefore, when someone says “free”, it immediately gets the attention of budget-conscious network managers.  Many vendors seriously exploit this situation, knowing full-well that these same budget cuts mean that Wi-Fi administrators don’t receive the necessary education to make them capable of differentiating vendor products and technology.  That irritates me because I, like most everyone else, have kids in school.  I want my kids to have a good learning experience, and that includes portions of the curriculum delivered via wirelessly-connected computers.

Schools often can’t buy Cisco (“best of brand”) because only a small fraction of the K-12 market has that much money, so they count on buying “best of breed” solutions for the lowest possible price.  Additionally, schools need to buy a Wi-Fi solution that will be able to handle their network throughput, QoS, scalability, availability, and security needs for at least the next 5 years.  Muddling through this is hard enough if you’re a Wi-Fi guru, but when you spend every waking moment trying to keep the wheels from falling off your network – just so that you can keep your job – you’re not in a great position to hold vendors accountable for their ridiculous promises.  It’s a sucky situation if you ask me, and I don’t envy you if you’re in this position.

/Rant – ON

How then does this play out?  Everybody offers “free” stuff in order to entice potential customers.  Now, we all know what “free” really means.  It’s the same kind of “free” that you get at car dealerships and credit card companies.  There’s always a hook, and there’s often hidden costs.  If you’ve ever worked at a vendor, you’ve seen this.  Just for the sake of example, I’ll pick on a few of our competitors for a minute:

Xirrus – Free professional services (survey, installation, etc.)
Truth: The free stuff is only “free” if you buy their solution for a premium price and the professional services costs can be hidden in the equipment costs.  Think about it…  They have hard costs (plane ticket, hotel, food, rental car, etc) to factor into the equation, and those costs do not magically go away just because the vendor offers the professional services instead of a third party (like a VAR).  You’re paying for it one way or another, which means that they charge more for the equipment.  Since they aren’t using a VAR channel, this just means that they are keeping that margin and using it to pay the expenses for their own people doing the work.

Meru – Up to 30% less APs
Truth: You can go with up to 30% fewer APs, as long as you don’t mind getting 70% less throughput than any standard multiple-channel-architecture (MCA) system.  They deploy their APs at high/max power and then say that this means they need fewer APs.  Heck, anybody can do that.  All it means, whether deploying MCA or SCA, is that you have less system capacity…and the last thing Meru needs is less capacity, given that they are already channel constrained.

Aruba – Multivendor management
Truth: “Management” is a relative term, and AirWave is the most expensive WNMS in the market by a LONG shot.  If you have Cisco, HP, Trapeze, or whoever else’s gear, you could just buy those vendors’ WNMS platforms (for a lot less money than AirWave), and any of those vendor-specific platforms will FULLY manage their own infrastructure platforms (versus AirWave “kinda” managing them).  Remember, it’s just a hook to get you to buy their whole solution.

I could pick on Ruckus, Motorola, HP, and the rest (for the same reason), but I’ll spare you the diatribe.

Now don’t take this the wrong way.  I’m not saying that these vendors have bad equipment, outright lie, or anything like that.  I’m only saying that “free” isn’t – ever.  It’s always a hook.

To be fair to our competitors, Aerohive does the same thing.  Just look at our planner tool (www.aerohive.com/planner).  It’s full-featured and free – honestly – and it’s there for the same reason that all of the competitors offer free stuff: it’s a hook.  Just by being there, it says, “Try me, use me, abuse me, and then buy our stuff.”  Interestingly, it also helps you plan your deployment of other vendors’ APs. :-)   I’m just saying that as a consumer, you should never believe that “free” means free.

Before I get off my soap box, I’ll say that the buyer should beware that some vendors will quote a solution that seems to meet the customer’s needs, and after the customer buys it, the vendor will break the unpleasant news that in order to do X, Y, and Z, they have to buy a bunch of extra licenses. Then the vendor is “in the door” and it’s too late for the customer to back out.  This kind of BS gets on my last nerve.  I’m a consumer too ya know.

/Rant – OFF

Anyway, back to those K-12 guys.  The best solution for their environment is often non-obvious and hard to ferret out.  They can have any combination of needs, including (but not limited to) directory services integration, bridging to temporary trailers, security cameras, guest/staff/student access with stateful filtering, high-density device handling, various desktop operating systems and mobile device types (iPad: woot!), video unicast/multicast, 99+% uptime, and tons more.  When you throw that many variables, confusing cost models, and deployment and operational complexities into the mix, it’s a miracle that they don’t just opt for more Ethernet.

Besides meeting the base technical requirements (some of which are mentioned above), the K-12 guys need three major things:

1) Ease of use
2) Low cost
3) Deployment & troubleshooting simplicity

Let’s be honest… finding a system that has the right features, plus meets these three parameters, is like finding a needle in a haystack among all of today’s Wi-Fi vendors.  Most schools don’t have the time or resources to do the due diligence.

I know that you’re waiting for me to get to the punch line, where I tell you how Aerohive is the only vendor that ___________ and all other vendors suck because _________.  Sorry to disappoint you.  There’s no punch line coming.  Aerohive offers a great Wi-Fi solution that meets the requirements listed above, but there’s something even more important to us that was woven between the lines of this blog post: integrity.  We say things plainly, are openly honest with our customers and partners, and want to provide a great solution for our customers.  Integrity is the only silver bullet that we can think of to solve the kind of problems that the K-12 industry (and their ilk) is facing.

Funny story: When I was interviewing with Aerohive, I mentioned to the exec team that I would never lie for this company…or any other.  I was taking a stand.  Then they quickly responded that nothing would get you fired faster than lying to a customer, partner, or anyone else for that matter.  I was sold.

The only thing that’s free is the truth, and the truth will set you free.

The Caffeinated Blog March 15, 2010

Posted by Devin Akin in Uncategorized

I’m back – in more ways than one (if you’ve read those last four posts).  I’m writing this while on the way back from the UK and Holland, where I wreaked a special kind of havoc. ;-)

I realized something very important this past week.  McDonalds is the same everywhere.  Not the menu, but rather the experience.  It really doesn’t matter what you order, because you’re going to get something else.  Give them $10, ask for “food”, and then hope for the best.  As an example, right before I was due to present to 15 new VAR candidates, McDonalds pulled the old switcheroo, giving me a double espresso instead of a regular coffee.  I probably don’t have to elaborate on what happened thereafter, other than to say that the front row had a sort of wind-blown look when I finished presenting.

A few cool facts from this past week:

———————–
Spanish wine is unbelievable…even if you have to go all the way to Amsterdam to get it.

Dutch people could possibly be the nicest bunch of folks on the planet.  I wish they’d all move to Georgia (the state, not the country).

Belgians are really smart…so smart that it even confuses me when they smile.

KLM is a great airline for little people.  There can’t be more than 2″ of leg room between seats.
———————–

I’m typing this entire blog on my Blackberry while flying from AMS to LHR.  My thumbs hurt, but they’ve taken control and refuse to stop.  After 4 hours of sleep, I had to caffeinate to make it…and now I’m wired (but not like Ethernet). :-)

Back to Wi-Fi.  Things are changing… and fast.  It’s shocking even to me…and all I do is Wi-Fi.

Ruckus now says that they’re “almost controller-less.”  WTH does that mean?  Is that like, “almost pregnant?”  L2 and L3 roaming, among other things, requires their controller.  If they get past that, we’ll consider giving them the, “controller-less beginner” Boy Scout badge. ;-) My money is on Motorola to complete their controller-less initiative before Ruckus does, but I could be wrong.

Aruba’s VARs will tell you that putting a firewall in an AP is a bad thing, yet Aruba is doing that very thing in their forthcoming 5.0 code…along with at least half of the industry, including Trapeze, Motorola, and others.  Note that Aerohive pioneered stateful firewalls in the AP, and it’s now, “table stakes.”  Aruba flip-flops more than John Kerry.  Of course, I suppose that it’s a common marketing practice (though I think it’s a dumb one) to say that something is a bad idea until you can do it.

Everybody is pushing intelligence to the edge…some faster than others, and some in different ways than others.  Every Wi-Fi vendor will distribute intelligence to the network edge sooner or later (likely MUCH sooner than you expect).  It’s the way of things.  Look at the Internet.  Look at your routed or switched network.  Bank on it, bet on it, learn it, live it, love it.  It’s here to stay, and it changes everything.

Did you know that OSPF is a “control plane” protocol?  Ponder that.

Something funny: We have just seen the first major slander session by a competitor.  I won’t mention who it was…because that’s reverse-engineered slander in and of itself, right?  This means that Aerohive has just entered the, “they’re not going away on their own, so we have to acknowledge that what they’re doing makes sense… and then kill them” phase.  Very cool.  Yes, I know, it’s an odd way to gauge growth and maturity of a company.  If you prefer, I could tell you that Gartner just released a security best practices doc for Wi-Fi last month that says (paraphrasing) that for availability (an important part of your security posture), you should implement redundant controllers or a controller-less architecture. There’s obviously some smart dudes over there. ;-)

Note to competitors: keep that BS about, “Aerohive’s solution doesn’t scale” coming.  It gives us a platform on which to show potential customers how the controller-less model is, by a long-shot, the most scalable model in the Wi-Fi industry.  Massive scalability, low cost, and resilience (no single points of failure) is why practically every vendor is moving to this model quick, fast, and in a hurry.  I’m just sayin’…

Man, caffeine rocks.

I met a lady and her daughter in Harrod’s (Google it) in London who were from Rockmart, GA.  Bremen (my home town) has about 4000 residents.  Rockmart residents think that Bremen is “the big city.”  Rockmart is 20 miles from Bremen.  Odd coincidence, no?  Maybe they were following me…  If we had a Harrod’s in Atlanta, my wife would never come home, and we’d never have any grocery money. ;-)

I saw the Tower of London, a 2000 year old wall, and a Beefeater.  Prior to meeting that dude, I thought I was a beef eater.  Pork is good too.  Nice guy, weird clothes, cool castle.


I found out that Dutch people typically speak more languages than I have fingers, everything in Europe costs as much as my truck (even a decent lunch meal), and that Brits (I hope that isn’t a derogatory slang word or something) love Americans and guns (well, at least the ones I met).  Way cool.  Three words: everyone move to Georgia. OK, that was four words.

I digress…now where was I?…ah yes, Wi-Fi…


I haven’t a clue what the article says, and I was cautioned against translating it. ;-) It was fun hanging out with these guys.

The “other meeting” we had was super cool.  I met a guy named Lon from FL.  That makes him my homey, kinda.  He rocks.

Either Dutch people “get” my sense of humor or they laugh at everything. That presentation was a blast.  I found out at the end that Sercie is Belgian. Good thing that I said nice things about Belgians during the presentation.  Chris Scheers is Belgian, and he writes functional specs with Tables of Contents consisting mostly of Calculus…then it gets complicated.

QI/ICT has 4 coffee machines that cost $10k each.  They love coffee.  I love coffee.  I think their coffee tastes better than normal just because the machine costs so much.  It was groovy to watch those things make coffee.  I was thinking about how cool it would be to add Cooperative Control protocols to those coffee machines…they would scale better that way. ;-)

Coffee in Europe is a sip-by-sip experience. Wow.  It’s good everywhere.  AT&T, however, is not.  In the middle of my trip, AT&T applied a password (which I don’t have) to my voicemail…and given the 5-6 hour time difference, I could never get in touch with them about it…because their global support apparently isn’t.  Then their WiFi hotspots…can’t get in, can’t get anyone on the phone, can’t _____ (you fill in the blank).  It just took me 2 months of calling my way up the food chain to get my ADSL line fixed…and now this.  I don’t think it was Cisco who was “asleap” at the wheel…I think it was and is AT&T.  Grrr.  $100s per month…and for what?  Where’s the love?  Sprint – here I come.

I was just thinking about that song by Jerry Reed (mid 1970s) called “Eastbound and Down.”  I love that line that says, “We gon’ do what they say can’t be done.  We got a long way to go, and a short time to get there…”  Maybe ol’ Jerry was thinking about Aerohive when he wrote it…


You know, Jerry Reed’s parents were from Rockmart, GA.  Cool, eh?  I digress again…it’s the caffeine…wait…uh oh…crashing…neeeeed coffee.  Shutting down…

I really should wrap this thing up…

Controllers suck.

The end. ;-)

Cooperative Control: Part 4 (final) March 8, 2010

Posted by Devin Akin in Uncategorized, 2 comments

Fast/Secure Layer 3 Roaming

Mobility in typical IP networks is challenging because, as a user moves from subnet to subnet, their IP settings change, which usually makes IP-based sessions or applications fail.  To allow users to maintain their IP settings and network connections while roaming across subnets throughout a WLAN, Aerohive has developed the Dynamic Network Extension Protocol (DNXP).  At the time a user roams to an AP that is located in a different subnet, DNXP will dynamically establish a tunnel from the new AP back to an AP in the subnet the user roamed from.  The user’s traffic is tunneled back to its original subnet, which allows clients to preserve their IP address settings, authentication state, encryption keys, firewall sessions, and QoS enforcement settings as they roam across HiveAPs in different subnets.  This is especially important for clients using voice and video applications.

When layer 3 roaming is enabled, HiveAPs can automatically discover their layer 3 neighbors (neighboring HiveAPs on different subnets) by scanning radio channels.  If HiveAPs are within radio range of each other, are in the same hive, have layer 3 roaming enabled, and are in different IP networks, the HiveAPs will build layer 3 neighbor relationships with each other over the routed Ethernet network.  HiveAPs will then distribute tunnel and client information to their layer 3 neighbors.  This way, when the user roams across layer 3 boundaries, the tunnels can be built without delay.

In situations where HiveAPs cannot discover each other automatically over the air, possibly due to being on opposite sides of an RF obstacle, you can manually configure layer 3 neighbors for HiveAPs using HiveManager.

When layer 3 neighbors are discovered, either automatically or manually, HiveAPs in different subnets will exchange lists of available HiveAP portals and client and roaming cache information.  This way, if a client does roam to a new subnet, the HiveAP in the new subnet will be aware of the client and can dynamically build a tunnel back to any one of the portal HiveAPs in the previous subnet.  This allows for fast/secure layer 3 roaming.

The following diagram shows the basic steps performed by HiveAPs as clients roam within their subnet and across subnet boundaries.

Diagram5

Diagram 5. The Process for Fast/Secure Layer 3 Roaming

Step 1 – The client performs seamless, fast/secure layer 2 roaming within subnet A.

Step 2 – After the client successfully roams to HiveAP 2, HiveAP 2 will send an encrypted control packet over the Ethernet infrastructure to HiveAP neighbors in the neighboring subnet.  The control packet contains, as a minimum, the client’s identity, security and QoS information, SIP call state, and the client’s originating subnet.

Step 3 – Because the client’s identity and key information, including SIP call state, is proactively synchronized between neighboring HiveAPs, when the client roams to HiveAP3, HiveAP3 has all the information it needs to enforce policies and to tunnel permitted traffic, over the GRE tunnel, to a portal HiveAP in the client’s original subnet.  This behavior allows the client to maintain its IP address and active sessions as it roams.  Predictively, HiveAP3 forwards the wireless client’s roaming information to HiveAP4 in anticipation of any further roaming.

The ability for a client to maintain its IP, QoS, firewall, and security settings while roaming across subnet boundaries ensures that client application sessions do not get dropped while roaming.  Based on a configurable idle time or number of packets per minute, HiveAPs can be set to disassociate these wireless clients so that they reconnect and receive an IP address in their new subnet, allowing traffic to be forwarded locally instead of through the tunnel.  If a client roams across subnet boundaries when it does not have any active sessions in process, it can be immediately transitioned to the new subnet, eliminating the need to tunnel traffic at all.

In summary, with HiveAPs and cooperative control, wireless clients have the ability to perform fast/secure roaming between HiveAPs within the same or between different subnets without impacting client data or voice connections.

Tunnel Load Balancing in Large Scale Layer 3 Roaming Environments

Aerohive’s layer 3 roaming feature provides unprecedented scalability by using tunnel load balancing to distribute tunnels across all portal HiveAPs within a subnet.  This leverages the distributed processing power of the wireless network to support thousands of layer 3 roaming tunnels and multiple gigabits of cross subnet throughput.  When a HiveAP in a remote subnet attempts to establish a tunnel to a HiveAP in the original subnet, in the very rare case that the HiveAP in the original subnet has high tunnel load, it can inform the HiveAP in the remote subnet to tunnel to another portal HiveAP in the subnet.  This prevents any single HiveAP from being over-utilized.
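As an added example (not Aerohive code, and not the real DNXP packet format, which the post does not describe), here is a small Python model of the roaming decisions in the paragraphs above: a same-subnet roam stays at layer 2, a cross-subnet roam with live sessions gets a tunnel to a portal in the home subnet, an idle client is simply renumbered, and a portal that is already full redirects the tunnel to the least-loaded portal in its subnet. `Portal`, `Client`, `Ap`, `choose_portal`, `on_roam`, the 64-tunnel capacity and the 30-second idle timeout are all this example's assumptions.

```python
"""Illustrative model of cross-subnet roaming with home-subnet tunnels.

Added example, not Aerohive code. Assumed names: Portal, Client, Ap,
choose_portal, on_roam. The tunnel capacity and idle timeout are assumed
values; the DNXP wire format is not modelled.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Portal:
    """An AP in the client's original subnet that can terminate a GRE tunnel."""
    name: str
    ip: str
    tunnels: int = 0
    max_tunnels: int = 64  # assumed capacity that triggers a redirect


@dataclass
class Client:
    mac: str
    ip: str
    active_sessions: int = 0  # flows still present in the AP's stateful firewall
    idle_seconds: int = 0


@dataclass
class Ap:
    name: str
    subnet: str                                   # e.g. "10.2.0.0/24"
    tunnels: dict = field(default_factory=dict)   # client MAC -> portal name


def same_subnet(ip: str, subnet: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet)


def choose_portal(portals, preferred_idx=0):
    """Tunnel load balancing: the portal first asked accepts the tunnel if it
    has room, otherwise it points the remote AP at the least-loaded portal."""
    first = portals[preferred_idx]
    if first.tunnels < first.max_tunnels:
        return first
    return min(portals, key=lambda p: p.tunnels)


def on_roam(client: Client, new_ap: Ap, portals, idle_timeout=30):
    """Decide what happens when `client` associates to `new_ap`.

    Returns 'layer2' (same subnet, nothing to do), 'renumber' (cross-subnet
    but nothing worth preserving, so the client gets a local address) or
    ('tunnel', portal_name) for a cross-subnet roam with live sessions.
    """
    if same_subnet(client.ip, new_ap.subnet):
        return "layer2"
    if client.active_sessions == 0 or client.idle_seconds >= idle_timeout:
        # Nothing to preserve: let the client re-address locally rather than
        # hairpinning all of its traffic through the original subnet.
        new_ap.tunnels.pop(client.mac, None)
        return "renumber"
    portal = choose_portal(portals)
    portal.tunnels += 1
    new_ap.tunnels[client.mac] = portal.name
    return ("tunnel", portal.name)
```

The point to notice is the third branch: the tunnel exists only for as long as the client has state worth keeping, and the portal that terminates it is chosen per client, which is what spreads tunnel load across every AP in the home subnet instead of one box.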

Radio Resource Management (RRM)

To respond to changes in the RF environment, HiveAPs use Aerohive Channel Selection Protocol (ACSP).  ACSP allows HiveAPs to cooperate in order to automatically select the channels and power settings that give the best performance across the entire system.  HiveAPs use ACSP to scan channels and to build tables of discovered wireless devices.  These tables, along with additional RF information such as channel utilization and retry counters, are used to identify and classify interference types and sources.  HiveAPs communicate ACSP state information with each other and use this information to select the appropriate channels and power levels for the network topology and configuration.

For each radio in access mode, ACSP will select a channel and power level to maximize coverage while minimizing interference with its neighbors.  This is accomplished by ensuring that HiveAPs use different channels than their immediate neighbors, and that they adjust their power to minimize co-channel interference with other, more distant, HiveAPs.  For radios in backhaul (mesh) mode, ACSP ensures that they use the same channel throughout the mesh, while still minimizing interference with the access links.

To maintain optimal performance, ACSP constantly checks the radio power settings and can automatically decrease radio power based on communication from neighboring APs to give the maximum coverage possible while minimizing interference.  This behavior is highly beneficial in a failure state or when an AP is taken offline: neighboring APs can automatically adjust their power to the optimum state, essentially taking into account the missing AP.  ACSP can also be scheduled to recalibrate the radio channels during a configurable daily time window and only when no more than a specified number of clients are associated.   This helps ensure that radio channels do not switch while the WLAN is being utilized, preventing a disruption of service for wireless clients.
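The three ACSP behaviors above (different channels for immediate neighbors, power backed off against co-channel neighbors and raised again when one disappears, and recalibration gated on a time window and client count) map onto a classic graph-coloring problem. The Python below is an added example of that algorithm, not the ACSP implementation; the neighbor graph, the 2.4 GHz channel set 1/6/11, the -75 dBm threshold, the dBm steps and the names `assign_channels`, `pick_power`, `may_recalibrate` are all this example's assumptions.

```python
"""Illustrative cooperative channel/power selection (added example, not the
ACSP implementation). Assumed: a neighbor graph built from over-the-air
scans of the form {ap: {neighbor_ap: rssi_dbm}}, 2.4 GHz non-overlapping
channels 1/6/11, and transmit power in whole dBm steps.
"""
from collections import defaultdict

NON_OVERLAPPING_24GHZ = (1, 6, 11)


def assign_channels(neighbors, channels=NON_OVERLAPPING_24GHZ):
    """Greedy graph coloring: the AP that hears the most neighbors is placed
    first, and each AP takes the channel least used by the neighbors already
    placed, weighted by how loudly each neighbor is heard. Returns {ap: ch}.
    Immediate neighbors end up on different channels whenever the channel
    count allows; otherwise the least-conflicting channel wins."""
    order = sorted(neighbors, key=lambda ap: len(neighbors[ap]), reverse=True)
    chosen = {}
    for ap in order:
        used = defaultdict(int)
        for nbr, rssi in neighbors[ap].items():
            if nbr in chosen:
                used[chosen[nbr]] += max(1, rssi + 100)  # -60 dBm counts 40, -90 counts 10
        chosen[ap] = min(channels, key=lambda ch: (used[ch], channels.index(ch)))
    return chosen


def pick_power(ap, neighbors, assignment, max_dbm=20, min_dbm=8, step=3):
    """Back off one step per co-channel neighbor heard above -75 dBm, never
    below min_dbm. The function is stateless: re-running it after a neighbor
    drops out of the graph (failed or taken offline) yields more power, which
    is how the survivors re-cover the hole the missing AP left."""
    power = max_dbm
    cochannel = [rssi for nbr, rssi in neighbors[ap].items()
                 if assignment.get(nbr) == assignment[ap]]
    for rssi in sorted(cochannel, reverse=True):
        if rssi > -75 and power - step >= min_dbm:
            power -= step
    return power


def may_recalibrate(hour, associated_clients, window=(2, 5), max_clients=5):
    """Only re-run channel selection inside the maintenance window and when
    few clients are associated, so a channel change does not drop sessions."""
    start, end = window
    return start <= hour < end and associated_clients <= max_clients
```

Running the coloring on a triangle of APs plus a fourth that only hears one of them gives the three neighbors 1/6/11 and reuses a channel for the fourth, which is the desired outcome: channel reuse is only a problem between APs that actually hear each other.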

Station Load Balancing

Many times in a wireless network, many users will unknowingly be connected to the same AP, or even the same radio on the same AP, while neighboring APs may be under-utilized.  This can have a significant impact on client performance and may cause the users to have an unsatisfactory experience.  It is logical, therefore, that clients be encouraged to move from the more heavily-loaded APs to the lightly-loaded ones.  To aid in the distribution of clients among HiveAPs in a cooperative control infrastructure, Aerohive has implemented station load balancing.

HiveAP load is determined, as a minimum, by:

1)    the overall load of the system

2)    the load in a specific area on a specific channel

3)    the voice traffic load of attached stations

4)    the total number of attached stations

5)    the signal quality of attached stations

HiveAPs can make decisions to offload stations from one radio to another within the same HiveAP (Bandsteering) based on client capabilities and/or to offload stations to a HiveAP that is better suited to handle the load in the immediate area.  Transitioning clients between radios and between APs is done without breaking the application session.

Use of admission control can prevent over-utilization by ensuring there is enough headroom for stations that roam to the HiveAP.  It also prevents overloading a single HiveAP, especially when there are other HiveAPs nearby that can better handle the load.  This is useful with VoWiFi, because it helps ensure that a HiveAP has availability to support new or roaming voice stations, and that there is enough airtime available for excellent voice quality.
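To make the load inputs and the admission-control idea concrete, here is an added Python example (not Aerohive's algorithm) that scores each radio from channel utilization, voice load, station count and signal quality, steers a dual-band client to the same AP's 5 GHz radio first, moves a single-band client to a lighter neighbor only when the gain is worth it, and refuses new voice calls on a radio that has no headroom left. The weights, thresholds and the names `Station`, `Radio`, `load_score`, `admit`, `pick_target` are this example's assumptions.

```python
"""Illustrative station load balancing and voice admission control (added
example, not Aerohive's algorithm). The weights, thresholds and the input
fields below are assumptions chosen to mirror the load inputs in the post.
"""
from dataclasses import dataclass, field


@dataclass
class Station:
    mac: str
    rssi: int                # dBm as heard by the serving radio
    voice: bool = False
    dual_band: bool = False  # can be band-steered to 5 GHz


@dataclass
class Radio:
    ap: str
    band: str                # "2.4" or "5"
    channel_util: float      # 0.0..1.0 airtime busy on this channel
    stations: list = field(default_factory=list)
    voice_capacity: int = 8  # assumed max concurrent calls per radio


def load_score(radio: Radio) -> float:
    """Combine the inputs the post lists: channel load, voice load, station
    count and signal quality (weak clients burn more airtime per byte)."""
    n = len(radio.stations)
    voice = sum(1 for s in radio.stations if s.voice)
    weak = sum(1 for s in radio.stations if s.rssi < -70)
    return (0.5 * radio.channel_util
            + 0.25 * voice / radio.voice_capacity
            + 0.15 * n / 30
            + 0.10 * weak / max(n, 1))


def admit(radio: Radio, station: Station, headroom=1) -> bool:
    """Admission control: keep `headroom` voice slots free for roaming calls
    and refuse new calls on a radio whose airtime is already saturated.
    Data stations are always admitted (they degrade, they do not drop)."""
    if not station.voice:
        return True
    in_use = sum(1 for s in radio.stations if s.voice)
    return in_use + headroom < radio.voice_capacity and radio.channel_util < 0.7


def pick_target(station: Station, radios, min_gain=0.15):
    """Where to steer `station`: the same AP's 5 GHz radio if the client is
    dual-band (band steering), else the least-loaded radio that will admit
    it, and only if the move lowers load by at least `min_gain`. Returns
    None when the station should stay put."""
    current = next(r for r in radios if station in r.stations)
    candidates = [r for r in radios if r is not current and admit(r, station)]
    if not station.dual_band:
        candidates = [r for r in candidates if r.band == current.band]
    same_ap_5g = [r for r in candidates if r.ap == current.ap and r.band == "5"]
    pool = same_ap_5g or candidates
    if not pool:
        return None
    best = min(pool, key=load_score)
    return best if load_score(current) - load_score(best) >= min_gain else None
```

The `min_gain` check is what keeps a load balancer from thrashing: two radios with nearly equal load must not bounce a client back and forth every time a few frames tip the balance.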

————————

This is the last blog post on Cooperative Control.  If you want to read more on the topic, I will refer you to our website at Aerohive.com for the upcoming comprehensive whitepaper on Cooperative Control.  Future blogs will incorporate my personality.  See ya next week, and oh, btw, stay tuned for some really exciting action at the beginning of the quarter.  :)

Cooperative Control: Part 3 March 1, 2010

Posted by Devin Akin in Uncategorized, 2 comments

Cooperative Control

By utilizing cooperative control, HiveAPs cooperate with neighboring HiveAPs to support control functions such as radio resource management, Layer 2/3 roaming, client load balancing, and wireless mesh networking, eliminating the need for a centralized controller.

Cooperative control is made possible with the following self-organizing and automatically-operational cooperative control protocols:

Cooperative control protocols allow HiveAPs to operate as a cohesive system in order to provide the mobility, security, RF control, scalability, and resiliency that are essential for supporting today’s and tomorrow’s demanding applications over a Wi-Fi infrastructure.

HiveAP Auto Discovery & Self Organization

Cooperative control simplifies the deployment of HiveAPs by enabling them to automatically discover one another and by proactively synchronizing network state. HiveAPs have the ability to discover each other, whether they see each other over a wired network or a wireless network.  When HiveAPs are powered on, they start to search for both wired and wireless HiveAP neighbors, and if neighbors are found with the same hive name and shared secret, they can build AES-secured connections to each other.

Once the neighbor relationships have been established between HiveAPs in a Hive, they will run cooperative control protocols across wired and wireless links to provide fast/secure roaming, radio resource management, and resiliency.  If HiveAPs discover neighboring HiveAPs that are in a different subnet, as long as the HiveAPs are configured with same hive name and hive shared secret settings, they will exchange IP information with each other and establish communications over the routed network infrastructure to provide cooperative control functionality across layer 3 boundaries. The beauty of cooperative control protocols is that they do not need to be configured, greatly decreasing the operational cost and complexity of deploying a modern wireless solution.
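The post says neighbors pair up only when hive name and shared secret match, and then protect their control traffic with AES. The actual wire protocol is not described, so the Python below is an added illustration of the idea, not Aerohive's handshake: a three-message HMAC challenge/response in which each AP proves it knows the hive secret without ever sending it, a mismatched hive name is ignored, a wrong secret is rejected in constant time, and both sides end up with the same per-pair 128-bit key for the AES channel. `HiveAp`, `proof_tag`, `session_key`, `pair` and the message layout are this example's assumptions.

```python
"""Illustrative neighbor discovery handshake for APs sharing a hive name and
secret (added example; not Aerohive's protocol). Assumed: HMAC-SHA256
challenge/response over fresh nonces, and an HMAC-based per-pair key
derivation standing in for whatever the real system uses.
"""
import hashlib
import hmac
import os


def proof_tag(secret, hive, role, initiator, responder, n_i, n_r):
    """HMAC over both names and both nonces. `role` separates the responder's
    proof from the initiator's so neither can be replayed as the other."""
    msg = b"|".join([role, hive.encode(), initiator.encode(), responder.encode(), n_i, n_r])
    return hmac.new(secret, msg, hashlib.sha256).digest()


def session_key(secret, hive, n_i, n_r):
    """Per-pair 128-bit key for the AES-protected control channel (assumed)."""
    msg = b"|".join([b"sess", hive.encode(), n_i, n_r])
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


class HiveAp:
    def __init__(self, name, hive, secret):
        self.name, self.hive, self.secret = name, hive, secret

    def hello(self):
        """Message 1 (initiator): hive name plus a fresh nonce; never the secret."""
        self.nonce = os.urandom(16)
        return {"ap": self.name, "hive": self.hive, "nonce": self.nonce}

    def answer(self, h):
        """Message 2 (responder): ignore other hives, otherwise prove the secret."""
        if h["hive"] != self.hive:
            return None
        self.nonce = os.urandom(16)
        proof = proof_tag(self.secret, self.hive, b"resp", h["ap"], self.name, h["nonce"], self.nonce)
        return {"ap": self.name, "nonce": self.nonce, "proof": proof}

    def confirm(self, h, ans):
        """Message 3 (initiator): verify the responder in constant time, derive
        the key, and return a proof so the responder authenticates us too."""
        if ans is None:
            return None
        expected = proof_tag(self.secret, self.hive, b"resp", self.name, ans["ap"], h["nonce"], ans["nonce"])
        if not hmac.compare_digest(expected, ans["proof"]):
            return None
        key = session_key(self.secret, self.hive, h["nonce"], ans["nonce"])
        proof = proof_tag(self.secret, self.hive, b"init", self.name, ans["ap"], h["nonce"], ans["nonce"])
        return key, {"ap": self.name, "proof": proof}

    def accept(self, h, ans, conf):
        """Responder checks message 3 and derives the same key."""
        if conf is None:
            return None
        expected = proof_tag(self.secret, self.hive, b"init", h["ap"], self.name, h["nonce"], ans["nonce"])
        if not hmac.compare_digest(expected, conf["proof"]):
            return None
        return session_key(self.secret, self.hive, h["nonce"], ans["nonce"])


def pair(a, b):
    """Run the exchange; (key, key) on success, (None, None) otherwise."""
    h = a.hello()
    ans = b.answer(h)
    res = a.confirm(h, ans)
    if res is None:
        return None, None
    key_a, conf = res
    return key_a, b.accept(h, ans, conf)
```

Two details worth copying into any real implementation of this idea: the secret is only ever used as an HMAC key, so a capture of the wired network yields nonces and tags but nothing a dictionary attack can run against offline unless the secret is weak, and the nonces are fresh per exchange, so every pairing gets a new session key.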

Roaming Issues with Autonomous APs

Fast/secure roaming is most often defined as roaming that occurs in just a few tens of milliseconds.  Fast/secure roaming becomes very important when using real-time applications like voice and video, where an interruption in a connection can cause dead air, pops, or even dropped sessions.

With traditional autonomous APs that have no knowledge of each other, fast/secure roaming with IEEE 802.1X/EAP authentication is not possible.  During authentication, the RADIUS server, wireless client, and AP exchange user authentication information and derive encryption keys between themselves.  If the wireless client moves to another AP, the new AP has none of the keys that were created on the previous AP, so the wireless client has to repeat the entire authentication and key derivation process.  That process takes far longer than the few tens of milliseconds real-time applications can tolerate, so time-sensitive sessions on the client, such as voice, video, or file transfers, are interrupted or dropped.

Diagram3

Diagram 3. Autonomous APs – No Fast/Secure Roaming with 802.1X/EAP

Aerohive Networks has solved the problem that exists with autonomous AP solutions using AMRP.  Whether connected via the wired LAN or wireless mesh, HiveAPs cooperate with each other using AMRP to predictively exchange client authentication state, identity information, and encryption key information with neighboring HiveAPs, allowing clients to perform fast/secure roaming.  The following diagram lists the steps taken by the HiveAPs for fast/secure roaming.

Diagram4

Diagram 4. HiveAPs – Authentication, Key Derivation, and Key Distribution

Step 1 – After a wireless client successfully authenticates with a RADIUS server using 802.1X/EAP authentication, the information exchanged between the RADIUS server and the client is used to derive a key called the pairwise master key (PMK). This PMK is the same on the wireless client and RADIUS server.

Step 2 – The RADIUS server transfers the PMK to the HiveAP (it rides in the Access-Accept, carried as the MS-MPPE key attributes that hold the EAP master session key).  The client and HiveAP then run the 4-way handshake, which proves to each side that the other holds the same PMK and derives the pairwise transient key (PTK) that actually encrypts the client’s traffic.

Step 3 – Using AMRP, the HiveAP proactively distributes encryption keys, identity information, SIP voice session state information, firewall, and QoS policy information to all neighboring HiveAPs.  This, along with the de facto standard Opportunistic Key Caching (OKC), permits clients to roam between HiveAPs without having to repeat the 802.1X/EAP authentication process, enabling fast/secure roaming.

Note: For security reasons, the key and identity information sent between HiveAPs is encrypted with AES and is stored only in memory on the HiveAP, never written to flash.  This way, the keys and all user identity information are gone as soon as a HiveAP is powered off, and administrators have no interface for viewing the keys.  These measures are intended to keep the keys from being recovered by sniffing the wired network or by pulling the storage out of a stolen HiveAP; like any RAM-only design, they protect a unit that has lost power, not one an attacker manages to keep running.

Along with the key information that is distributed among neighboring HiveAPs, AMRP also distributes the user’s identity information so that HiveAPs can enforce the identity-based firewall access policies and QoS settings as the user roams between HiveAPs.
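To show why Steps 1 through 3 remove the re-authentication that Diagram 3 suffers from, here is an added Python example (not Aerohive code) of the key flow: the PMK a client and AAA server share after 802.1X/EAP, the PMKID defined by IEEE 802.11i that names it for a particular AP, the proactive push of that PMK to neighboring APs, and the two possible outcomes when the client reassociates. A neighbor that received the key answers the client's PMKID with a 4-way handshake and no EAP; an AP that never heard of the client forces a full 802.1X/EAP run, which is the autonomous-AP case. The EAP method is replaced by a stand-in KDF over a constructed credential, AES protection of the push is not modelled, and `Ap`, `eap_authenticate`, `push_to_neighbors`, `reassociate` and the MAC addresses are this example's own.

```python
"""Added example of the key flow behind Diagrams 3 and 4 (not Aerohive code).

Assumed: eap_authenticate() stands in for the real EAP method (EAP-TLS,
PEAP, ...) from which the MSK and hence the PMK really come; caches live in
RAM only; the transport protection of the key push is not modelled.
"""
import hashlib
import hmac


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) per IEEE 802.11i.
    AA is the AP's BSSID, SPA the client's MAC. A client puts this value in
    the RSN IE of its (re)association request to say "I already hold a PMK
    that is valid for you"."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def eap_authenticate(user: str, credential: bytes) -> bytes:
    """Stand-in for the 802.1X/EAP exchange with the RADIUS server: both ends
    finish holding the same 32-byte PMK (the first 256 bits of the EAP MSK).
    PBKDF2 over a constructed credential plays that role here."""
    return hashlib.pbkdf2_hmac("sha256", credential, user.encode(), 1000, 32)


class Ap:
    def __init__(self, name: str, bssid: bytes, neighbors=()):
        self.name = name
        self.bssid = bssid
        self.neighbors = list(neighbors)  # APs this one pre-distributes keys to
        self.pmk_cache = {}               # PMKID -> (PMK, identity); RAM only
        self.eap_runs = 0                 # how often a client had to do full EAP here

    def full_auth(self, spa: bytes, user: str, credential: bytes) -> bytes:
        """Steps 1-2: client runs EAP, RADIUS hands this AP the PMK, and the
        4-way handshake (not modelled) derives the PTK from it."""
        self.eap_runs += 1
        pmk = eap_authenticate(user, credential)
        self.pmk_cache[pmkid(pmk, self.bssid, spa)] = (pmk, user)
        self.push_to_neighbors(pmk, spa, user)
        return pmk

    def push_to_neighbors(self, pmk: bytes, spa: bytes, user: str) -> None:
        """Step 3: distribute PMK and identity before any roam happens. Each
        neighbor files it under the PMKID the client will compute for *that*
        neighbor's BSSID, which is exactly what OKC relies on."""
        for nbr in self.neighbors:
            nbr.pmk_cache[pmkid(pmk, nbr.bssid, spa)] = (pmk, user)

    def reassociate(self, spa: bytes, client_pmk: bytes, user: str, credential: bytes):
        """The client offers PMKID(PMK, this BSSID, its MAC). A cache hit lets
        the AP go straight to the 4-way handshake ("fast"); a miss means the
        whole 802.1X/EAP exchange again ("full"), as with autonomous APs."""
        offered = pmkid(client_pmk, self.bssid, spa)
        hit = self.pmk_cache.get(offered)
        if hit is not None:
            return "fast", hit[1]
        self.full_auth(spa, user, credential)
        return "full", user
```

Note that the identity travels with the key: the neighbor that answers "fast" also knows who the client is, which is what lets it apply the user's firewall and QoS policy from the first frame after the roam rather than after a fresh RADIUS round trip.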