Fast roaming in a wireless network using per-STA pairwise master keys shared across participating access points
Abstract
A fast roaming (handoff) service is provided for a WLAN infrastructure. A given mobile station (STA) obtains a pairwise master key (PMK) when it associates with an access point (AP) in the infrastructure. A neighbor graph identifies prospective APs to which the STA may then roam. At initialization, preferably the neighbor graph is fully-connected (i.e., each AP is assumed to be connected to every other AP). The PMK (obtained by the STA initially) is shared proactively with the neighbor APs as indicated in the neighbor graph. Thus, when the STA roams to a neighbor AP, because the PMK is already available, there is no requirement that the STA initiate a real-time request to an authentication server to re-associate to the new AP. Further, the new AP causes an update to the neighbor graph information implicitly by simply issuing a notification that it is now handling the STA that arrived from the prior AP; in this manner, the prior AP is confirmed as a neighbor, but there is no requirement for any inter-AP dialog before a given neighbor graph is updated. As roaming occurs the neighbor graph is pruned down (to reflect the actual neighbor AP connections) using the implicit notification data.
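To make the abstract's control flow concrete, the following is an added Python model of the controller's side of the scheme; it is not code from the patent or from any product, and the AP names, PMK values, and the moment at which pruning is run are constructed assumptions.

```python
class RoamController:
    def __init__(self, aps):
        self.aps = set(aps)
        # Initial neighbor graph is fully connected: every AP is assumed a neighbor of every other.
        self.graph = {a: self.aps - {a} for a in self.aps}
        # Links confirmed by the implicit notification a new AP sends after a re-association.
        self.confirmed = {a: set() for a in self.aps}
        self.pmk = {}      # sta -> PMK the STA obtained from the AS at first association
        self.holders = {}  # sta -> APs that have been given that PMK

    def on_associate(self, sta, ap, pmk):
        """First AP reports that the STA associated with a PMK from the AS and forwards it."""
        self.pmk[sta] = pmk
        self.holders[sta] = {ap}
        self._share_pmk(sta, ap)

    def _share_pmk(self, sta, ap):
        # Proactively push the PMK to every AP the graph currently lists as a neighbor of `ap`.
        self.holders[sta] |= self.graph[ap]

    def can_fast_roam(self, sta, ap):
        """True if `ap` already holds the STA's PMK, so no real-time round trip to the AS is needed."""
        return ap in self.holders.get(sta, set())

    def on_reassociate(self, sta, new_ap, prev_ap):
        """new_ap notifies that the STA arrived from prev_ap; prev_ap is thereby confirmed as a neighbor."""
        if not self.can_fast_roam(sta, new_ap):
            raise ValueError(f"{new_ap} lacks the PMK for {sta}; STA must authenticate to the AS")
        self.confirmed[new_ap].add(prev_ap)
        self.confirmed[prev_ap].add(new_ap)
        self._share_pmk(sta, new_ap)

    def prune(self):
        """Replace the assumed full mesh with the links confirmed so far (trigger is an assumption)."""
        self.graph = {a: set(self.confirmed[a]) for a in self.aps}


def demo():
    c = RoamController(["A", "B", "C", "D"])  # constructed topology
    c.on_associate("sta1", "A", "pmk-1")      # constructed PMK value
    initial_spread = len(c.holders["sta1"])   # full mesh: all four APs receive the key
    c.on_reassociate("sta1", "B", "A")
    c.on_reassociate("sta1", "C", "B")
    c.prune()
    c.on_associate("sta2", "A", "pmk-2")      # after pruning only A's confirmed neighbor B gets it
    return initial_spread, sorted(c.holders["sta2"]), c.can_fast_roam("sta2", "D"), c.graph
```

The model makes the trade-off visible: before pruning, a single association spreads the PMK to every AP, and only the implicit notifications narrow that distribution to the APs the STA actually roams between.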
20 Claims
1. In a wireless network having a set of access points (APs) each having a predetermined service area, a station (STA) that receives a communication service by associating with APs in the set, an authentication server (AS) that authenticates the STA, and a controller that maintains a data structure identifying prospective APs to which the STA may roam, a method, comprising:
associating the STA to the first AP by obtaining a security key from the AS;
after the first AP reports to the controller that the STA has associated to the first AP using the security key obtained from the AS, forwarding the security key to the controller;
while the STA is associated with the first AP, forwarding the security key from the controller to at least a second AP in the set as identified by the data structure; and
re-associating the STA at the second AP using the security key and without requiring the STA to authenticate back to the AS; and
after re-associating, updating the data structure by notifying the controller that the first AP is a neighbor of the second AP. (Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. A controller for use in a wireless network, the network having a set of access points (APs) each having a predetermined service area, wherein mobile stations (STA) receive a communication service by associating with APs in the set, and wherein an authentication server (AS) is used to authenticate the mobile stations, comprising:
a data store in which a data structure is stored, the data structure comprising a connection graph describing how each AP in the set of access points is connected to other APs in the set;
code, executable by a processor, responsive to receipt of an association message that the station has associated to a first AP using a security key obtained from the AS, for receiving the security key from the first AP and forwarding the security key to a set of one or more other APs in the set as identified in the connection graph, and code, executable by the processor, responsive to receipt of a re-association message from a second AP that indicates that the station has associated with the second AP, for updating the connection graph to indicate that the second AP is connected to the first AP. (Dependent claims: 10, 11, 12, 13)
14. A system, comprising:
a set of access points, each access point having a predetermined service area; and
a controller, comprising:
a data store in which a data structure is stored, the data structure comprising a connection graph describing how each AP in the set of access points is connected to other APs in the set;
code, executable by a processor, responsive to receipt of a first message that the station has associated to a first AP using a security key, for receiving the security key from the first AP and forwarding the security key to a set of one or more other APs in the set as identified in the connection graph, and code, executable by the processor, responsive to receipt of a second message from a second AP that indicates that the station has associated with the second AP, for updating the connection graph to indicate that the second AP is connected to the first AP;
wherein the second AP comprises code, executable by a processor, for receiving from the station a third message and responding to the third message with a fourth message so that the station is not required to obtain a new security key, and for thereafter issuing the second message to the controller, wherein the second message includes a data field indicating that the station last visited the first AP. (Dependent claims: 15, 16, 17, 18, 19, 20)