Cisco 8.3 Adaptive Fast Transition at the Packet Level

Background

When a station roams, it disconnects from the current AP and then authenticates and associates to a new AP. When the WLAN is configured with 802.1X, authentication is slowed down by the fact that the session keys have to be created. These are the Master Session Key, Pairwise Master Keys, Pairwise Transient Keys, and Group Temporal Keys. The majority of the time is spent creating the PMK. This delay in the authentication process causes issues for time-sensitive traffic, such as voice.

802.11r Fast Transition was implemented to address this issue. Fast Transition allows a station to maintain its connection to its current AP while setting up the PMK on another AP. Once it has the PMK, it disconnects from the old AP and re-associates to the new AP. The client and new AP then create the PTK and GTK from the PMK. This eliminates a lot of the downtime because the client already has the PMK and doesn’t have to go through the whole RADIUS authentication piece again.

In order to implement Fast Transition, a new Authentication Key Management Suite (FT) was used. However, only clients that supported 802.11r were able to connect to a WLAN with Fast Transition enabled. Then mixed-mode Fast Transition came out. This version used two Authentication Key Management Suites, the original WPA and the new FT. This was supposed to allow clients to use one AKM or the other. However, it turned out to be problematic for certain clients.

 

Adaptive Fast Transition

In an effort to increase compatibility, Adaptive Fast Transition initially uses only “non-Fast Transition”. The AP sends Beacons and Probe Responses with Authentication Key Management set to WPA in the RSN information element. Those Beacon and Probe Response frames also include Mobility Domain information. Clients that are 802.11r capable and see Mobility Domain information in Beacons and Probe Responses will then send FT Association Requests. The AP will then switch to FT and send additional Mobility Domain and Fast BSS Transition information in the Association Response. This allows both 802.11r and non-802.11r clients to co-exist on the same WLAN.

 


Beacon Frame with Fast Transition Disabled.  Notice WPA as the Authentication Key Management

 


Beacon Frame with Fast Transition Enabled.  Notice FT as the Authentication Key Management

 


Beacon Frame with Fast Transition Mixed Mode.  Notice how both Suites (WPA and FT) are being used for Authentication Key Management

 


Beacon Frame with Adaptive Fast Transition.  Notice that Authentication Key Management is still using WPA in Beacon/Probe Responses.

 


Association Request shows client sending FT for Auth Key Management when Mobility Domain is present in Beacon/Probe Responses.

(Same for Fast Transition, Mixed-mode Fast Transition, and Adaptive Fast Transition.)

 


Association Request without Mobility Domain information (FT Disabled) in the Beacon/Probe Response is sent with WPA for Auth Key Management

 


Association Response from an FT Association Request includes Mobility Domain information and Fast BSS Transition, which are not present when Fast Transition is Disabled.

 


Association Response from non-FT Association Request does not include Mobility Domain or Fast BSS Transition information.
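The four Beacon cases described above can be told apart programmatically from the RSN element's AKM list and the presence of a Mobility Domain element. The following is an added example, not part of the original captures or any Cisco tooling; the function names and the sample bytes are constructed for illustration, and the AKM selectors and element IDs are the standard IEEE 802.11 values.

```python
import struct

OUI = b"\x00\x0f\xac"                      # IEEE 802.11 suite selector OUI
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}
EID_RSN, EID_MDIE = 48, 54                 # RSN and Mobility Domain element IDs

def elements(tagged):
    """Yield (id, body) for each information element; stop if truncated."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        if pos + 2 + length > len(tagged):
            return
        yield eid, tagged[pos + 2:pos + 2 + length]
        pos += 2 + length

def rsn_akms(body):
    """AKM suite names from an RSN element body (empty list if malformed)."""
    try:
        (n_pairwise,) = struct.unpack_from("<H", body, 6)  # after version + group cipher
        pos = 8 + 4 * n_pairwise
        (n_akm,) = struct.unpack_from("<H", body, pos)
    except struct.error:
        return []
    suites = [body[pos + 2 + 4 * i:pos + 6 + 4 * i] for i in range(n_akm)]
    return [AKM.get(s[3], "other") if s[:3] == OUI else "vendor"
            for s in suites if len(s) == 4]

def ft_mode(tagged):
    """Classify Beacon/Probe Response tagged parameters into the four cases."""
    akms, mobility_domain = [], False
    for eid, body in elements(tagged):
        if eid == EID_RSN:
            akms = rsn_akms(body)
        elif eid == EID_MDIE:
            mobility_domain = True
    ft = any(a.startswith("FT-") for a in akms)
    legacy = any(not a.startswith("FT-") for a in akms)
    if ft:
        return "mixed" if legacy else "ft"
    # Non-FT AKM only: a Mobility Domain element is the adaptive hint to 802.11r clients
    return "adaptive" if mobility_domain and legacy else "disabled"

# Constructed sample elements (not taken from the article's captures).
def rsn(*akm_types):
    body = b"\x01\x00" + OUI + b"\x04" + b"\x01\x00" + OUI + b"\x04"  # v1, CCMP group/pairwise
    body += struct.pack("<H", len(akm_types)) + b"".join(OUI + bytes([t]) for t in akm_types)
    return bytes([EID_RSN, len(body) + 2]) + body + b"\x00\x00"      # + RSN capabilities

MDIE = bytes([EID_MDIE, 3]) + b"\x34\x12\x00"   # constructed MDID 0x1234, no FT capability bits
```

Feeding it the tagged parameters of a captured Beacon gives a quick audit of which mode a WLAN is actually advertising, independent of what the controller configuration says.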

 

 

Here is a screenshot of how to configure Adaptive Fast Transition on 8.3.