A network administrator is configuring a VSC that enforces WPA2 with preshared keys (PSK) on
an HP Controller. The VSC must support Voice over IP (VoIP) applications, so the network
administrator enables opportunistic key caching to support fast roaming. When the network
administrator saves the VSC settings, an error indicates 802.1X is required.
How should the network administrator resolve this error?
A. By purchasing a premium mobility license for the controller, which will allow the controller to
support opportunistic key caching with 802.1X.
B. By enabling 802.1X but leaving the WPA2 key source set to static so that both forms of
authentication are supported.
C. By enabling wireless mobility as an authentication method for meeting the fast roaming
requirements.
D. By enabling opportunistic key caching: this feature is not required for fast roaming in a VSC
such as this.
Explanation:
Student Guide Book 1 – Implementing and Troubleshooting HP Wireless Networks – Page 3-77
Fast roaming
– 802.1X with WPA2 is the most secure option, but slows the roaming process
– MSM Mobility and Premium Mobility Controllers support opportunistic key caching:
• APs send encryption keys for clients that might need to roam to other APs.
• When the client roams, the new AP checks the key instead of enforcing authentication.
Figure 3-50: Fast roaming

Although WPA with 802.1X strengthens security for wireless communications, it has one drawback: it increases the time required to roam from one AP to another because the station must reauthenticate with the new AP and agree on encryption keys. In fact, 802.1X re-authentication is the most time-intensive part of the roaming process.

To reduce this latency, an MSM Mobility or Premium Mobility Controller applies opportunistic key caching. When a client sends a disassociation frame to its AP to signal that it is going to roam away from it, the AP sends the client's key (more precisely, its pairwise master key [PMK], as you will learn in the next module) to neighboring APs through the backend Ethernet network. The new AP receives the client's association request. Rather than implement the full 802.1X authentication process, the AP proceeds directly to a brief handshake in which it verifies that the client is using the correct PMK. The client must also support opportunistic key caching so that it keeps the key for the new association.

Opportunistic key caching provides the following benefits to clients that support it:
- Eliminates delays associated with reauthentication
- Provides hand-offs in less than 50 ms, as required for time-sensitive services such as voice
- Preserves a user's RADIUS-assigned parameters such as security, QoS, and VLAN, enabling a smooth transition of all services to which the user has access

Note that VSCs that do not implement 802.1X authentication neither support—nor require—opportunistic key caching for achieving roams under 50 ms. For example, in a VSC with no authentication and encryption, the client simply needs to associate to the new AP. For a VSC that enforces WPA/WPA2-PSK, all APs and clients already know the PMK.
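
The two cases in the explanation, as an added example that is not from the HP student guide: with PSK every AP derives the same PMK from the passphrase and SSID, while with 802.1X the new AP can skip reauthentication only if the client's PMK was forwarded to it. It uses the standard IEEE 802.11 PMK and PMKID derivations; the `AccessPoint` class, function names, MAC addresses and the random PMK standing in for an EAP-derived key are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, bssid: bytes, sta: bytes) -> bytes:
    # PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || station MAC)
    return hmac.new(pmk, b"PMK Name" + bssid + sta, hashlib.sha1).digest()[:16]

class AccessPoint:  # hypothetical model, not HP controller code
    def __init__(self, bssid: bytes):
        self.bssid = bssid
        self.pmk_cache = {}  # station MAC -> PMK received from a neighboring AP

    def receive_pmk(self, sta: bytes, pmk: bytes) -> None:
        self.pmk_cache[sta] = pmk

    def reassociate(self, sta: bytes, offered_pmkid: bytes) -> str:
        pmk = self.pmk_cache.get(sta)
        if pmk and hmac.compare_digest(pmkid(pmk, self.bssid, sta), offered_pmkid):
            return "4-way handshake only"      # cached PMK matches: skip 802.1X
        return "full 802.1X authentication"    # no usable cached key

def roam_8021x(share_key: bool) -> str:
    sta = bytes.fromhex("020000000001")        # constructed MAC addresses
    ap1 = AccessPoint(bytes.fromhex("0200000000a1"))
    ap2 = AccessPoint(bytes.fromhex("0200000000a2"))
    pmk = os.urandom(32)                       # stand-in for the PMK from 802.1X/EAP at ap1
    ap1.receive_pmk(sta, pmk)
    if share_key:                              # opportunistic key caching: ap1 forwards the PMK
        ap2.receive_pmk(sta, ap1.pmk_cache[sta])
    # The client reuses its PMK and computes the PMKID for the new AP's BSSID.
    return ap2.reassociate(sta, pmkid(pmk, ap2.bssid, sta))

if __name__ == "__main__":
    print("802.1X, key not forwarded:", roam_8021x(False))
    print("802.1X, key forwarded    :", roam_8021x(True))
    # PSK: any AP computes this same value on its own, so there is nothing to forward.
    print("PSK PMK:", psk_pmk("password", "IEEE").hex())
```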