What is Opportunistic Key Caching (OKC)?

Opportunistic Key Caching is a fast roaming feature built upon the PMK caching feature of 802.11 security.

When a WLAN is configured for WPA2-Enterprise, a client's association on that WLAN proceeds in three stages:

  1. 802.11 Authentication and Association messages are exchanged between the AP and the client
  2. 802.1X EAP authentication, in which the client presents its credentials (username/password, certificate, SIM-based, etc.) and the AP relays them to a RADIUS server. This exchange is typically 8-14 messages long, depending on the EAP type used. At the end of it the client and the RADIUS server share a master key; the RADIUS server hands the resulting PMK to the AP, so both the AP and the client now hold the same PMK.
  3. WPA2 4-way handshake, in which the PMK is used to derive a per-session key (the PTK) that encrypts all traffic between the AP and the client.

Step #2 above involves many round trips to the RADIUS server and is the time-consuming part; until it completes, no data frames can be sent to or from that client. To speed this up, the standard's PMK caching lets the client and the AP skip this step entirely when both still 'remember' the PMK from a previous association on that same AP: the client includes the PMKID (a hash of the PMK bound to the AP's BSSID and the client's MAC) in its association request, and if the AP finds a matching cached PMK it goes straight to the WPA2 4-way handshake.

OKC extends this another step: once a client has completed 802.1X on one AP, the PMK is distributed automatically to all the APs on the network. When the client roams to any other AP, it computes the PMKID for that AP's BSSID from the same PMK; the new AP already holds the PMK, validates the PMKID, and the lengthy 802.1X/RADIUS exchange of step 2 is skipped, making the roam a lot faster. Note that OKC is a widely implemented vendor extension of PMK caching rather than part of the 802.11 standard itself.

The following diagram illustrates a client carrying out a complete connection on AP1, then a fast roam to AP2:

Most current mobile wireless clients support OKC, but some, particularly older devices, do not. OKC is also initiated by the client: during (re)association it advertises the PMKID it computed for the target AP, and the AP must find a PMK in its cache that matches it. If the client sends no PMKID, or either side lacks the PMK, the full 802.1X/RADIUS exchange runs as normal.
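To make the three stages, the PMKID check, and the roam concrete, here is a small added example in Python (not code from the original post or from any vendor's AP firmware). It uses the real 802.11 PMKID formula for WPA2, HMAC-SHA1-128(PMK, "PMK Name" || BSSID || client MAC), and models the AP-side cache lookup with and without OKC. The MAC addresses, the PMK value and the `Wlan` class are constructed for illustration only; real APs key their cache on the PMKID, which is equivalent to storing the PMK and recomputing it as done here.

```python
import hashlib
import hmac

# Constructed sample addresses for the example (not from the original page).
CLIENT = "aa:bb:cc:00:11:22"
AP1 = "02:00:00:00:00:01"
AP2 = "02:00:00:00:00:02"


def mac_bytes(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to its 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def pmkid(pmk: bytes, bssid: str, client_mac: str) -> bytes:
    """PMKID as defined by 802.11 for WPA2 (AKM 00-0F-AC:1):
    HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), i.e. the first 16 bytes.
    AA is the AP's BSSID and SPA the client's MAC, so one PMK yields a
    different PMKID on every AP; that is what lets the client offer a
    PMKID to an AP it has never authenticated on."""
    msg = b"PMK Name" + mac_bytes(bssid) + mac_bytes(client_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


class Wlan:
    """Toy model of the AP side: a per-AP PMK cache (plain PMK caching) plus
    a network-wide cache that is only populated when OKC is enabled."""

    def __init__(self, okc_enabled: bool):
        self.okc_enabled = okc_enabled
        self.ap_cache = {}        # bssid -> {client_mac: pmk}
        self.network_cache = {}   # client_mac -> pmk (synced to all APs)

    def full_8021x(self, bssid: str, client_mac: str, pmk: bytes) -> None:
        """Stands in for step 2: after EAP completes, RADIUS hands the PMK to
        the AP, which caches it. With OKC the PMK is also pushed to every AP."""
        self.ap_cache.setdefault(bssid, {})[client_mac] = pmk
        if self.okc_enabled:
            self.network_cache[client_mac] = pmk

    def associate(self, bssid: str, client_mac: str, client_pmk: bytes) -> str:
        """The client puts the PMKID it computed for *this* BSSID in its
        (re)association request. The AP looks for a cached PMK that produces
        the same PMKID; on a match step 2 is skipped."""
        offered = pmkid(client_pmk, bssid, client_mac)
        candidates = []
        if client_mac in self.ap_cache.get(bssid, {}):
            candidates.append(self.ap_cache[bssid][client_mac])
        if self.okc_enabled and client_mac in self.network_cache:
            candidates.append(self.network_cache[client_mac])
        for pmk in candidates:
            if hmac.compare_digest(pmkid(pmk, bssid, client_mac), offered):
                return "skip-802.1X"      # straight to the 4-way handshake
        return "full-802.1X"              # no PMKSA here: EAP/RADIUS again


def roam(okc_enabled: bool):
    """Full connection on AP1, then a reconnect to AP1, then a roam to AP2."""
    wlan = Wlan(okc_enabled)
    # Constructed PMK; in reality it is produced by the EAP method and
    # delivered to the AP by RADIUS.
    pmk = hashlib.sha256(b"example PMK, not a real key").digest()
    wlan.full_8021x(AP1, CLIENT, pmk)
    return (
        wlan.associate(AP1, CLIENT, pmk),   # same AP: plain PMK caching suffices
        wlan.associate(AP2, CLIENT, pmk),   # new AP: only OKC makes this fast
    )


if __name__ == "__main__":
    print("PMK caching only:", roam(False))   # ('skip-802.1X', 'full-802.1X')
    print("OKC enabled:     ", roam(True))    # ('skip-802.1X', 'skip-802.1X')
```

Without OKC the reconnect to AP1 is fast but the roam to AP2 falls back to full 802.1X; with OKC both are fast. A client that offers a PMKID derived from a stale or wrong PMK simply fails the lookup and is sent through the full exchange, which is the behaviour to expect when a client and AP disagree about the cached key.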

OKC can be configured under the wireless LAN advanced configuration settings. If WPA2-Enterprise is being used, we would recommend turning on OKC.
