1) At the link layer, 802.11 stations automatically sense changes in signal strength and will (re)associate with the AP offering the best signal. Link-layer authentication (open system or shared key or 802.1X) is repeated when this occurs. The IEEE 802.11f standard under development will enable multi-vendor association handoff by defining an inter-AP protocol and recommended practices, but until that's done, you are limited to proprietary methods in homogenous WLANs.
2) At the network layer, most hosts using DHCP automatically renew their IP leases when they sense an interface status change (like when the station reassociates). I say most, because behavior depends on the OS (more specifically, the TCP/IP stack). If you're supporting Windows ME/XP/2K PCs, this is probably what's happening to your users. When the IP address changes, the VPN tunnel must be re-established, requiring reauthentication of the VPN client. If you're using interactive client authentication, this isn't practical. Even if you're not, applications may be disrupted by reestablishment.
My guess is that what's bothering you is really #2, not #1. If so:
- You can use static IP assignments and treat all 802.11 stations as one big subnet. Probably not practical for you.
- You can allocate IPs from the same DHCP server, same pool, so stations keep the same IP when they renew. Use VLAN tags to logically group all the APs into one big subnet. This works up to a point, but eventually it doesn't scale.
- You can use a WLAN gateway that enables IPsec roaming by letting stations keep their existing IP when they move to another subnet. Details differ, but solutions include Bluesocket and ReefEdge.
- You can use a mobile VPN instead of your Checkpoint VPN - for example, NetMotion and Cranite Systems put client software on your stations, a server/controller somewhere in your network, and use proprietary tunnels to authenticate/encrypt traffic from roaming hosts without interruption.
- You may also want to look at some of the new "wireless switches" that have been announced - to see if and how they can help.
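As an added diagnostic example (not part of Lisa Phifer's answer and not any vendor's tooling), the Python script below correlates AP association events with DHCP server lease events to tell case #1 from case #2 for each station: a reassociation followed by a DHCPACK for the same IP is a link-layer roam only, while a reassociation followed by a DHCPACK for a different IP is the case that forces the VPN tunnel to be re-established. The log line formats, MAC addresses, IPs and the /16 per-AP-subnet assumption are all constructed for the example; adapt the two regular expressions to your own AP and DHCP syslog formats.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample logs (not from the page): station ...:01 roams between
# APs that share one DHCP pool, station ...:02 roams onto an AP in another
# subnet and gets a new lease.
AP_LOG = """\
2003-05-01T09:00:00 ap-1 assoc sta=00:11:22:33:44:01
2003-05-01T09:00:00 ap-1 assoc sta=00:11:22:33:44:02
2003-05-01T09:05:10 ap-2 reassoc sta=00:11:22:33:44:01
2003-05-01T09:07:30 ap-5 reassoc sta=00:11:22:33:44:02
2003-05-01T09:12:00 ap-3 reassoc sta=00:11:22:33:44:01
"""

DHCP_LOG = """\
2003-05-01T09:00:01 dhcpd DHCPACK on 10.1.0.20 to 00:11:22:33:44:01
2003-05-01T09:00:01 dhcpd DHCPACK on 10.1.0.21 to 00:11:22:33:44:02
2003-05-01T09:05:11 dhcpd DHCPACK on 10.1.0.20 to 00:11:22:33:44:01
2003-05-01T09:07:31 dhcpd DHCPACK on 10.2.0.37 to 00:11:22:33:44:02
2003-05-01T09:12:01 dhcpd DHCPACK on 10.1.0.20 to 00:11:22:33:44:01
"""

# Assumed (hypothetical) log formats; adjust to your AP and DHCP server.
AP_RE = re.compile(r"^(\S+) (\S+) (assoc|reassoc) sta=([0-9a-f:]{17})$")
DHCP_RE = re.compile(r"^(\S+) dhcpd DHCPACK on (\S+) to ([0-9a-f:]{17})$")


def parse_events(ap_log: str, dhcp_log: str):
    """Merge AP and DHCP log lines into one time-ordered list of
    (timestamp, kind, station MAC, value) tuples."""
    events = []
    for line in ap_log.splitlines():
        m = AP_RE.match(line)
        if m:
            ts, ap, kind, sta = m.groups()
            events.append((datetime.fromisoformat(ts), kind, sta, ap))
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts, ip, sta = m.groups()
            events.append((datetime.fromisoformat(ts), "dhcpack", sta, ip))
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second order
    return events


def analyze_roaming(events, prefixlen=16):
    """Per station: count link-layer roams, how many were followed by a
    lease on a different IP (forces VPN re-establishment), and how many
    of those crossed into a different subnet of the given prefix length."""
    stats = defaultdict(lambda: {"roams": 0, "ip_changes": 0, "subnet_changes": 0})
    current_ip = {}        # last leased IP per station
    pending_roam = set()   # stations that reassociated and have not renewed yet
    for _ts, kind, sta, value in events:
        if kind == "reassoc":
            stats[sta]["roams"] += 1
            pending_roam.add(sta)
        elif kind == "dhcpack":
            new_ip = ip_address(value)
            old_ip = current_ip.get(sta)
            if sta in pending_roam and old_ip is not None:
                pending_roam.discard(sta)
                if new_ip != old_ip:
                    stats[sta]["ip_changes"] += 1
                    old_net = ip_network(f"{old_ip}/{prefixlen}", strict=False)
                    new_net = ip_network(f"{new_ip}/{prefixlen}", strict=False)
                    if old_net != new_net:
                        stats[sta]["subnet_changes"] += 1
            current_ip[sta] = new_ip
    return dict(stats)


def diagnose(stats):
    """Map per-station counts onto the two cases in the answer above."""
    return {
        sta: ("#2: IP changed on roam, VPN tunnel must be re-established"
              if s["ip_changes"] else "#1 only: link-layer roam, IP kept")
        for sta, s in stats.items()
    }


if __name__ == "__main__":
    roam_stats = analyze_roaming(parse_events(AP_LOG, DHCP_LOG))
    for sta, verdict in diagnose(roam_stats).items():
        print(f"{sta}: {roam_stats[sta]} -> {verdict}")
```

Run it over a day of real AP and DHCP logs and the stations reported as "#2" are the ones whose users will see VPN reauthentication prompts after roaming; if every station comes back as "#1 only", the same-pool/VLAN approach in the answer is already in effect and the complaint lies elsewhere.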
Related Q&A from Lisa Phifer