1) At the link layer, 802.11 stations automatically sense changes in signal strength and will (re)associate with the AP offering the best signal. Link-layer authentication (open system or shared key or 802.1X) is repeated when this occurs. The IEEE 802.11f standard under development will enable multi-vendor association handoff by defining an inter-AP protocol and recommended practices, but until that's done, you are limited to proprietary methods in homogenous WLANs.
2) At the network layer, hosts using DHCP automatically renew their IP leases when they sense interface status change (like when the station reassociates). I say most, because behavior depends on the OS (more specifically, the TCP/IP stack). If you're supporting Windows ME/XP/2K PCs, this is probably what's happening to your users. When the IP address changes, the VPN tunnel must be re-established, requiring reauthentication of the VPN client. If you're using interactive client authentication, this isn't practical. Even if you're not, applications may be disrupted by reestablishment.
My guess is that what's bothering you is really #2, not #1. If so:
- You can use static IP assignments and treat all 802.11 stations as one big subnet. Probably not practical for you.
- You can allocate IPs from the same DHCP server, same pool, so stations keep the same IP when they renew. Use VLAN tags to logically group all the APs into one big subnet. This works up to a point, but eventually it doesn't scale.
- You can use a WLAN gateway that enables IPsec roaming by letting stations keep their existing IP when they move to another subnet. Details differ, but solutions include Bluesocket and ReefEdge.
- You can use a mobile VPN instead of your Checkpoint VPN ? for example, NetMotion and Cranite Systems put client software on your stations, a server/controller somewhere in your network, and use proprietary tunnels to authenticate/encrypt traffic from roaming hosts without interruption.
- You may also want to look at some of the new "wireless switches" that have been announced - to see if and how they can help.
This was first published in March 2003