Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Vendors that can support multi wireless access ports

I am trying to find vendors that can support "multi" wireless access ports across a campus and allow users to "roam" between the points without having to reauthenticate everytime they move buildings. The problem is that we use a Checkpoint VPN client and gateway and the IPSec protocol to connect. Are there any vendors out there that supply this type of infrastructure?
In your scenario, roaming occurs at two levels:

1) At the link layer, 802.11 stations automatically sense changes in signal strength and will (re)associate with the AP offering the best signal. Link-layer authentication (open system or shared key or 802.1X) is repeated when this occurs. The IEEE 802.11f standard under development will enable multi-vendor association handoff by defining an inter-AP protocol and recommended practices, but until that's done, you are limited to proprietary methods in homogenous WLANs.

2) At the network layer, hosts using DHCP automatically renew their IP leases when they sense interface status change (like when the station reassociates). I say most, because behavior depends on the OS (more specifically, the TCP/IP stack). If you're supporting Windows ME/XP/2K PCs, this is probably what's happening to your users. When the IP address changes, the VPN tunnel must be re-established, requiring reauthentication of the VPN client. If you're using interactive client authentication, this isn't practical. Even if you're not, applications may be disrupted by reestablishment.

My guess is that what's bothering you is really #2, not #1. If so:


  • You can use static IP assignments and treat all 802.11 stations as one big subnet. Probably not practical for you.
  • You can allocate IPs from the same DHCP server, same pool, so stations keep the same IP when they renew. Use VLAN tags to logically group all the APs into one big subnet. This works up to a point, but eventually it doesn't scale.
  • You can use a WLAN gateway that enables IPsec roaming by letting stations keep their existing IP when they move to another subnet. Details differ, but solutions include Bluesocket and ReefEdge.
  • You can use a mobile VPN instead of your Checkpoint VPN ? for example, NetMotion and Cranite Systems put client software on your stations, a server/controller somewhere in your network, and use proprietary tunnels to authenticate/encrypt traffic from roaming hosts without interruption.
  • You may also want to look at some of the new "wireless switches" that have been announced - to see if and how they can help.
This was last published in March 2003

Dig Deeper on Wireless LAN (WLAN)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.