Cisco Meraki Documentation

Pairwise Master Key and Opportunistic Key Caching - PMK and OKC

Described in the 802.11i standard (section 8.4.1.2.1), there exists a methodology by which clients undergoing an 802.1X authentication process can skip the EAP exchange whilst roaming between APs. This technique is known as PMK (Pairwise Master Key) caching.  

When a client first associates to an AP under an 802.1X authentication architecture, an EAP exchange takes place, followed by a 4-way handshake to verify encryption keys. Using PMK caching, an AP can cache the PMK produced by the EAP exchange, identified by its PMK ID, so that on subsequent authentications the EAP exchange is skipped, decreasing authentication time. The client thus proceeds immediately to the 4-way handshake upon reassociation with that AP, ensuring minimal latency whilst roaming. In this fashion, once a client undergoes the 802.1X authentication process on a specific AP, roams away to a different AP, and returns to reassociate to an AP to which it has previously associated, PMK caching decreases authentication time and enables optimal performance of latency-sensitive applications such as VoIP.


An extension of this technique is known as OKC (Opportunistic Key Caching), a method not defined in 802.11i but necessary to enable optimized roaming at layer 2 for client devices moving between APs. Using OKC, all APs on the same layer 2 network receive a copy of a client's PMK ID, enabling client devices authenticated via 802.1X to authenticate with decreased latency whilst roaming. In this fashion, even if a client has never associated to a given AP before, it can skip the EAP exchange and go straight to the 4-way handshake to verify encryption keys (as long as it has undergone the full 802.1X authentication with an AP on the same layer 2 network).
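The following added example (not Meraki's code) models the two caching behaviours described above. It derives the PMK ID as 802.11i specifies, as the first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA), then shows why a plain per-AP PMK cache only helps on an AP the client has already visited, while OKC, where the PMK is shared across the layer 2 network, lets a never-visited AP compute the matching PMK ID itself. The `Network` class, the "constructed" PMK derivation and the MAC addresses are assumptions for the simulation, not part of any real implementation.

```python
import hmac
import hashlib


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA).
    AA is the AP's BSSID, SPA is the client's MAC address, so the PMKID is
    bound to one (AP, client) pair even when the PMK is the same."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Network:
    """Simulated layer 2 network of APs (assumption, for illustration only).
    okc=False: each AP keeps its own PMK cache keyed by PMKID.
    okc=True : a PMK learned on any AP is shared with every AP on the network."""

    def __init__(self, bssids, okc):
        self.okc = okc
        self.per_ap = {b: {} for b in bssids}  # {bssid: {pmkid: pmk}}
        self.shared = {}                       # OKC store: {client_mac: pmk}

    def full_8021x(self, bssid, client, seed):
        """Stand-in for a completed EAP exchange. A real PMK comes from the EAP MSK;
        here it is constructed from a seed so the example runs offline."""
        pmk = hashlib.sha256(b"constructed-msk:" + seed).digest()
        self.per_ap[bssid][pmkid(pmk, bssid, client)] = pmk
        if self.okc:
            self.shared[client] = pmk
        return pmk

    def reassociate(self, bssid, client, pmk):
        """The client lists the PMKID it computes for this AP in its (Re)Association
        Request RSN IE; the AP decides whether EAP can be skipped."""
        offered = pmkid(pmk, bssid, client)
        if offered in self.per_ap[bssid]:
            return "4-way handshake (PMK cache hit)"
        cached = self.shared.get(client)
        if self.okc and cached and pmkid(cached, bssid, client) == offered:
            self.per_ap[bssid][offered] = cached  # AP now caches it locally too
            return "4-way handshake (OKC hit)"
        return "full EAP exchange"


if __name__ == "__main__":
    ap1, ap2, sta = b"\x00\x11\x22\x33\x44\x01", b"\x00\x11\x22\x33\x44\x02", b"\xaa\xbb\xcc\xdd\xee\x01"
    net = Network([ap1, ap2], okc=True)
    key = net.full_8021x(ap1, sta, b"session-1")
    print("roam to AP2 with OKC:", net.reassociate(ap2, sta, key))
```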


For more information on PMK and OKC implementation on Meraki APs, please refer to our documentation on Roaming Technologies.