
Pairwise Master Key and Opportunistic Key Caching - PMK and OKC


The 802.11i standard (section 8.4.1.2.1) describes a mechanism by which clients using 802.1x authentication can skip the EAP exchange while roaming between APs. This technique is known as PMK (Pairwise Master Key) caching.

When a client first associates to an AP under an 802.1x authentication architecture, an EAP exchange takes place, followed by a 4-way handshake to verify encryption keys. With PMK caching, the AP caches the PMK produced by that EAP exchange, identified by its PMK identifier (PMKID), so that on subsequent authentications the EAP exchange is skipped and authentication time decreases. The client proceeds straight to the 4-way handshake upon reassociation with that AP, keeping roaming latency to a minimum. In this fashion, once a client undergoes the 802.1x authentication process on a specific AP, roams away to a different AP, and then returns to an AP to which it has previously associated, PMK caching decreases authentication time and enables optimal performance of latency-sensitive applications such as VoIP.


An extension of this technique is known as OKC (Opportunistic Key Caching), a method not defined in 802.11i but necessary for optimized layer 2 roaming by client devices moving between APs. With OKC, all APs on the same layer 2 network receive a copy of the client's PMK identifier, enabling clients authenticated via 802.1x to reauthenticate with decreased latency while roaming. In this fashion, even if the target AP has never seen the client before, the client can skip the EAP exchange and go straight to the 4-way handshake to verify encryption keys (as long as it has completed the full 802.1x authentication with an AP on the same layer 2 network).
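The following is an added example that is not part of the original Meraki article and is not Meraki code; it models the PMK caching and OKC behaviour described in the two paragraphs above. The `pmkid()` function is the 802.11i derivation `HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)` used by the original WPA2 AKMs. Everything else (the `AccessPoint`, `Station` and `roam_sequence` helpers, the shared `okc_domain` dictionary standing in for whatever distributes the PMK across APs on one layer 2 network, and the MAC addresses and random PMK) is a constructed simulation, not how any particular vendor implements it.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).

    AA is the authenticator (AP) MAC, SPA the supplicant (client) MAC. This is
    the 802.11i derivation for the original WPA2 AKMs (SHA-256 AKMs use
    HMAC-SHA-256). The client carries this value in the RSN IE of its
    (re)association request to name the PMK it proposes to reuse.
    """
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class AccessPoint:
    """AP-side PMKSA cache (constructed model).

    okc_domain is a dict shared by every AP on the same layer 2 network, a
    hypothetical stand-in for the mechanism that distributes the PMK between
    APs; None means plain PMK caching with nothing shared.
    """

    def __init__(self, bssid: bytes, okc_domain: Optional[Dict[bytes, bytes]] = None):
        self.bssid = bssid
        self.pmksa: Dict[bytes, bytes] = {}  # PMKID -> PMK, from events on this AP only
        self.okc_domain = okc_domain         # STA MAC -> PMK, shared across the L2 network

    def full_authentication(self, spa: bytes) -> bytes:
        # Stand-in for the EAP exchange: in reality the AAA server delivers the
        # MSK and the PMK is derived from it. A constructed random PMK here.
        pmk = os.urandom(32)
        self.pmksa[pmkid(pmk, self.bssid, spa)] = pmk
        if self.okc_domain is not None:
            self.okc_domain[spa] = pmk  # OKC: make the PMK available to peer APs
        return pmk

    def reassociate(self, spa: bytes, offered: bytes) -> str:
        # PMK caching: this AP has already seen this client complete EAP.
        if offered in self.pmksa:
            return "4-way handshake"
        # OKC: this AP has never seen the client, but a peer AP on the same
        # layer 2 network has. Recompute the PMKID for *this* BSSID and check
        # that it matches what the client offered before trusting the PMK.
        if self.okc_domain is not None and spa in self.okc_domain:
            pmk = self.okc_domain[spa]
            if hmac.compare_digest(pmkid(pmk, self.bssid, spa), offered):
                self.pmksa[offered] = pmk
                return "4-way handshake"
        return "full EAP exchange"


class Station:
    """Client-side PMKSA cache keyed by BSSID, plus the most recent PMK for the
    ESS, which an OKC-capable client offers opportunistically on a new BSSID."""

    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmksa: Dict[bytes, bytes] = {}  # BSSID -> PMK
        self.last_pmk: Optional[bytes] = None

    def roam_to(self, ap: AccessPoint) -> str:
        pmk = self.pmksa.get(ap.bssid, self.last_pmk)
        if pmk is not None:
            result = ap.reassociate(self.mac, pmkid(pmk, ap.bssid, self.mac))
            if result == "4-way handshake":
                self.pmksa[ap.bssid] = pmk
                return result
        # No usable cached PMK on either side: fall back to the full exchange.
        self.last_pmk = self.pmksa[ap.bssid] = ap.full_authentication(self.mac)
        return "full EAP exchange"


def roam_sequence(okc: bool) -> List[str]:
    """Client authenticates on AP1, roams to AP2, then returns to AP1.
    Returns which exchange took place at each step."""
    domain: Optional[Dict[bytes, bytes]] = {} if okc else None
    ap1 = AccessPoint(bytes.fromhex("020000000001"), domain)  # constructed BSSIDs
    ap2 = AccessPoint(bytes.fromhex("020000000002"), domain)
    sta = Station(bytes.fromhex("02aabbccdd01"))               # constructed client MAC
    return [sta.roam_to(ap1), sta.roam_to(ap2), sta.roam_to(ap1)]


if __name__ == "__main__":
    print("PMK caching only:", roam_sequence(okc=False))
    print("with OKC:        ", roam_sequence(okc=True))
```

With plain PMK caching the second step (first visit to AP2) still costs a full EAP exchange and only the return to AP1 is fast; with OKC the PMK is already known to AP2, so both roams go straight to the 4-way handshake. The AP recomputes the PMKID for its own BSSID rather than trusting the offered value, which is what ties a cached key to the specific AP and client pair.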


For more information on PMK and OKC implementation on Meraki APs, please refer to our documentation on Roaming Technologies.

Last modified
12:59, 25 Oct 2016


Article ID

ID: 1646
