This article applies to all the controllers running AOS version 18.104.22.168 and higher.
When a client (STA) connects to a WLAN network, it undergoes complete 802.1X authentication and obtains PMKID #1. When this STA roams to another AP, the following sequence of events takes place:
1. PMKID #1 is forwarded by the WLAN controller to the target AP (the AP to which the client roams).
2. The roaming STA calculates a new PMKID #2 using the original PMK #1 + target AP MAC address + STA MAC address. The STA sends a re-association request frame to the target AP with this PMKID #2.
3. The target AP looks at the MAC address of the STA that just sent the re-association request and calculates PMKID #2 using the same formula the STA used in step 2. The AP responds with a re-association response.
4. 802.1X/EAP is skipped, the 4-way handshake completes, and the final encryption keys (PTK and GTK) are generated to encrypt/decrypt user traffic.
NOTE: The PMKID should be sent in the (re)association packet for OKC to work. Some OKC-capable clients may not send the PMKID in their (re)association packets. To interoperate with such clients, the Aruba controller checks whether a PMKID has been cached for the client's MAC address. If one is found, OKC is performed.