N10-009 | Chapter 67 of 163 | Objective 2.2

Wireless Roaming: BSS, ESS, and Fast Roaming

This chapter covers wireless roaming concepts essential for the CompTIA Network+ N10-009 exam, including Basic Service Set (BSS), Extended Service Set (ESS), and fast roaming protocols. Understanding these topics is critical because roaming directly impacts user experience in enterprise Wi-Fi networks, and exam questions frequently test the differences between BSS and ESS, as well as the mechanisms of fast roaming such as 802.11r. Approximately 5-10% of the Network Implementation domain questions touch on wireless roaming, making this a high-yield area for study.

Updated May 31, 2026

Roaming Like a Cellular Handoff

Imagine you are walking through a large office building while on a phone call using a cordless phone. The building has multiple base stations, each covering a specific zone. As you move from one zone to another, your phone must switch from the current base station to the next without dropping the call. This is similar to a wireless client roaming between access points (APs) in a wireless LAN. In the cellular analogy, when you move from one cell tower's coverage area to another, the network performs a handoff. The phone continuously measures signal strength from nearby towers and reports to the current tower. When a better signal is detected, the network coordinates the transfer, reassigning the call to the new tower. In Wi-Fi, the client makes the roaming decision based on signal quality, but the APs must support fast roaming mechanisms like 802.11r to avoid delays. Without fast roaming, the client must complete a full authentication and association with the new AP, causing a noticeable gap. With 802.11r, the client uses a cached key from the initial authentication to quickly re-authenticate, just as a cellular network uses a visitor location register to quickly hand off the call. The analogy breaks down slightly because cellular handoffs are network-initiated, while Wi-Fi roaming is client-initiated, but the goal is the same: maintain seamless connectivity as you move.

How It Actually Works

What is Wireless Roaming?

Wireless roaming refers to the process by which a Wi-Fi client moves from one access point (AP) to another while maintaining an active network connection. In a wireless LAN, each AP creates a Basic Service Set (BSS), which is a coverage area identified by a BSSID (the MAC address of the AP's radio). When multiple APs are connected to the same wired network and share the same SSID (network name), they form an Extended Service Set (ESS). Roaming within an ESS allows a client to move seamlessly between APs without re-authenticating to the network, provided the roaming is handled correctly.

Why Roaming Exists

Roaming is necessary because Wi-Fi has limited range. An AP typically covers 30-50 meters indoors. In large environments like offices, campuses, or hospitals, multiple APs are deployed to provide continuous coverage. Without roaming, a client would need to disconnect from one AP and manually connect to another, causing service interruption. Roaming automates this transition, enabling mobility for voice calls, video streaming, and real-time applications.

How Roaming Works – Layer 2 and Layer 3

Roaming can occur at Layer 2 (same subnet) or Layer 3 (different subnets). Layer 2 roaming is simpler: the client's IP address remains the same because all APs are on the same VLAN/subnet. The client simply reassociates with a new AP, and the switch learns the new MAC-to-port mapping via transparent bridging. Layer 3 roaming requires the client to obtain a new IP address or use a tunneling protocol like CAPWAP to keep the original IP. Most enterprise Wi-Fi deployments use a controller-based architecture where the controller handles mobility, allowing Layer 3 roaming transparently.

Key Components and Values

BSSID: The MAC address of the AP's radio. Each BSS has a unique BSSID.

SSID: The network name shared by all APs in an ESS.

ESSID: Same as SSID; the identifier for the extended service set.

802.11r (Fast BSS Transition): A standard that reduces roaming latency by using a cached key derived from the initial authentication (PMK). It allows the client to perform a 4-way handshake with the new AP using the same PMK, skipping the full 802.1X/EAP authentication.

802.11k (Radio Resource Measurement): Enables clients to request neighbor reports from the current AP, providing a list of nearby APs with their channels and signal strengths. This helps clients make better roaming decisions.

802.11v (Wireless Network Management): Allows the AP to suggest roaming to a client based on network conditions (e.g., load balancing, BSS Transition Management).

Roaming Latency: The time it takes to complete the transition. For voice applications, latency should be below 50 ms. Without fast roaming, latency can exceed 100 ms due to full authentication.

PMK (Pairwise Master Key): Derived from the 802.1X authentication. With 802.11r, the PMK is cached and used for fast roaming.

Configuration and Verification Commands

On a Cisco wireless controller (WLC), fast roaming is configured under the WLAN settings:

config wlan security ft {enable|disable} {wlan_id}
config wlan security ft over-the-ds {enable|disable} {wlan_id}

To verify roaming behavior on a client, use:

show client detail <client_mac>

Look for fields like "Roaming History" or "FT Status". On a Linux client, to see the current BSSID and signal strength, use:

iw dev wlan0 link

For debugging, use:

iw dev wlan0 station dump

This shows roaming statistics like "connected time" and "signal avg".
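
The Linux check above can be scripted. The following is an added example, not part of the original chapter: it parses successive `iw dev wlan0 link` outputs, reports roams within the same SSID, and flags a client that stays on one BSSID below the -70 dBm trigger. The sample outputs, MAC addresses, the SSID "CorpNet" and the two-poll limit are constructed assumptions.

```python
import re

ROAM_THRESHOLD_DBM = -70  # roaming trigger threshold quoted in this chapter
STICKY_POLLS = 2          # assumption: polls below threshold before flagging


def link_text(bssid, ssid, freq, signal):
    """Build constructed text in the layout printed by `iw dev wlan0 link`."""
    return (f"Connected to {bssid} (on wlan0)\n\tSSID: {ssid}\n\tfreq: {freq}\n"
            f"\tsignal: {signal} dBm\n\ttx bitrate: 433.3 MBit/s\n")


# Constructed polls: (seconds since start, command output).
SAMPLES = [
    (0, link_text("02:00:00:00:01:01", "CorpNet", 5180, -55)),
    (5, link_text("02:00:00:00:01:01", "CorpNet", 5180, -72)),
    (10, link_text("02:00:00:00:01:01", "CorpNet", 5180, -76)),
    (15, link_text("02:00:00:00:01:02", "CorpNet", 5240, -58)),
    (20, "Not connected.\n"),
]


def parse_iw_link(text):
    """Return bssid/ssid/freq/signal as a dict, or None when not connected."""
    m = re.search(r"^Connected to ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", text, re.I | re.M)
    if not m:
        return None
    fields = dict(re.findall(r"^[ \t]*(SSID|freq|signal):[ \t]*(.+?)[ \t]*$", text, re.M))
    return {"bssid": m.group(1).lower(), "ssid": fields.get("SSID"),
            "freq": int(float(fields["freq"])),
            "signal": int(fields["signal"].split()[0])}


def roam_events(samples):
    """Turn a series of polls into roam, sticky and disconnect events."""
    events, prev, weak = [], None, 0
    for t, text in samples:
        cur = parse_iw_link(text)
        if cur is None:
            if prev is not None:
                events.append((t, "disconnected", prev["bssid"]))
            prev, weak = None, 0
            continue
        if prev and cur["bssid"] != prev["bssid"]:
            # Same SSID with a new BSSID is a roam inside the ESS.
            kind = "roam" if cur["ssid"] == prev["ssid"] else "new-network"
            events.append((t, kind, f'{prev["bssid"]} -> {cur["bssid"]}'))
            weak = 0
        weak = weak + 1 if cur["signal"] < ROAM_THRESHOLD_DBM else 0
        if weak == STICKY_POLLS:
            events.append((t, "sticky", cur["bssid"]))
        prev = cur
    return events


if __name__ == "__main__":
    for event in roam_events(SAMPLES):
        print(event)
```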

Interaction with Related Technologies

802.1X/EAP: Full authentication with a RADIUS server is performed only on initial connection. Fast roaming relies on cached PMKs to avoid re-authentication.

CAPWAP: In controller-based deployments, APs tunnel traffic to the controller. Roaming decisions are made by the controller, which can forward traffic to the new AP.

DHCP: Layer 3 roaming may require DHCP renewal. Some deployments use IP mobility or anchor controllers to preserve the IP address.

QoS: Roaming can affect QoS if latency spikes. Fast roaming protocols help maintain QoS for voice and video.

Fast Roaming Mechanisms

Over-the-Air (OTA) vs. Over-the-DS (DS): 802.11r defines two methods for key distribution. In OTA, the client receives the PMK during the initial authentication and uses it with the new AP over the air. In DS, the current AP forwards the PMK to the new AP via the distribution system (wired network). OTA is more common in enterprise deployments.

PMK Caching: The client and AP cache the PMK after initial 802.1X authentication. When roaming, the client sends a reassociation request with a PMKID derived from the cached PMK. The new AP checks its cache and, if found, proceeds with a 4-way handshake using the cached PMK, reducing latency.

Opportunistic Key Caching (OKC): A proprietary Cisco implementation that caches PMKs on all APs in the same mobility group. When a client roams, the new AP already has the PMK, so full authentication is skipped. OKC is similar to 802.11r but not standardized.

Timers and Thresholds

Roaming Trigger: Clients typically start scanning for a new AP when the signal strength drops below a threshold (e.g., -70 dBm) or the signal-to-noise ratio (SNR) falls below 25 dB.

Scan Time: Clients may scan all channels (2.4 GHz and 5 GHz) for nearby APs. This takes 100-500 ms depending on channel count.

Authentication Time: Full 802.1X authentication can take 300-1000 ms. Fast roaming reduces this to under 50 ms.

DHCP Time: If the client needs a new IP, DHCP can add 1-2 seconds. Layer 2 roaming avoids this.

Common Pitfalls

Sticky Clients: Clients that hold on to a weak signal instead of roaming. Use 802.11v to encourage roaming.

Channel Congestion: If the new AP's channel is congested, roaming may not improve performance.

Inconsistent SSID Configuration: All APs must have the same SSID, security settings, and VLAN assignment for seamless roaming.

Missing Fast Roaming Support: If the client or AP doesn't support 802.11r, roaming latency will be high.

Walk-Through

1. Client detects weak signal

The client continuously monitors the signal strength from its current AP. When the signal drops below a predefined threshold (commonly -70 dBm), or when the number of missed beacons exceeds a limit (e.g., 3 consecutive missed beacons), the client initiates a scan. The client may perform a background scan by briefly switching channels without disconnecting, or it may perform a full scan after disconnecting. The scan listens for beacon frames from other APs on all supported channels. This step is critical because premature or delayed scanning can cause connectivity issues.

2. Client selects candidate AP

After scanning, the client compiles a list of APs with the same SSID. It evaluates signal strength, channel utilization, and supported security methods. The client typically selects the AP with the highest signal strength (RSSI). However, with 802.11k, the current AP can provide a neighbor report that includes channel and load information, helping the client choose a less congested AP. The client then sends a probe request frame to the candidate AP to confirm it is still available and to gather additional information like supported rates and capabilities.

3. Client initiates re-association

The client sends a Reassociation Request frame to the new AP. This frame includes the MAC address of the old AP and the client's capabilities. If fast roaming is supported (802.11r), the request includes a PMKID (Pairwise Master Key Identifier) derived from the cached PMK. The client also includes the Mobility Domain Identifier (MDIE) to indicate it is roaming within the same ESS. The new AP checks its PMK cache for the corresponding key. If found, it proceeds to the 4-way handshake; otherwise, it triggers a full 802.1X authentication.

4. New AP authenticates client

If the PMK is cached, the new AP and client perform a 4-way handshake to derive session keys. This takes approximately 10-20 ms. If no cached PMK exists, the AP initiates 802.1X/EAP authentication with the RADIUS server, which can take 300-1000 ms. During this time, the client is not fully connected. The new AP then sends a Reassociation Response frame indicating success. The client is now associated with the new AP. At the link layer, the transition is complete.

5. Network updates forwarding tables

Once the client is associated with the new AP, the wired network must update its forwarding tables. In a switched network, the switch connected to the new AP learns the client's MAC address on the new port. The old switch will eventually age out the MAC entry (default aging time is 300 seconds). If the client's IP address remains the same (Layer 2 roaming), no further changes are needed. In a controller-based deployment, the controller updates its mobility database and may forward traffic to the new AP. For Layer 3 roaming, the controller may tunnel traffic to the original AP (anchor) or update routing. The client may also need to send a gratuitous ARP to update the network's ARP cache.
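
The cache check described under PMK Caching and in steps 3 and 4 above, as an added example that is not part of the original chapter. It uses the HMAC-SHA1 form of the PMKID from RSN PMK caching (the first 128 bits of HMAC-SHA1 over "PMK Name", the AP MAC and the client MAC) and does not model 802.11r's own key hierarchy. The class names, MAC addresses and sample PMK are hypothetical, constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass

PMK_CACHE_TTL_S = 24 * 3600  # 24-hour cache timeout, as in the hospital scenario


def mac_bytes(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' into its 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def pmkid(pmk, ap_bssid, client_mac):
    """First 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    msg = b"PMK Name" + mac_bytes(ap_bssid) + mac_bytes(client_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


@dataclass
class CacheEntry:
    pmk: bytes
    client_mac: str
    created: float


class ApPmkCache:
    """PMK cache held by one AP radio (one BSSID). Hypothetical class."""

    def __init__(self, bssid):
        self.bssid = bssid
        self._entries = {}  # PMKID (bytes) -> CacheEntry

    def store(self, pmk, client_mac, now):
        key = pmkid(pmk, self.bssid, client_mac)
        self._entries[key] = CacheEntry(pmk, client_mac, now)

    def handle_reassociation(self, client_mac, offered_pmkid, now):
        """Decide what follows a Reassociation Request carrying a PMKID."""
        entry = self._entries.get(offered_pmkid)
        if entry is None or entry.client_mac != client_mac:
            return "full-802.1X"      # cache miss: back to the RADIUS server
        if now - entry.created > PMK_CACHE_TTL_S:
            del self._entries[offered_pmkid]
            return "full-802.1X"      # cached key has expired
        return "4-way-handshake"      # cached PMK is reused


def demo():
    pmk = hashlib.sha256(b"constructed sample PMK").digest()  # 32-byte stand-in
    sta = "02:00:00:00:00:10"                                  # constructed MAC
    ap1, ap2, ap3 = (ApPmkCache(f"02:00:00:00:01:0{i}") for i in (1, 2, 3))
    ap1.store(pmk, sta, 0)  # initial full 802.1X at AP1
    ap2.store(pmk, sta, 0)  # PMK also made available to AP2
    return {
        "roam_to_ap2": ap2.handle_reassociation(sta, pmkid(pmk, ap2.bssid, sta), 60),
        "roam_to_ap3": ap3.handle_reassociation(sta, pmkid(pmk, ap3.bssid, sta), 60),
        "ap1_pmkid_at_ap2": ap2.handle_reassociation(sta, pmkid(pmk, ap1.bssid, sta), 60),
        "after_timeout": ap2.handle_reassociation(
            sta, pmkid(pmk, ap2.bssid, sta), PMK_CACHE_TTL_S + 1),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Because the AP's MAC address is an input to the PMKID, the identifier computed for one BSSID does not match the cache of another AP even when both hold the same PMK.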

What This Looks Like on the Job

Enterprise Scenario 1: Hospital with VoWiFi Phones

A large hospital deploys Wi-Fi for voice-over-Wi-Fi (VoWiFi) phones used by doctors and nurses. The network has over 200 APs across multiple floors. The primary requirement is seamless roaming with less than 50 ms latency to avoid call drops. The network uses 802.11r (Fast BSS Transition) and 802.11k for neighbor reports. The APs are configured with the same SSID and security (WPA2-Enterprise with PEAP). The controller enables fast roaming and sets the PMK cache timeout to 24 hours. During deployment, engineers discovered that some older phone models did not support 802.11r, causing call drops. They had to upgrade the phones or segment them onto a separate SSID without fast roaming. Properly configured, the roaming latency stays under 30 ms, ensuring clear calls even when moving between floors.

Enterprise Scenario 2: University Campus with High-Density

A university provides Wi-Fi for thousands of students in lecture halls, libraries, and dormitories. The network uses a controller-based architecture with APs on different subnets per building. Layer 3 roaming is handled by the controller using CAPWAP tunneling. The network uses 802.11v to encourage clients to roam to less congested APs. During peak hours, some clients stick to a weak AP because they don't scan aggressively. The engineers enable BSS Transition Management (802.11v) to send disassociation hints to clients with poor signal. They also set the RSSI threshold to -72 dBm for roaming triggers. Misconfiguration of the VLAN mapping caused some clients to lose connectivity when roaming between buildings because the new AP assigned a different VLAN. The fix was to ensure all APs in the same mobility group use the same VLAN for the SSID.

Enterprise Scenario 3: Retail Store with Inventory Tablets

A retail chain uses Wi-Fi tablets for inventory management. The store has 10 APs covering a 50,000 sq ft area. The tablets run a custom app that requires constant connectivity. The network uses WPA2-PSK with fast roaming (802.11r) to reduce latency. However, the tablets did not support 802.11r initially, so roaming took over 500 ms, causing the app to time out. The vendor released a firmware update enabling 802.11r, which reduced roaming to under 100 ms. The engineers also noticed that some tablets were roaming unnecessarily due to signal fluctuations. They adjusted the roaming aggressiveness setting on the tablets to medium. Additionally, they enabled PMK caching on the APs to avoid full re-authentication on each roam.

How N10-009 Actually Tests This

N10-009 Objective Coverage

This topic falls under Objective 2.2: "Given a scenario, deploy the appropriate wireless networking components." Specifically, the exam tests your understanding of:

BSS (Basic Service Set) vs. ESS (Extended Service Set)

Roaming concepts and the role of SSID and BSSID

Fast roaming protocols: 802.11r, 802.11k, 802.11v

The difference between Layer 2 and Layer 3 roaming

Common Wrong Answers

1. "Roaming always requires re-authentication with the RADIUS server." Candidates choose this because they think security is rechecked at every AP. In reality, with fast roaming (802.11r) or PMK caching, the client uses a cached key and does not contact the RADIUS server again.

2. "The AP decides when a client should roam." In Wi-Fi, the client makes the roaming decision. The AP can suggest roaming via 802.11v, but the client ultimately decides. Cellular networks are network-controlled, but Wi-Fi is client-controlled.

3. "All APs must have different SSIDs for roaming to work." The opposite is true. For seamless roaming, all APs must share the same SSID. Different SSIDs would require the client to disconnect and reconnect manually.

4. "Layer 3 roaming requires the client to get a new IP address." This is true if the client moves to a different subnet, but many controller-based deployments use tunneling (e.g., CAPWAP) to preserve the original IP, making it transparent to the client.

Specific Exam Values

BSSID is the MAC address of the AP radio.

ESSID is the same as SSID.

802.11r reduces roaming latency to under 50 ms.

802.11k provides neighbor reports.

802.11v allows AP to suggest roaming (BSS Transition Management).

Typical roaming trigger threshold: -70 dBm.

Edge Cases

If the client does not support 802.11r, it will perform full authentication, causing higher latency.

If the APs are on different channels, the client must scan those channels, adding delay.

If the SSID is configured with WPA3, fast roaming uses 802.11r with SAE (Simultaneous Authentication of Equals) for key exchange.

How to Eliminate Wrong Answers

If the question mentions "seamless roaming" and "low latency," look for keywords like 802.11r, fast BSS transition, or PMK caching.

If the question asks about which device decides to roam, the answer is the client, not the AP.

If the question involves multiple APs with the same SSID, it's an ESS. If only one AP, it's a BSS.

Key Takeaways

BSS is a single AP's coverage area; ESS is multiple APs sharing the same SSID.

Roaming in Wi-Fi is client-initiated, not AP-initiated.

802.11r (Fast BSS Transition) reduces roaming latency by using cached PMKs.

802.11k provides neighbor reports to help clients find better APs.

802.11v allows APs to suggest roaming to clients (BSS Transition Management).

Layer 2 roaming keeps the client's IP address; Layer 3 roaming may require a new IP or tunneling.

Typical roaming trigger threshold is -70 dBm signal strength.

PMK caching is key to fast roaming; it avoids full 802.1X authentication on each roam.

All APs in an ESS must have the same SSID and security settings for seamless roaming.

Without fast roaming, authentication latency can exceed 100 ms, causing disruptions for real-time applications.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Layer 2 Roaming

Client stays on the same IP subnet.

No DHCP renewal needed.

MAC address learning updates switch forwarding tables.

Simpler and faster transition.

Common in small to medium networks with a single VLAN.

Layer 3 Roaming

Client moves to a different IP subnet.

Client may need to obtain a new IP address via DHCP.

Requires tunneling (e.g., CAPWAP) or IP mobility to preserve the original IP.

More complex and may introduce higher latency.

Common in large networks with multiple VLANs per location.

Watch Out for These

Mistake: Roaming is always initiated by the access point.

Correct: In Wi-Fi, roaming is client-initiated. The client decides when to roam based on signal strength and other metrics. The AP can influence the decision via 802.11v, but it cannot force the client to roam.

Mistake: All APs in an ESS must have the same BSSID.

Correct: Each AP radio has a unique BSSID (its MAC address). The SSID is the same across the ESS, but BSSIDs are different. Clients use BSSID to identify specific APs.

Mistake: 802.11r eliminates the need for 802.1X authentication entirely.

Correct: 802.11r only speeds up the roaming process by using cached keys. The initial connection still requires full 802.1X authentication. Subsequent roams use the cached PMK.

Mistake: Layer 3 roaming requires the client to change its IP address.

Correct: While the client does move to a different subnet, many enterprise deployments use tunneling (e.g., CAPWAP) to keep the client's original IP address active, making Layer 3 roaming transparent.

Mistake: Roaming only works on the same channel.

Correct: Clients can roam to an AP on a different channel. The client must scan other channels, which adds latency, but it is supported. 802.11k can help by providing a list of APs with their channels, reducing scan time.


Frequently Asked Questions

What is the difference between BSS and ESS?

A Basic Service Set (BSS) is a single access point and its associated clients, identified by a BSSID (the AP's MAC address). An Extended Service Set (ESS) is a group of two or more BSSs (APs) that share the same SSID and are connected to the same wired network, allowing clients to roam between them. For the exam, remember that BSS is a single cell, ESS is multiple cells with the same network name.

How does 802.11r fast roaming work?

802.11r, also known as Fast BSS Transition, reduces the time it takes for a client to roam between APs. It works by caching the Pairwise Master Key (PMK) from the initial 802.1X authentication. When the client roams to a new AP, it sends a Reassociation Request with a PMKID derived from the cached PMK. The new AP checks its own cache (or retrieves it from the old AP over the DS) and proceeds directly to the 4-way handshake, skipping the full authentication. This reduces latency from hundreds of milliseconds to under 50 ms.

What is the role of 802.11k in roaming?

802.11k (Radio Resource Measurement) helps clients make better roaming decisions by providing a neighbor report. The current AP can send a list of nearby APs with their BSSIDs, channels, and signal strengths. This allows the client to scan only those channels, reducing scan time and improving roaming efficiency. It is often used alongside 802.11r for optimal performance.

Can a client roam between APs on different channels?

Yes, a client can roam to an AP on a different channel. However, the client must scan that channel before associating, which adds latency. With 802.11k, the client knows the channel in advance, minimizing delay. Without it, the client may have to scan all channels, increasing roaming time.

What happens if a client roams to an AP on a different VLAN?

If the client roams to an AP on a different VLAN (Layer 3 roaming), its IP address may change unless the network uses a tunneling protocol like CAPWAP or a mobility anchor. In controller-based deployments, the controller can tunnel traffic from the new AP back to the original AP, preserving the client's IP. Otherwise, the client must obtain a new IP via DHCP, which can cause a brief interruption.

Why do some clients not roam even when signal is weak?

This is known as the 'sticky client' problem. Some clients are configured with aggressive roaming thresholds or lack support for 802.11v. They may hold on to a weak signal because they don't scan frequently enough. Solutions include enabling 802.11v BSS Transition Management to encourage roaming, adjusting client driver settings, or lowering the AP's transmit power to force earlier roaming.

What is PMK caching and how does it differ from 802.11r?

PMK caching is a method where the client and AP cache the Pairwise Master Key after initial authentication. When roaming, the client sends a PMKID, and if the new AP has the key cached, it skips full authentication. 802.11r standardizes this process and adds features like key distribution over the DS. PMK caching is a simpler mechanism that may be proprietary (e.g., Cisco OKC), while 802.11r is an IEEE standard.
