A robust security network (RSN), such as a Wi-Fi Protected Access 2 (WPA2)-based network (i.e., one using a security method that provides both data protection and network access control), includes a mechanism for establishing a secure wireless connection with a client device. With this mechanism, an access point of the network (e.g., one that recognizes the wireless client device) may provide a pairwise master key identifier (PMKID) to the client. The PMKID refers to a previous authentication and enables the access point and the client to skip the full authentication exchange and reestablish a secure connection directly via the four-way handshake (the method used by a client and an authenticator, e.g., an access point, to derive pairwise transient keys (PTKs), which are used to encrypt data frames). The PMKID is derived from the pairwise master key (PMK) and the media access control (MAC) addresses of the client and the access point. If the PMKID sent by the access point is not found in the client's cache, a full authentication of the client must occur (e.g., requiring the client to provide a password and/or other authentication information). The full authentication process may consume a substantial amount of time and may disrupt the client's connection to the network.
Current RSN implementations (e.g., in a wireless network interface card, or wireless card, associated with the client) report a list of potential roaming candidates (i.e., access points) in a wireless network. The wireless client can pre-calculate PMKIDs using its most recent encryption key (i.e., the most recent PMK) and the MAC address of each reported access point. The client adds the pre-calculated PMKIDs to its cache alongside the PMKIDs of previously successful authentications. This arrangement is called “opportunistic key caching” and relies on the assumption that a smart switch (e.g., a wireless controller associated with the RSN) manages the access points, or that the access points share encryption keys (e.g., PMKs) through some other mechanism, so that the same PMK is valid at every access point. However, the number of access points that the wireless card reports to the client is limited and, in many cases, is significantly smaller than the number of available access points. Thus, if the client attempts to roam to an access point that the wireless card did not report, the client holds no cached PMKID for it and a full authentication must occur.
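The following is an added worked example and is not part of the original text or any product it describes. It shows how a WPA2 client derives a PMKID (per IEEE 802.11i, the first 128 bits of HMAC-SHA1 over the string "PMK Name" followed by the access point MAC and the client MAC, keyed with the PMK), how an opportunistic key cache pre-calculates PMKIDs for reported roaming candidates, and what happens on a roam to an access point that was never reported or that does not share the PMK. The PMK derivation shown is the WPA2-PSK one (PBKDF2-HMAC-SHA1 over the passphrase and SSID); with 802.1X/EAP the PMK comes from the EAP master session key instead. The passphrase, SSID, MAC addresses, and the class and function names are constructed for illustration.

```python
"""Added example: PMKID derivation and an opportunistic key cache for a WPA2 client.
The passphrase, SSID and MAC addresses used below are constructed sample values."""
import hashlib
import hmac

PMKID_LEN = 16  # PMKID is HMAC-SHA1-128, i.e. the first 128 bits of the HMAC output


def derive_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mac_to_bytes(mac: str) -> bytes:
    """'02:aa:00:00:00:01' -> 6 raw bytes (colon or dash separated input accepted)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return raw


def compute_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); AA is the authenticator
    (access point) MAC address and SPA the supplicant (client) MAC address."""
    data = b"PMK Name" + mac_to_bytes(ap_mac) + mac_to_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:PMKID_LEN]


class PmkidCache:
    """Client-side cache of PMK security associations, keyed by PMKID (hypothetical helper)."""

    def __init__(self, client_mac: str):
        self.client_mac = client_mac
        self._entries = {}  # PMKID -> (access point MAC, PMK)

    def add(self, ap_mac: str, pmk: bytes) -> bytes:
        """Cache the PMK that an authentication with ap_mac produced; return its PMKID."""
        pmkid = compute_pmkid(pmk, ap_mac, self.client_mac)
        self._entries[pmkid] = (ap_mac, pmk)
        return pmkid

    def precalculate(self, candidate_ap_macs, pmk: bytes) -> int:
        """Opportunistic key caching: assume the most recent PMK is also valid at every
        reported roaming candidate and cache a PMKID for each one."""
        count = 0
        for ap_mac in candidate_ap_macs:
            self.add(ap_mac, pmk)
            count += 1
        return count

    def lookup(self, pmkid: bytes):
        """Return the cached (access point MAC, PMK) for an offered PMKID, or None."""
        return self._entries.get(pmkid)


def roam(cache: PmkidCache, target_ap_mac: str, ap_pmk: bytes) -> str:
    """Simulate the access point offering its PMKID (as in message 1 of the four-way
    handshake) and the client deciding between a fast and a full authentication.
    ap_pmk is the PMK the target access point actually holds."""
    offered = compute_pmkid(ap_pmk, target_ap_mac, cache.client_mac)
    hit = cache.lookup(offered)
    if hit is None:
        return "full"  # PMKID unknown to the client: full authentication required
    cached_ap, cached_pmk = hit
    # Constant-time comparison for key material; the AP check guards against a collision.
    if cached_ap != target_ap_mac or not hmac.compare_digest(cached_pmk, ap_pmk):
        return "full"
    return "fast"  # proceed straight to the four-way handshake with the cached PMK


if __name__ == "__main__":
    client = "02:00:00:00:00:01"                     # constructed client MAC
    reported = ["02:aa:00:00:00:01", "02:aa:00:00:00:02"]  # candidates the card reported
    unreported_ap = "02:aa:00:00:00:03"              # available but not reported
    pmk = derive_psk_pmk("correct horse battery staple", "ExampleNet")  # constructed
    cache = PmkidCache(client)
    cache.add(reported[0], pmk)             # full authentication with the first AP
    cache.precalculate(reported[1:], pmk)   # opportunistic caching for the rest
    print("roam to reported AP:  ", roam(cache, reported[1], pmk))
    print("roam to unreported AP:", roam(cache, unreported_ap, pmk))
```

The second print shows the limitation the text describes: the unreported access point shares the same PMK, so a fast reconnection would have been possible, but because the client never computed its PMKID the offered value misses the cache and a full authentication follows. Passing a different PMK for the target access point to `roam` models the other failure of the opportunistic assumption, where the access points do not actually share keys.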
Many RSN environments include multiple access points controlled by a switch. The switch may be aware of the wireless clients and may store their encryption keys in order to speed up subsequent wireless connections when a client roams to another access point on the same wireless network. Opportunistic key caching allows the wireless client to pre-calculate PMKIDs for a limited number of potential future associations (i.e., with access points). However, there is no guarantee that the client will roam to one of these access points.