Wi-Fi Roaming with VigorAP

Wireless roaming is when a wireless client (station) moves around in an area with multiple access point (AP), it may automatically switch to another AP which has better signal strength.

Traditional Roaming

However, the wireless signal handover is a decision of the wireless clients, and we often find the wireless clients stick to the original connected AP which has weak wireless signal but don't roam to the AP with the stronger signal.

AP-Assisted Roaming

VigorAP provides "AP-assisted Client Roaming" which could assist the wireless clients in roaming more effectively. Network administrator could set up conditions related to RSSI or Link rate for AP to kick out the wireless clients with poor signal and help the "sticky" wireless clients transfer to the optimized connection.

Roaming Configuration on VigorAP

1. To enable wireless roaming in the network, the APs must have the same SSID and use the same security mode and password phrase.

  a screenshot of VigorAP SSID Settings  a screenshot of VigorAP Security Settings

2. Channel on each AP does not have to be the same; actually, it is recommended to use different and non-overlapping channels for each AP to avoid interference between them.

a screenshot of VigorAP Channel Settings

3. After preparing the SSID, go to Wireless LAN >> Roaming and set up the parameters.

a screenshot of VigorAP Roaming Settings a screenshot of VigorAP Roaming Settings

Note: You can enable Basic Rate and RSSI Requirement at the same time, AP will disconnect the wireless client once it meets one of the conditions.

Checking the Client's RSSI

Network administrator could check the wireless client information such as Link Speed and RSSI from Wireless LAN >> Station List

a screenshot of VigorAP Station List

On Android devices, we can see the signal strength of each SSID. Go to Developer Options to enable WiFi Verbose logging. Then we can check the Wifi RSSI (-dBm).

a screenshot of Android

Syslog for Roaming

Network administrator could also check the message "kick" in the Diagnostics >> Syslog Explorer. It means AP had disconnected the wireless client because of AP-assisted roaming settings.

a screenshot of VigorAP Syslog

Improve Handover from the Client

If your AP does not support AP-assisted roaming, you can try change Network adapter settings on the stations. Some wireless network adapter support Roaming-Aggressive feature, which could be found on Device Manager > Wireless network adapter (Right Click) > Properties > Advanced. The client could change Roaming-Aggressiveness value to Highest.

a screenshot of Windows

Fast Roaming(WPA2 Enterprise)

802.1X authentication provides advanced security for the wireless network; but when it comes to roaming, it might cause more delay because it adds more steps to the wireless connection process. However, the network administrator may enable PMK caching and Pre-Authentication to make roaming faster.

What is PMK caching?

After a successful 802.1X authentication, a Pairwise Master Key (PMK) will be generated and shared on both station and AP. When the client roams to AP-2 from AP-1, AP-1 keeps the PMK for a cache period (set in Wireless LAN >> Roaming) in case the station will be back soon. If the station roams back to AP-1 before cache period ends, it can skip the 802.1X process and reduce the roaming delay.

With the latest firmware, VigorAP can store PMK cache for up to 64 devices per band. When VigorAP has a client station with PMK cache trying to re-associate, Syslog will show [Fast Roaming]: PMKID matched and start key cache algorithm.

A wireless client switches to another AP and then switch back.

What is Pre-Authentication?

Once the client station has done 802.1X authentication and associate with AP-1, it will request for pre-authentication with AP-2 as well. The pre-authentication will be done via the Ethernet network between AP-1 and AP-2, and both the station and AP-2 will cache the generated PMK. When the station moves closer to AP-2 and switches to AP-2, it can skip the 802.1X authentication process, thus roaming delay can be reduced.

When VigorAP receives Pre-Authentication requests, Syslog will show [Fast Roaming] Receive pre-authentication PMK from [MAC address].

A wireless client do pre-authentication with another AP on LAN

In summary, PMK caching allows the station to skip the 802.1X authentication when it roams back to the AP connected before, and Pre-Authentication enables the station to do 802.1X authentication before it connects to another AP on the same network. It is recommended to turn on this option to have fast roaming in an 802.1X network.

Enable PMK Caching and Pre-Authentication on VigorAP

Fast Transition roaming 802.11r

The 802.11r Fast Transition roaming protocol can help reduce latency when wireless clients connect to another closer AP, so is very useful for VoIP/Video or other streaming applications. VigorAP is compatible with 802.11r-enabled clients and can work in WPA2 Personal(PSK) or WPA2 Enterprise(802.1X) security mode.

To enable 802.11r roaming in the network, the Access Points must have the same SSID, use the same security mode, and password phrase. Then we can just enable the 802.11r roaming option on the Roaming page.

VigorAP903 supports two Fast Transition mechanisms, over the DS and over the Air while the other AP models support over the DS mechanism only.

  • 802.11r roaming option on VigorAP903
  • 802.11r roaming on other VigorAP
  • How can 802.11r help with roaming?

    802.11r uses Fast Basic Service Set Transition (FT). It allows encryption keys to be stored on all APs in a network. This way, the time for wireless authentication will be reduced. It means that a Wi-Fi client doesn't need to perform the complete authentication process every time it roams to a new AP within the network range.

    There are two FT mechanisms that are supported by Wi-Fi devices. When a client moves from its current AP to a target AP using the FT protocols, the message exchanges are performed using one of the following two methods:

  • Over-the-DS
  • The client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT action frames between the client and the current AP and is then sent through the controller.

  • Over the Air
  • The client communicates directly with the target AP using IEEE 802.11 authentication, and also the FT authentication algorithm.


    1. Fast BSS Transition(FT) is operational only if the wireless client supports the 802.11r standard. If the client does not support the 802.11r standard, it falls back to the normal WPA2 authentication method. The 802.11r capable devices list can be found on the following pages;





    2. 802.11r roaming is not supported with WPA3 due to WPA3 uses a different key derivation method.

    3. 802.11r roaming is recommended to use between the same AP models. Different AP models may have different 802.11r Mobility Domain Identifier values at the moment.

    Published On:2018-08-21 

    Was this helpful?