wpa_supplicant roaming question

Jouni Malinen j
Sat Sep 10 13:58:21 PDT 2011

On Thu, Sep 01, 2011 at 04:18:47PM -0400, Matt Causey wrote:
> On Thu, Sep 1, 2011 at 3:53 PM, Janusz Dziedzic
> <janusz.dziedzic at gmail.com> wrote:
> > 2011/9/1 Matt Causey <matt.causey at gmail.com>:
> >> On Thu, Sep 1, 2011 at 1:17 AM, Janusz Dziedzic
> >> <janusz.dziedzic at gmail.com> wrote:
> >>> 2011/8/31 Matt Causey <matt.causey at gmail.com>:

> >>>> In our use case, we have a large number of access points and they can
> >>>> drop offline for maintenance periodically. ?What would folks recommend
> >>>> we do to keep these BSSID's from becoming permanently blacklisted just
> >>>> because they needed to reboot?

The blacklisting mechanism in wpa_supplicant is not "permanent". It is
only used to allow other APs to be used if an AP does not work (or much
more likely, is trying to use some proprietary load balancing

The problem that you are likely seeing is in the blacklist clearing
trigger not getting hit since there are other APs that are good enough
to work, but not really ideal for the particular station.

> >> This functionality as it stands is a show-stopper for us so I've
> >> commented out the call to wpa_blacklist_add()

Please be aware that disabling blacklisting and make the station not
behave in the way that some managed APs handle load balancing..

> >> ?I kind of wish that we could at least configure this behavior because
> >> it's pretty broken currently. ?I can see the rationale...the idea is
> >> that if a BSSID is impaired in some way, but is the strongest BSSID
> >> for a network, then clients will go there and have a bad experience.
> >> Unfortunately I think that the heuristic needs more work.

The BSS with the strongest signal strength may not to want to service
the specific station for load balancing reasons.. This was getting very
painful in some networks where wpa_supplicant continued to pick the
"best" AP and the AP just rejected association.. It could take ages to
get any kind of connectivity in such network.

> > In case of black_list ?- maybe good idea is to add time parameter for
> > each blacklisted AP.
> > In such case we could add APs to blacklist for specyfic amount of time
> > period. After this time APs will be removed from blacklist.

> I would agree with that.  It might also be useful to make that
> configurable rather than a compile-time option.

It sounds reasonable to clear the blacklist entry after some time at
least in the case the station gets connected to another AP (if it
doesn't, running out of options will clear the blacklist anyway).

> Even with a time value, though, I'm thinking that there will be some
> edge cases that we'll discover.  I am not sure that it's the
> supplicant's job, actually, to blacklist BSSIDs at all.  I would
> submit that if we have an ESSID with multiple BSSIDs in the first
> place, we're talking about an enterprise network or at the very least
> a network that should have some robust management in place.  And if a
> network like that has BSSID's out there that are broken, it isn't the
> client's job to work around that.  Roaming to another (uh, weaker)
> access point isn't really a solution.

Unfortunately those enterprise networks with "robust management" are
very unreliable from the view point of what a station sees as far as
IEEE 802.11 standard is concerned. Since there has not been a standard
mechanism for load balancing, many odd hacks have been developed to do
that. And yes, those BSSs look very much broken from the station
view point and many of these load balancing mechanisms result in the BSS
getting blacklisted (by design). I would disagree with the blacklisting
not believing in wpa_supplicant. It is very much part of the BSS
selection process that is within wpa_supplicant in the case of
mac80211-based drivers.

Roaming to a weaker AP is very much a solution in many cases when load
balancing is used. Sure, this should not break connectivity, so some
additional consideration is needed, but the station will have hard time
in many networks if it insist on only using the AP with strongest signal

> I'm just curious...what was the failure mode that precipitated the
> blacklist feature enhancement to wpa_supplicant?

There are two main reasons for it: load balancing in enterprise networks
and AP selection for WPS.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list