Skip to main content
FrankY1
Staff
FrankY1
Staff
March 18, 2026

Technical Tip: Compare 802.11r and OKC for Fast-Roaming in wireless networks

  • March 18, 2026
  • 0 replies
  • 484 views
Description This article describes the differences between 802.11r (Fast BSS Transition) and OKC (Opportunistic Key Caching) fast roaming mechanisms in FortiGate-managed wireless networks, including their behavior when both are configured, and guidance on when each is preferred or takes precedence.
Scope FortiGate, FortiAP.
Solution

Overview.

802.11r and OKC are the two primary fast-roaming technologies supported by FortiGate and FortiAP to reduce client handover time when moving between access points on the same SSID. They help avoid full re-authentication delays, improving performance for real-time applications such as VoIP and video.

 

802.11r vs OKC Comparison.

 

 

802.11r (Fast BSS Transition).

OKC (Opportunistic Key Caching).

Standard.

IEEE 802.11r.

Proprietary (widely supported, no IEEE standard).

Primary Security Mode.

Best with WPA2-Enterprise / WPA3-Enterprise (802.1X).

Works with WPA2-Personal (PSK) and Enterprise.

Mechanism.

Pre-authentication and key caching (PMK-R0/R1 hierarchy) in a mobility domain; uses fast transition handshake (over-the-air or over-DS).

FortiGate caches Pairwise Master Key (PMK) after initial auth and shares PMKID with APs; skips full EAP on roam.

Roaming Latency.

Very low (<50 ms).

Low (50–150 ms).

Client Requirement.

Client must support 802.11r (most modern devices: iOS, Android, Windows 10+).

Broad support on nearly all WPA2 clients.

When Prioritized.

Preferred and used automatically if the client supports it.

Fallback when 802.11r is not supported or disabled.

 

Key FortiGate Behavior.

When 802.11r is enabled on a VAP (set fast-bss-transition enable).

  • FortiGate advertises Fast BSS Transition capability in beacons and the RSN information element.
  • Clients that support 802.11r will use Fast BSS Transition (802.11r) for roaming; this takes precedence over OKC.
  • Clients that do not support 802.11r fall back to OKC (if enabled) or perform a full re-authentication.
  • Enabling 802.11r does not disable OKC; OKC remains available as a compatibility fallback for non-FT clients.

 

It is recommended to keep the set OKC enabled and active even when using 802.11r.

 

Related documents:

config wireless-controller vap 

Advanced SSID options
      Terms & ConditionsAccessibility statement