Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/wifi/help/en-us/index.html?contextId=roaming-best-practices

Roaming best practices

Roaming occurs when a wireless device moves out of the coverage area of one access point and connects to another with a stronger signal. Devices start roaming when the signal strength drops below a certain level, usually around –70 dBm. However, this threshold can vary based on the device and its configuration.

Wi-Fi coverage

In Wi-Fi network design, wireless devices must receive a strong and consistent signal for the best user experience. Each access point creates a coverage area with a signal strong enough to provide a reliable connection. In an environment with optimal coverage, wireless devices can see at least two access points, ideally three. However, if the coverage area is too small or too large, it negatively impacts roaming.

The Received Signal Strength Indicator (RSSI) value measures how strong a wireless signal is at a device. An RSSI value of -67 dBm for voice and -72 dBm for data is considered the minimum for reliable connections and seamless roaming. At this strength, devices can maintain stable connections without significant packet loss or degradation in performance. This value also helps define the boundary of a coverage area and the point at which a wireless device starts roaming by searching for another access point with a stronger signal. Make sure the boundary of each access point reaches this signal strength to guarantee wireless devices experience smooth roaming without disconnections and maintain data integrity during the transition between access points.

Note

While -70 dBm is considered the optimal RSSI for initiating roaming, you can adjust this in your environment. See Smart handover.

Coverage overlap

To facilitate roaming, access points' coverage areas must overlap. This overlap ensures that when a device moves away from one access point's coverage area, it can seamlessly connect to another without experiencing a drop in signal strength. The overlap must be large enough for timely and confident roaming, yet small enough to avoid interference and congestion. We recommended a 15 to 20% overlap between coverage areas for optimal performance. This ratio ensures that as a device moves through the coverage area, it can seamlessly roam from one access point to another without experiencing a drop in signal quality.

We recommend a 10 to 15 dBm gap between the current access point and the next in coverage overlap for reliable roaming. For example, if the RSSI threshold for roaming is set at -70 dBm, when a wireless device moves away from an access point and reaches that threshold, there must be another access point in range with an RSSI of at least -60 dBm for the wireless device to roam seamlessly between them. The 10 to 15 dBm rule ensures that wireless devices don't bounce back and forth between access points and only roam when there's a clear improvement in signal quality.

Tip

A site survey can help you identify the coverage overlap in your environment. See Site survey.

Overlap too small

If the overlap between coverage areas is less than 10%, wireless devices experience weak or intermittent connections as they move between coverage areas. Because the overlap is small, wireless devices miss the opportunity to discover the next access point before the current one's signal becomes too weak. The overlap isn't wide enough for the device to scan, detect, and reliably connect to a new access point. RSSI values are too low to trigger a handoff, and when a device reaches its roaming threshold, the new access point isn't strong enough to make it a viable roaming candidate. Instead, the wireless device clings to the original access point for as long as possible, becoming what's known as a sticky client. Once the signal weakens, the device will finally roam, but it'll experience dropped connections and poor performance until it's closer to the new access point.

Overlap too large

While some overlap is essential for roaming, excessive overlap can lead to interference and performance issues. Wireless devices choose access points based on signal and performance. If multiple access points appear identical, wireless devices become sticky clients and stay connected to the original one, even if roaming is beneficial. When the overlap between access points is more than 30%, both access points can appear equally strong. Wireless devices can become sticky clients because they can't easily decide whether to stay connected to the current access point or roam to a new one. This behavior can also cause load-balancing issues when wireless devices don't distribute themselves evenly amongst the available access points.

Large overlaps also introduce the potential for performance issues caused by co-channel interference (CCI). This happens when access points overlap on the same or adjacent channels. The access points can interfere with each other's signals, reducing throughput and increasing latency. See Non-overlapping channels.

Sophos configuration

Sophos AP6 access points support several features to improve roaming in your environment. You can configure 802.11k, 802.11r, and smart handover for more efficient roaming and a better user experience. These features work best when configured together to offer the best network performance and user experience.

802.11k

802.11k allows access points to gather and report information about the environment. This information includes signal strength, channel utilization, interference, and other information about neighboring access points. It helps wireless devices make quicker, smarter roaming decisions by reducing the time needed to find suitable networks and improving handoff. 802.11k is turned on by default on all SSIDs.

Besides helping wireless devices make better roaming decisions, 802.11k can improve network performance by reducing the number of devices and time spent scanning for neighboring access points. Since the information provided to devices also includes the number of devices connected to neighboring access points, it also improves performance by allowing wireless devices to load-balance themselves by choosing less-congested access points when roaming.

Note

While 802.11k improves roaming efficiency, it doesn't reduce authentication time when a wireless device roams. The authentication process can still introduce delays, especially in networks using WPA2-PSK. Also, not all wireless devices support 802.11k. Some legacy devices may not recognize or properly handle the neighbor reports, leading to connectivity issues.

802.11r

802.11r, or fast roaming, reduces the amount of time needed for a wireless device to authenticate with a new access point when roaming. It allows access points to share encryption keys and pre-authenticate wireless devices as they roam.

Allowing access points to share encryption keys and wireless devices to pre-authenticate can reduce roaming time by a factor of ten, from hundreds of milliseconds down to as little as 40 or 50 milliseconds. This sharing can also improve network performance by reducing authentication overhead and repeated RADIUS or WPA2 handshakes for networks using WPA2 and WPA3 enterprise with remote authentication servers. Fast roaming also improves the user experience by allowing uninterrupted media streaming and VoIP calls while roaming between access points.

Not all devices or environments support fast roaming. We don't recommend using fast roaming in the following instances:

  • If you have incompatible devices in your environment, don't use fast transition roaming or create a separate SSID for incompatible devices. Some legacy and vendor-specific clients may fail to connect or experience roaming issues.
  • If your environment doesn't use enterprise authentication, the benefit is minimal. The benefit is greater when 802.11r allows wireless devices to skip repeated authentication handshakes and eases the load on RADIUS servers.
  • You can't use fast transition roaming in mixed deployments involving Sophos APX access points. APX and AP6 access points can't share wireless device authentication information. See AP6 and APX mixed deployment guide.

Fast transition roaming can also pose a security risk in environments where the SSID is accessible outside a controlled area. See Fast roaming.

Smart handover

Smart handover helps wireless devices trigger the roaming process faster for applications and environments that require a stronger, stable connection. You can configure this for the 2.4, 5, and 6 GHz frequency bands from the local AP6 UI. This feature lets you set the RSSI threshold at which a wireless device must disconnect and roam to another access point. The default value is -80 dBm.

We recommend conducting a thorough site survey before turning this feature on and configuring it. Wireless devices below the configured threshold disconnect from the access point and begin searching for a new access point. If the value is too high, a device will disconnect before finding another suitable access point, causing service disruption and a poor user experience. Post-deployment surveys and monitoring will also help ensure the threshold remains properly configured.