Abstract: There is a lack of an authentication protocol for station roaming in IEEE 802.11s WLAN Mesh. And the shared key between the supplicant and the authenticator is generated by the authentication server in the current authentication protocol EMSA of IEEE 802.11s WLAN Mesh, so all the messages between them are learned by the authentication server. Moreover, the authentication mode based on the shared-key can not provide the perfect forward secrecy, which results in that all the keys generated by the shared-key are exposed. Based on EMSA, through the technique of the three-party Diffie-Hellman key exchange and separate authentication payload, a new authentication protocol is proposed, which can overcome the above shortcomings for station roaming. The new authentication protocol only needs four rounds to realize the mutual authentication and key confirmation among supplicant, authenticator and authentication server. Therefore, the four-way handshake, which is necessary in EMSA, is not required in the new solution. Furthermore, two different authentication modes, the shared-key based mode and the signature based mode, can be expressed by a single protocol in virtue of the separate authentication payload technique. When a different authentication mode is adopted, the protocol remains unchanged. Finally, the security and performance of the new protocol are analyzed. The results show that the new protocol is universally composable-secure, and has a much better performance than the current solutions.