CCKM

Hello

WDS puts CCKM?

Thank you

Navid

Hi Navid,

This is how WDS and CCKM relate to each other:

Access points in many wireless LANs serve mobile client devices that roam from access point to access point throughout the installation. Some applications running on client machines require fast association when they roam to a different access point. Voice applications, for example, require seamless roaming to avoid delays and gaps in the conversation.

In normal operation, LEAP-enabled client devices mutually authenticate with a new access point by performing a complete LEAP authentication, including communication with the primary RADIUS server.

When you set up your wireless network for fast, secure roaming, however, LEAP-enabled client devices roam from one access point to another without involving the main server. Using Cisco Centralized Key Management (CCKM), a device set up to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client so quickly that there is no perceptible delay in voice or other time-sensitive applications.

The WDS device maintains a cache of credentials for CCKM-capable client devices on your wireless network. When a CCKM-capable client roams from one access point to another, the client sends a reassociation request to the new access point, and the new access point forwards the request to the WDS device. The WDS device forwards the client's credentials to the new access point, and the new access point sends the reassociation response to the client. Only two packets are exchanged between the client and the new access point, greatly shortening the reassociation time. The client also uses the reassociation response to generate the unicast key.

From this doc:

http://www.Cisco.com/en/us/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15roamg.html

I hope this helps!

Rob

Tags: Cisco Wireless

Similar Questions

  • Enabling Fast Transition with assisted roaming on a legacy SSID

    Hello

    I'm running WLC code 8.0.121 (soon to be 8.0.132) and I'm looking to enable fast transition with assisted roaming on my corporate network. The goal is not to have to create a separate SSID for fast transition clients. I read that the version of code that I'm running allows me to activate this on an existing network. My SSID has the following parameters set:

    WPA2-AES

    802.1x

    CCKM

    WMM enabled

    Aironet IE

    DTIM period 802.11a - 2

    Tolerance of CCKM TSF... 5000

    Timeout of reassociation FT... 20

    I intend to follow the guide of best practices for Apple devices and implement the following technologies:

    802.11k, 802.11r and 802.11v.

    I have a few new features that support both CCKM and 802.11r fast transition. Will this device try to use 802.11r or CCKM? How is that usually determined? My TAC engineer said:

    "There may be older clients that suffer disconnections if we enable both or either of these roaming methods, given that some older clients are not able to handle this additional information."

    Will my existing clients potentially have issues if they do not support CCKM or FT?

    Any input would be appreciated.

    Thank you

    Will my existing clients potentially have issues if they don't support CCKM or FT?
    Yes, unless your clients support FT there can be connectivity problems with certain types of clients. You must ensure that your client devices support 802.11r before enabling this on your SSID. If you have the authority, you can enable it first and see which devices are affected, but that is disruptive and undesirable. See this thread, where I have listed some types of clients that support 802.11r mixed mode with version 8.0 software. This list may have grown since then:

    https://supportforums.cisco.com/discussion/12314591/8021r-and-fast-roaming

    HTH

    Rasika

    * Pls note all useful responses *
  • Recommended configuration of WLC 2504 SSID with AD

    Hello

    I would like to ask what you think is now the best practice and recommended solution for configuring an SSID on a 2504 WLC for the following scenario. I'm new to WLC and would like to secure the network.

    -any type of client must be supported (Win 7/8/10, mac, linux, iOS, android, windows mobile)

    -authentication on Win 2012 R2 NPS as RADIUS

    -no client certificate requirement (we don't want PKI configuration for now); we just want the WLC certificate as an authentication point

    Is [WPA2][Auth(802.1X + CCKM)] with RADIUS configured enough?

    Thank you

    Well Yes, check these

    http://www.Cisco.com/c/en/us/support/docs/wireless-mobility/WLAN-Securit...

    http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/4-2/configurati...

    Eat local point concerns small size as a small office deployments.

  • 802.1R and fast roaming

    Hello world.

    I couldn't find anything in this regard. I want my clients to be able to experience better roaming. Based on my study, the client goes through the 802.1x process when it re-associates with a different AP (even on the same WLC), and 802.1r or the FT 802.1x option seems to be the answer if I don't want to use a CCKM server.

    First, is that OK? In my debug I get this line, which says no transfer of data at this stage while it's in the process of EAPOL.

    So to enable 802.1r, I selected fast transition and over the DS, and also checked FT 802.1x.

    is that all?

    Thanks for your response

    Hello

    Thanks for the debug.

    By the way I am at the other end of AU (IE MEL) - it was 22:38 when I replied to you yesterday :)

    So here's what I found in the debug: it looks like no fast roaming (802.11r) is happening, and each time the client goes through the full auth process and then the 4-way handshake. I can see the client roaming 6 times to different APs; only the first 3 are shown here.

     *apfMsConnTask_3: Oct 03 08:17:46.471: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:59:a1:90 (status 0) ApVapId 1 Slot 0
     *apfMsConnTask_3: Oct 03 08:17:46.471: 00:24:2b:6f:4e:98 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:2b:6f:4e:98 on AP 2c:3f:38:59:a1:90 from Associated to Associated
     *spamApTask0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Sent 1x initiate message to multi thread task for mobile 00:24:2b:6f:4e:98
     *Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
     *Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Disable re-auth, use PMK lifetime.
     *Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
     *Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)

     *apfMsConnTask_7: Oct 03 08:22:03.689: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:2a:a6:b0 (status 0) ApVapId 1 Slot 0
     *apfMsConnTask_7: Oct 03 08:22:03.689: 00:24:2b:6f:4e:98 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:2b:6f:4e:98 on AP 2c:3f:38:2a:a6:b0 from Associated to Associated
     *pemReceiveTask: Oct 03 08:22:03.690: 00:24:2b:6f:4e:98 10.66.54.50 Removed NPU entry.
     *spamApTask3: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 Sent 1x initiate message to multi thread task for mobile 00:24:2b:6f:4e:98
     *Dot1x_NW_MsgTask_0: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
     *Dot1x_NW_MsgTask_0: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 Disable re-auth, use PMK lifetime.
     *Dot1x_NW_MsgTask_0: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
     *Dot1x_NW_MsgTask_0: Oct 03 08:22:03.693: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)

     *apfMsConnTask_4: Oct 03 08:23:06.663: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:30:17:10 (status 0) ApVapId 1 Slot 0
     *apfMsConnTask_4: Oct 03 08:23:06.663: 00:24:2b:6f:4e:98 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:2b:6f:4e:98 on AP 2c:3f:38:30:17:10 from Associated to Associated
     *spamApTask0: Oct 03 08:23:06.665: 00:24:2b:6f:4e:98 Sent 1x initiate message to multi thread task for mobile 00:24:2b:6f:4e:98
     *Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
     *Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 Disable re-auth, use PMK lifetime.
     *Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
     *Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)

    Regarding your code version and supported 802.11r clients, I found this today during the WLC 8.0 Delta Webinar.

    1. 802.11r mixed mode is supported in 7.6 and 8.0 (both codes)
    2. Yet a few supplicants (Mac OSX, Netgear, etc.) don't like mixed-mode WLANs, so they can have trouble if you enable FT

    Here is the list of supported 802.11r mixed-mode clients by OS, according to today's WebEx.

    I suspect that your Dell client may not support 802.11r and therefore does the full auth every time.

    If possible, get a client debug output for an iPhone or an iPad (running iOS 6 or higher). We can then compare and see the difference.

    Hope this answer help me set up my side. :)

    He sank 4-> 3-> 2 to 3 last replies :)

    HTH

    Rasika
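
The check made by eye on the debug in this answer can be scripted. The following is an added example, not part of the original thread: it pairs each successful `Sending Assoc Response` line with any `Sending EAP-Request/Identity` line that follows for the same client, which is the sign that 802.1X was restarted from scratch. The function and variable names are assumptions, and one sample line is constructed and labelled as such.

```python
import re
from dataclasses import dataclass

# Assoc Response and EAP-Request/Identity lines copied from the debug in the thread.
PAGE_DEBUG = """\
*apfMsConnTask_3: Oct 03 08:17:46.471: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:59:a1:90 (status 0) ApVapId 1 Slot 0
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)
*apfMsConnTask_7: Oct 03 08:22:03.689: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:2a:a6:b0 (status 0) ApVapId 1 Slot 0
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.693: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)
*apfMsConnTask_4: Oct 03 08:23:06.663: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:30:17:10 (status 0) ApVapId 1 Slot 0
*Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)
"""
# Constructed line (not from the thread): an association with no identity request after it.
CONSTRUCTED_LINE = (
    "*apfMsConnTask_4: Oct 03 08:30:00.000: 00:24:2b:6f:4e:98 Sending Assoc Response "
    "to station on BSSID 02:00:00:00:00:01 (status 0) ApVapId 1 Slot 0\n"
)

LINE_RE = re.compile(
    r"\*(?P<task>\w+): (?P<ts>\w{3} \d{2} [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)"
)
ASSOC_RE = re.compile(r"Sending Assoc Response to station on BSSID (\S+) \(status (\d+)\)")


@dataclass
class Association:
    client: str
    bssid: str
    time: str
    full_dot1x: bool = False  # True once an EAP-Request/Identity follows


def classify_associations(debug_text):
    """Pair each successful Assoc Response with any EAP identity request after it."""
    found, latest = [], {}  # latest: client MAC -> its most recent Association
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        mac, msg = m["mac"], m["msg"]
        assoc = ASSOC_RE.search(msg)
        if assoc and assoc.group(2) == "0":
            latest[mac] = Association(mac, assoc.group(1), m["ts"])
            found.append(latest[mac])
        elif "Sending EAP-Request/Identity" in msg and mac in latest:
            latest[mac].full_dot1x = True
    return found


def full_auth_bssids(debug_text):
    """BSSIDs where the client was sent back through the full 802.1X exchange."""
    return [a.bssid for a in classify_associations(debug_text) if a.full_dot1x]


if __name__ == "__main__":
    for a in classify_associations(PAGE_DEBUG + CONSTRUCTED_LINE):
        verdict = "full 802.1X restarted" if a.full_dot1x else "no EAP identity request seen"
        print(a.time, a.client, "->", a.bssid, verdict)
```

An association with no identity request after it is only reported as such; the script does not claim it was an 802.11r or CCKM roam, since the thread shows no debug output for that case.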

  • WLC 5760 with AP1121G

    Guys,

    I've got something that seems kind of weird to me. I'm trying to set up a workgroup bridge with a WLC 5760 and an 1100 AP in standalone mode, but all I get is this error on the AP.

    *Oct 1 18:45:05.639: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: WPAIE not found and required

    *Oct 1 18:46:03.639: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response of the channel 11 8861 0c68.03ea.4073

    *Oct 1 18:47:47.639: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: combining

    configurations are:

    dot11 ssid TEST
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 1416000E0F0C2379747960

    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid TEST
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role workgroup-bridge
     bridge-group 1
     bridge-group 1 spanning-disabled

    and on the WLC 5760,

    wlan TEST 7 TEST
     no broadcast-ssid
     client vlan 7
     no security wpa akm dot1x
     security wpa akm psk set-key ascii 0 arechi2013
     session-timeout 1800
     no shutdown

    sh wlan name TEST

    Security
     802.11 authentication: open system
     The static WEP keys: disabled
     802.1X: disabled
     Wi-Fi Protected Access (WPA/WPA2): enabled
      WPA (SSN IE): disabled
      WPA2 (RSN IE): enabled
       TKIP encryption algorithm: disabled
       AES encryption algorithm: enabled
      Management key auth
       802.1x: disabled
       PSK: enabled
       CCKM: disabled
     CKIP: disabled

    Can someone help me?

    1121 are not supported. Here's a matrix showing what is supported and what is not.

    http://www.Cisco.com/en/us/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp98682

    Thank you

    Scott

    Help others by using the rating system and marking answered questions as 'answered'.

  • Wireless Roaming

    Hello

    I have the following configuration:

    Several autonomous Cisco APs, authenticating with PEAP, with RADIUS-based VLAN assignment and WPA2-AES encryption. Is it possible to offer fast roaming between my APs so that the whole process of re-authentication with the RADIUS server does not occur?

    Is CCKM supported in my case (with dynamic VLAN assignment)?

    Hello

    When you use security on IOS APs you need WDS to achieve fast roaming.

    Basically, there is a main access point (the WDS AP) that controls the RRM and authentications. All the other APs are infrastructure APs and report to that WDS.

    This centralizes the associated users so that when a user roams, there is no need to re-authenticate and roaming is fast.

    You can find more information here:

    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.

    http://www.cisco.com/en/US/products/hw/wireless/ps458/products_configuration_example09186a008059a559.shtml.

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Requirements for WDS

    Hello

    We have a few Cisco 1100 and 1200 Accesspoints and heard about the Wireless Domain Services.

    We would like to use this service to reduce the roaming time. I already read the setup guide, but there is something that I did not understand.

    Do I need to install a RADIUS server in the network to use WDS, or does it also work without one?

    We just want to reduce the roaming time. The increase in security is not important to us.

    Thank you

    Daniel

    The feature you mentioned is called fast secure roaming. You don't need an external RADIUS server. (you can use a property). You can use the local RADIUS server built into IOS on the APs.

    The stickiest part is the wireless clients. You must use CCKM for fast secure roaming. CCKM requires LEAP or EAP-FAST as authentication. All wireless clients must be either Cisco CCXv2 compliant (for LEAP + CCKM) or CCXv3 compliant (for EAP-FAST + CCKM). For the CCX-compliant clients, please go to the following URL:

    http://www.Cisco.com/en/us/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html

    Out of curiosity, what is the current roaming time? What application requires a faster roaming time? Based on my experience, you only need fast secure roaming if you use voice over IP, Citrix or SQL applications.

  • Changing from PSK to RADIUS auth

    Hey all.

    My WLC 5508 is running with a dozen APs, though the controller was set up using pre-shared keys.  The plan now is to migrate to RADIUS authentication for our internal network... we will still use PSK on our vendor/visitor SSID.

    So WLAN 1 is internal access... WLAN 2 is internet access only.

    I'm confused about how to configure WLAN 1 the way I want.  I would like authentication to hit our RADIUS server, which points to AD for the user accounts.  If the user is in AD, they are good to go.

    So in the WLAN 1 configuration screens, I can go to the Security section and select the AAA server and enter the IP address of the RADIUS server.  How do I enable layer 2 security now?

    I can certainly choose WPA/WPA2, adding WPA2 AES as my encryption method.  However, the key management methods available are confusing me, even after hours of reading.  I can't use PSK, and CCKM I know the least about.  The only other option is 802.1x. Is this the option I should use?  If I'm trying to auth against a RADIUS server without the use of certificates, does it still qualify as an EAP process?

    I hope my thinking aloud made sense.  It is a steep learning curve for me.

    Thank you

    Mike

    Hello

    What you should use is 802.1x authentication, pointing the authentication to a RADIUS server. If using Windows Server, you can use the IAS service; if using Cisco, it is known as ACS. Or, newer, the WLC can connect directly to AD...

    This configuration example is with EAP-FAST using LDAP (AD).

    http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a008093f1b9.shtml
