cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

478
Views
15
Helpful
2
Replies
Highlighted
Beginner

How to enable / disable OKC on Cisco 2504 WLC WLAN?

This document shows how to enable / disable sticky key caching (SKC). How do you enable / disable opportunistic key caching (OKC)?

Everyone's tags (4)
2 REPLIES 2
Cisco Employee

Re: How to enable / disable OKC on Cisco 2504 WLC WLAN?

As far as I know, OKC is enabled by default, and there is no way to disable OKC.

If using WPA2/AES, OKC will always be enabled.

VIP Mentor

Re: How to enable / disable OKC on Cisco 2504 WLC WLAN?

Yes, By default OKC enable when you configure WPA2-AES on a 802.1X SSID of a WLC. It is stated in the same document you refer.

config wlan security wpa wpa2 cache sticky enable wlan_id

By default, SKC is disabled and opportunistic key caching (OKC) is enabled.

 

If you want to know more details about OKC, here is the document you need to refer

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html#anc16

 

"Opportunistic Key Caching (OKC), also known as Proactive Key Caching (PKC) (this term is explained in greater detail in a note that follows), is basically an enhancement of the WPA2 PMKID caching method described previously, which is why it is also named Proactive/Opportunistic PMKID Caching. Hence, it is important to note that this is not a fast-secure roaming method defined by the 802.11 standard and is not supported by many devices, but just like PMKID caching, it works with WPA2-EAP.

 

This technique allows the wireless client and the WLAN infrastructure to cache only one PMK for the lifetime of the client association with this WLAN (derived from the MSK after the initial 802.1X/EAP authentication with the Authentication Server), even when roaming between multiple APs, as they all share the original PMK that is used as the seed on all WPA2 4-way handshakes. This is still required, just as it is in SKC, in order to generate new encryption keys every time the client reassociates with the APs. For the APs to share this one original PMK from the client session, they must all be under some sort of administrative control, with a centralized device that caches and distributes the original PMK for all of the APs. This is similar to the CUWN, where the WLC performs this job for all of the LAPs under its control, and uses the mobility groups in order to handle this PMK between multiple WLCs; therefore, this is a limitation on autonomous AP environments."

 

HTH

Rasika

*** Pls rate all useful responses ***

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards