3306 Views | 15 Helpful | 2 Replies

How to enable / disable OKC on Cisco 2504 WLC WLAN?

Sam Brynes (Level 1)

This document shows how to enable / disable sticky key caching (SKC). How do you enable / disable opportunistic key caching (OKC)?

2 Replies

HaifengLi (Cisco Employee)

As far as I know, OKC is enabled by default, and there is no way to disable OKC.

If using WPA2/AES, OKC will always be enabled.

Yes, by default OKC is enabled when you configure WPA2-AES on an 802.1X SSID of a WLC. It is stated in the same document you refer to.

config wlan security wpa wpa2 cache sticky enable wlan_id

By default, SKC is disabled and opportunistic key caching (OKC) is enabled.

If you want to know more details about OKC, here is the document you need to refer to:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html#anc16

"Opportunistic Key Caching (OKC), also known as Proactive Key Caching (PKC) (this term is explained in greater detail in a note that follows), is basically an enhancement of the WPA2 PMKID caching method described previously, which is why it is also named Proactive/Opportunistic PMKID Caching. Hence, it is important to note that this is not a fast-secure roaming method defined by the 802.11 standard and is not supported by many devices, but just like PMKID caching, it works with WPA2-EAP.

This technique allows the wireless client and the WLAN infrastructure to cache only one PMK for the lifetime of the client association with this WLAN (derived from the MSK after the initial 802.1X/EAP authentication with the Authentication Server), even when roaming between multiple APs, as they all share the original PMK that is used as the seed on all WPA2 4-way handshakes. This is still required, just as it is in SKC, in order to generate new encryption keys every time the client reassociates with the APs. For the APs to share this one original PMK from the client session, they must all be under some sort of administrative control, with a centralized device that caches and distributes the original PMK for all of the APs. This is similar to the CUWN, where the WLC performs this job for all of the LAPs under its control, and uses the mobility groups in order to handle this PMK between multiple WLCs; therefore, this is a limitation on autonomous AP environments."

HTH

Rasika

*** Pls rate all useful responses ***
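The quoted Cisco text explains the mechanism behind the "OKC is on by default" answer: one PMK from the initial 802.1X/EAP run is cached by the controller and reused at every AP, while the 4-way handshake still runs on each reassociation. The following Python model, added here as an illustration and not code from the thread or from Cisco, shows both halves of that: the standard 802.11 PMKID derivation (HMAC-SHA1-128 over "PMK Name" || AA || SPA) and PTK expansion, plus a small controller-side cache that behaves like SKC (a PMKID per AP the client actually authenticated to) or like OKC (the same PMK pre-seeded under every managed AP's PMKID). The BSSIDs, client MAC, nonces and "MSK" values are constructed sample data; the cache class is a simplified model of the behaviour described, not the WLC implementation.

```python
import hashlib
import hmac

# Constructed sample identifiers (not from the page): three APs joined to one
# controller and a single 802.1X client.
AP_BSSIDS = [
    bytes.fromhex("001122aabb01"),
    bytes.fromhex("001122aabb02"),
    bytes.fromhex("001122aabb03"),
]
CLIENT_MAC = bytes.fromhex("c0ffee000001")


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11 PMKID: HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). Same PMK,
    different AP address -> different PMKID, which is what OKC relies on."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-X (HMAC-SHA1 based) used for WPA2 pairwise key expansion."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """PTK from the 4-way handshake (PRF-384 for CCMP: KCK || KEK || TK).
    Fresh nonces on every reassociation give a fresh PTK from the same PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


class WlcPmkCache:
    """Model of the controller's PMK cache (PMKID -> PMK), not WLC code."""

    def __init__(self, ap_bssids, okc: bool):
        self.aps, self.okc, self.cache = list(ap_bssids), okc, {}

    def on_full_auth(self, pmk, bssid, spa):
        # After 802.1X/EAP completes at `bssid`, cache under that AP's PMKID (SKC).
        self.cache[pmkid(pmk, bssid, spa)] = pmk
        if self.okc:
            # OKC: the one PMK is distributed to every AP under the controller.
            for other in self.aps:
                self.cache[pmkid(pmk, other, spa)] = pmk

    def lookup(self, offered_pmkids):
        for p in offered_pmkids:
            if p in self.cache:
                return self.cache[p]
        return None  # cache miss -> full 802.1X/EAP run required


class Client:
    def __init__(self, mac, okc: bool):
        self.mac, self.okc, self.pmk, self.known = mac, okc, None, {}

    def offer(self, bssid):
        # OKC client: compute the PMKID for the new AP from the cached PMK.
        if self.okc and self.pmk is not None:
            return [pmkid(self.pmk, bssid, self.mac)]
        # SKC client: only has a PMKID for APs it fully authenticated to before.
        return [self.known[bssid]] if bssid in self.known else []

    def learned(self, pmk, bssid):
        self.pmk, self.known[bssid] = pmk, pmkid(pmk, bssid, self.mac)


def simulate(okc: bool, path):
    """Walk the client across `path`; return (bssid, fast_roam, ptk_hex) per hop."""
    wlc, client, auths, results = WlcPmkCache(AP_BSSIDS, okc), Client(CLIENT_MAC, okc), 0, []
    for hop, bssid in enumerate(path):
        pmk = wlc.lookup(client.offer(bssid))
        fast = pmk is not None
        if not fast:
            auths += 1
            # Full EAP run yields a fresh MSK and so a fresh PMK (constructed value).
            pmk = hashlib.sha256(b"msk-%d" % auths).digest()
            wlc.on_full_auth(pmk, bssid, CLIENT_MAC)
            client.learned(pmk, bssid)
        # The 4-way handshake still runs on every (re)association, as the text says.
        anonce = hashlib.sha256(b"anonce-%d" % hop).digest()
        snonce = hashlib.sha256(b"snonce-%d" % hop).digest()
        results.append((bssid.hex(), fast, derive_ptk(pmk, bssid, CLIENT_MAC, anonce, snonce).hex()))
    return results


if __name__ == "__main__":
    path = [AP_BSSIDS[0], AP_BSSIDS[1], AP_BSSIDS[2], AP_BSSIDS[0]]
    for mode, okc in (("OKC", True), ("SKC", False)):
        print(mode, [(b, "fast" if f else "full-EAP") for b, f, _ in simulate(okc, path)])
```

Running it shows why the answers above say OKC matters for 802.1X roaming: with OKC only the first association needs a full EAP exchange, whereas with SKC alone every never-visited AP triggers a full authentication and only a return to a previously visited AP is fast. Note that in both modes the PTK changes on every hop because the nonces do.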
