Configure 802.11r WLAN using CLI and GUI on Converged Access (5760 WLC and Catalyst 3850)
Karthickeyan Prabanandhan is a Senior Test Engineer (CCNP, CWNP) in the Wireless Engineering Team, currently preparing for his CCIE Wireless lab. In this video series Karthick will explain "How to configure a 11r WLAN using CLI and GUI and show us the 11r roaming" on Converged Access (Cisco 5760 WLC and Cisco Catalyst 3850).
802.11r, also known as Fast Transition (FT), is the IEEE standard for fast secure roaming. It introduces a new concept of roaming where the initial handshake with the new AP is done even before the client roams to the target AP. The initial handshake allows the client and APs to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys are applied to the client and AP after the client does the re-association request or response exchange with the new target AP.
The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without requiring re-authentication at every AP. The summary of the key hierarchy is given below. 802.11r eliminates much of the handshaking overhead while roaming, thus reducing the handoff times between APs while providing security and QoS. This is useful for client devices that have delay-sensitive applications like voice and video, and it is a key requirement for voice over Wi-Fi.
Summary of the key hierarchy:
An MSK is still derived on the client supplicant and the Authentication Server from the initial 802.1X/EAP authentication phase (it is transferred from the Authentication Server to the Authenticator (WLC) once the authentication is successful). This MSK, like in the other methods, is used as the seed for the FT key hierarchy. When you use WPA2-PSK instead of an EAP authentication method, the PSK is basically this MSK.
A Pairwise Master Key R0 (PMK-R0), the first-level key of the FT key hierarchy, is derived from the MSK. The key holders for this PMK-R0 are the WLC and the client.
A second-level key, called a Pairwise Master Key R1 (PMK-R1), is derived from the PMK-R0, and the key holders are the client and the APs managed by the WLC that holds the PMK-R0.
The third and final level key of the FT key hierarchy is the PTK, which is the final key used in order to encrypt the 802.11 unicast data frames (similar to the other methods that use WPA/TKIP or WPA2/AES). With FT, this PTK is derived from the PMK-R1, and the key holders are the client and the APs managed by the WLC.
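The three-level hierarchy above, as an added Python example that is not part of the original post or of any Cisco code: it follows the HMAC-SHA256 counter-mode KDF and the "FT-R0", "FT-R1" and "FT-PTK" labels of the IEEE 802.11 FT key derivation. The MSK, SSID, mobility domain ID, key-holder IDs, MAC addresses and nonces are constructed sample values, and using the WLC name as R0KH-ID and the AP MAC as R1KH-ID is an assumption.

```python
import hashlib
import hmac
import struct

def kdf(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """802.11 KDF: HMAC-SHA256(key, counter || label || context || length)."""
    out = b""
    for i in range(1, (bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: bits // 8]

def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    # Level 1: bound to the SSID, the mobility domain and the R0 key holder.
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    data = kdf(xxkey, b"FT-R0", ctx, 384)
    pmk_r0, salt = data[:32], data[32:]
    return pmk_r0, hashlib.sha256(b"FT-R0N" + salt).digest()[:16]

def derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh_id, s1kh_id):
    # Level 2: one PMK-R1 per (AP, client) pair, all from the same PMK-R0.
    pmk_r1 = kdf(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, name

def derive_ptk(pmk_r1, snonce, anonce, bssid, sta_addr, bits=384):
    # Level 3: 384 bits for CCMP (KCK, KEK and TK of 128 bits each).
    return kdf(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta_addr, bits)

# Constructed sample values; real nonces are random per handshake.
MSK = bytes(range(64))
XXKEY = MSK[32:64]                  # 802.1X case: second 256 bits of the MSK
SSID, MDID = b"ft-lab", bytes.fromhex("a1b2")
R0KH_ID = b"wlc-5760"               # assumed R0 key-holder identifier
STA = bytes.fromhex("020000000001")
AP1 = bytes.fromhex("0200000000a1")
AP2 = bytes.fromhex("0200000000a2")
SNONCE, ANONCE = b"\x11" * 32, b"\x22" * 32

def roam_demo():
    """Derive keys for the first AP and for the roam target from one PMK-R0."""
    pmk_r0, r0_name = derive_pmk_r0(XXKEY, SSID, MDID, R0KH_ID, STA)
    keys = {"pmk_r0": pmk_r0}
    for tag, ap in (("ap1", AP1), ("ap2", AP2)):
        pmk_r1, _ = derive_pmk_r1(pmk_r0, r0_name, ap, STA)
        keys["pmk_r1_" + tag] = pmk_r1
        keys["ptk_" + tag] = derive_ptk(pmk_r1, SNONCE, ANONCE, ap, STA)
    return keys

if __name__ == "__main__":
    for name, value in roam_demo().items():
        print(f"{name:12} {value.hex()}")
```

Both APs get their PMK-R1 from the same PMK-R0 without a new 802.1X/EAP exchange, yet each AP ends up with a distinct PMK-R1 and PTK, so a key held by one AP does not reveal the key used at another.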