What is CCKM, and how does it affect Fast and Secure Roaming?
Some applications that run on a client device may require fast roaming between Access Points (APs). Voice applications, for example, require seamless roaming to prevent delays and gaps in conversation. Support for fast roaming is available for LEAP-enabled clients in Install Wizard version 1.1 or later.
CCKM Fast Secure Roaming
CCKM (Cisco Centralized Key Management) fast secure roaming is enabled automatically for CB21AG and PI21AG clients using WPA/WPA2/CCKM with LEAP, EAP-FAST, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2). However, this feature must be enabled on the access point.
During normal operation, EAP-enabled clients mutually authenticate with a new access point by performing a complete EAP authentication, including communication with the main RADIUS server. However, when you configure your wireless LAN for CCKM fast secure roaming, EAP-enabled clients securely roam from one access point to another without the need to reauthenticate with the RADIUS server. Using Cisco Centralized Key Management (CCKM), an access point that is configured for wireless domain services (WDS) uses a fast rekeying technique that enables Cisco client devices to roam from one access point to another typically in under 150 milliseconds (ms). CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions.
If you want to enable CCKM fast secure roaming on the client adapter, you must choose the WPA/WPA2/CCKM security option on the Profile Management (Security) window, regardless of whether you want the adapter to use WPA or WPA2. The configuration of the access point to which your client adapter associates determines whether CCKM will be used with 802.1x, WPA, or WPA2.
Access points must use Cisco IOS Release 12.2(11)JA or later to enable CCKM fast secure roaming. Refer to the documentation for your access point for instructions on enabling this feature.
The Microsoft Wireless Configuration Manager and the Microsoft 802.1X supplicant, if installed, must be disabled in order for CCKM fast secure roaming to operate correctly. If your computer is running Windows XP and you chose to configure your client adapter using ADU during installation, these features should already be disabled. Similarly, if your computer is running Windows 2000, the Microsoft 802.1X supplicant, if installed, should already be disabled. Refer to Chapter 10, if you need additional information.
Cisco Centralized Key Management (CCKM) helps to improve roaming. Only the client can initiate the roaming process, which depends on factors such as these:
Overlap between APs
Distance between APs
Channel, signal strength, and load on the AP
Data rates and output power
When a wireless client starts to search for a stronger signal depends on its roaming algorithm, which differs between client cards. A Cisco wireless client card continually scans for a better AP. This causes the client card to look for a better AP when the signal strength of its associated AP is less than the specified value.
The user can specify the time and signal strength in ACU version 6.1 or later, which is included in Install Wizard version 1.1 or later.
CCKM-authenticated client devices can roam from one AP to another without any perceptible delay during reassociation. An AP on the network provides Wireless Domain Services (WDS) and creates a cache of security credentials for CCKM-enabled client devices on the subnet. The WDS AP's cache of credentials dramatically reduces the time required for reassociation when a CCKM-enabled client device roams to a new AP. When a client device roams, the WDS AP forwards the client's security credentials to the new AP. The reassociation process is reduced to a two-packet exchange between the roaming client and the new AP. Roaming clients reassociate so quickly that there is no perceptible delay in voice or other time-sensitive applications.
CCKM (Cisco Centralized Key Management)
Wireless Domain Services (WDS)
CCKM settings can be configured on both the AP (Cisco IOS) and the client. CCKM is not supported on VxWorks-based APs.
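The AP-side pieces described above (one AP acting as WDS, the other APs registering with it, and CCKM key management on the SSID), shown as an added Cisco IOS configuration example that is not taken from the original page. Values in angle brackets and the method-list names (method_infra, method_client, eap_methods) are placeholders; the RADIUS server and the AAA method lists are assumed to be defined elsewhere in the configuration, and the AES cipher assumes a WPA2-capable release.

```cisco_ios
! ---- On the AP that provides Wireless Domain Services (WDS) ----
aaa new-model
! Method list used to authenticate the other APs to the WDS (assumed defined)
wlccp authentication-server infrastructure method_infra
! Method list used to authenticate client devices through the WDS (assumed defined)
wlccp authentication-server client any method_client
! Advertise this AP as a WDS candidate; the highest priority wins the election
wlccp wds priority 200 interface BVI1
!
! ---- On every AP that clients roam between (including the WDS AP) ----
aaa new-model
! Credentials this AP uses to register with the WDS (placeholders)
wlccp ap username <WLCCP-USER> password <WLCCP-PASSWORD>
!
dot11 ssid <SSID>
 ! EAP authentication for clients on this SSID (list name is a placeholder)
 authentication network-eap eap_methods
 ! Allow WPA key management with CCKM fast secure roaming
 authentication key-management wpa cckm
!
interface Dot11Radio0
 ! A cipher is required once WPA key management is enabled
 encryption mode ciphers aes-ccm
 ssid <SSID>
```

After applying it, `show wlccp wds ap` on the WDS AP and `show wlccp ap` on the other APs confirm that registration succeeded, which is the precondition for the cached-credential roam.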