I want to implement fast secure roaming (Cisco CCKM) in order to reduce the re-authentication time when roaming from one AP to another.
I have tried different configurations with different clients but it's not working.
Has anyone already implemented this ?
I have a WLC running the latest version (4.1).
My SSID is configured for WPA1/WPA2 with 802.1x + CCKM. As EAP type, I have tested P-EAP MSCHAPv2 and EAP-TLS.
The client tested is a Dell Laptop with the Intel Pro 3945a/b/g wireless card (latest release, CCXv4 compatible).
Any idea why it is not working ?
You will find in attach:
- screenshot from WCS
- screenshot from log analysis during roaming.
- screenshot of SSID layer 2 security configuration
Thanks for your help
Are you roaming betwen APs on same controller? Also can you confirm if your SSID is mapped to dynamic interface on controller or management interface?
Yes, the APs are on the same controller (there is only one controller in my setup).
The SSID is mapped to a dynamic interface, not the management.
There are some known issues with CCKM.
There is a bug "CSCsg69021" which is release noted also. The bug says "Fast roaming with WPA2+CCKM on dynamic interfaces may not operate properly"
Have a look at this link
and you can search for CCKM for known issues in the latest release.
*Pls rate all helpfull post
If you look at the client details, I'm using WPA1 not WPA2. However, AES is used.
I have also done some test with 802.1x only (no WPA) and CCKM still does not work.
Do you have a list of the configuration working ?
The bug you mentioned is resolved
CSCsg69021 [QDDTS] [CCO]
Internally found moderate (Sev3) bug: Resolved (R) In BE-MR2, fast roaming for WPA2+CCKM on dynamic interface does not work
Integrated in 004.000(206.000) 004.001(171.000)
Verified Release 004.000(199.000)
My mistake this bug is under resolved caveats in release note.
Can you give a try with configuring WPA + TKIP + authentication key management CCKM.
Also on controller just uncheck WPA2 and leave WPA 1 as checked.
We had the same issue with CCKM and the intel cards. Per Cisco the recommendation was to disable CCKM if using intel cards and this resolved our issues. Our clients were disconnected 10-12 times per 8 hour shift. In our environment CCKM wasn't needed for fast roaming which I was suprised by but my testing confirmed this.
What version of the Intel PROSet utility are you using? What's the OS platform?
Has this problem manifested itself in client data rates progressively dropping until they are disconnected?
We are (still) having this issue running 11.x of PROSet under Win2k. This version fixed the issue under XP.