
How to setup CCKM

BJCiscoUser
Level 1

Hi,

We are rolling out 20+ APs (1042N-E-K9) and one of the VLANs is used for VoIP. We would like to enable CCKM, but are a little unsure of how to go about it after reading through much of the documentation. We have successfully enabled one AP to serve as a WDS master, and the APs show up as registered. Below are some of our questions:

     1. On the AP, what should be the settings for the SSID on which we want to enable CCKM?

          a. What encryption modes are allowed: can we use TKIP or AES-CCMP, or are we obliged to use CKIP-CMIC?

          b. For the SSID, can we enable both CCKM and WPA? And is CCKM with WPA2 supported (cipher AES-CCMP)?

          c. For AP authentication, what method should we choose? TLS, FAST, or is any of them allowed?

     2. On the client machines (we are testing with a Lenovo laptop, CCXv4, and Intel PROSet tools):

          a. We understand that we can choose EAP-TLS for the clients and that should be OK; is that correct?

          b. Do we need to use EAP-FAST or LEAP? And if that is the case, then it seems that MS NPS server as RADIUS is not supported…

We would very much appreciate any help with the above questions. As mentioned, we have read through the various documentation, but we are still unclear on the points above.

Greetings!

Erik-Benjamin Povlsen

Accepted Solution

Stephen Rodriguez
Cisco Employee

Erik, welcome to support forums!

1.) For CCKM and CCXv4 you should use WPA/TKIP/CCKM.  CCXv5 supports WPA2/AES/CCKM.

2.) TLS or PEAP will work fine.  You do not have to do FAST or LEAP.  IMHO LEAP needs to go the way of WEP and the dodo.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


10 Replies


Hi Stephen,

Thank you for taking time to answer our questions!

So just to be sure of our setup, using CCXv4, something like this will be OK?

dot11 ssid VOIP
   vlan 5
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa cckm
   dot1x eap profile TLS
   mobility network-id 5

interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 5 mode ciphers tkip

And then for the client setup just simple EAP-TLS, with certificates...

Thanks again for helping us out!

Erik-Benjamin Povlsen

dot1x eap profile TLS
mobility network-id 5

The above is not needed.  That dot1x profile is for if you were using the radio as a bridge and wanted to do 802.1x.  WDS goes out over the Ethernet to find the 'master' and register/join there for key management.

The mobility network-id command is for WLSM.

But other than those two things that should be removed, the rest of the config looks fine.  Just make sure you define the subinterfaces on the radio and FastEthernet interfaces.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
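
As an added example (written for this page; it is not code from the thread or from Cisco), the following Python linter encodes the rules the two replies above give for a CCKM SSID on an autonomous AP: EAP authentication rather than PSK, a radio cipher CCKM can key on the SSID's VLAN (TKIP for CCXv4 clients, AES-CCMP for CCXv5), a binding to the radio with `ssid <name>`, no leftover `dot1x eap profile` / `mobility network-id` lines, and a `wlccp ap username` so the AP can register with the WDS. The `TOP_LEVEL` keyword list is an assumption about IOS config grammar (pasted configs usually lose their indentation, so block ends are detected by keyword), and `SAMPLE_CONFIG` is a constructed fragment modelled on the VOIP SSID posted in the thread.

```python
"""Lint an autonomous Cisco IOS AP config for CCKM prerequisites (added example for
this page, not Cisco tooling).  TOP_LEVEL is an assumed list of keywords that end an
ssid/interface block; it stands in for the indentation pasted configs lose."""
import re
from dataclasses import dataclass, field

CCKM_CIPHERS = {"tkip": "CCXv4", "aes-ccm": "CCXv5"}   # cipher -> CCX generation (from the thread)
TOP_LEVEL = ("dot11 ", "interface ", "aaa ", "radius-server", "wlccp ", "eap profile", "username ",
             "bridge ", "ip default-gateway", "ip http", "ip radius", "line ", "policy-map", "hostname ", "end")


@dataclass
class Ssid:
    name: str
    vlan: int = 0                 # 0 = no 'vlan N' seen (0 is not a valid VLAN)
    key_mgmt: str = ""            # text after 'authentication key-management'
    eap: bool = False             # saw 'authentication open eap' or 'network-eap'
    leftovers: list = field(default_factory=list)


def parse_ap_config(text):
    """Collect SSIDs, per-VLAN radio ciphers, radio SSID bindings and the WDS client line."""
    ssids, ciphers, bound, wlccp_ap, block = {}, {}, set(), False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                  # '!' separates blocks but closes none
        if line.startswith(TOP_LEVEL):
            block = None
            if m := re.match(r"dot11 ssid (.+)$", line):
                block = ssids.setdefault(m.group(1), Ssid(m.group(1)))
            elif re.match(r"interface Dot11Radio\d+$", line):
                block = "radio"                       # sub-interfaces carry no ssid/cipher lines
            elif line.startswith("wlccp ap username "):
                wlccp_ap = True
            continue
        if isinstance(block, Ssid):
            if m := re.match(r"vlan (\d+)$", line):
                block.vlan = int(m.group(1))
            elif m := re.match(r"authentication key-management (.+)$", line):
                block.key_mgmt = m.group(1)
            elif re.match(r"authentication (open eap|network-eap) ", line):
                block.eap = True
            elif line.startswith(("dot1x eap profile", "mobility network-id")):
                block.leftovers.append(line)
        elif block == "radio":
            if m := re.match(r"encryption vlan (\d+) mode ciphers (.+)$", line):
                ciphers[int(m.group(1))] = m.group(2).split()   # may list several ciphers
            elif m := re.match(r"ssid (.+)$", line):
                bound.add(m.group(1))
    return ssids, ciphers, bound, wlccp_ap


def lint_cckm(text):
    """Return {'cckm': {ssid: [CCX generations that can fast-roam on it]}, 'findings': [...]}."""
    ssids, ciphers, bound, wlccp_ap = parse_ap_config(text)
    out = {"cckm": {}, "findings": []}
    bad = out["findings"]
    if not wlccp_ap:
        bad.append("no 'wlccp ap username ...': this AP cannot register with the WDS")
    for s in ssids.values():
        if "cckm" not in s.key_mgmt.split():
            continue                                  # plain WPA/WPA2 SSID: nothing to check
        who = f"ssid {s.name}"
        if not s.eap:
            bad.append(f"{who}: CCKM needs EAP (open eap / network-eap), not PSK")
        if s.name not in bound:
            bad.append(f"{who}: not bound to a Dot11Radio interface with 'ssid {s.name}'")
        gens = sorted(CCKM_CIPHERS[c] for c in ciphers.get(s.vlan, []) if c in CCKM_CIPHERS)
        if gens:
            out["cckm"][s.name] = gens
        else:
            bad.append(f"{who}: no CCKM-capable 'encryption vlan {s.vlan or '?'} mode ciphers' on the radio")
        for line in s.leftovers:
            bad.append(f"{who}: remove '{line}' (bridge/WLSM command, unused by WDS/CCKM)")
    return out


# Constructed sample, not a config from the thread: the VOIP SSID as posted, with the two
# lines the reply says to remove, a WPA2 SSID without CCKM, and a CCKM SSID set up wrongly.
SAMPLE_CONFIG = """\
dot11 ssid VOIP
   vlan 3
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa cckm
   dot1x eap profile TLS
   mobility network-id 3
!
dot11 ssid Network1
   vlan 7
   authentication key-management wpa version 2
!
dot11 ssid Network2
   vlan 6
   authentication open
   authentication key-management wpa cckm
!
interface Dot11Radio0
 encryption vlan 3 mode ciphers tkip
 encryption vlan 7 mode ciphers aes-ccm
 !
 ssid VOIP
 ssid Network1
 station-role root
!
wlccp ap username wdsuser password wdspassword
end
"""
```

Run it on a `show running-config` capture: `lint_cckm(open("ap.cfg").read())`. On the sample it reports the two leftover lines on VOIP and three problems on Network2, and records that VOIP can fast-roam CCXv4 clients (TKIP); with `ciphers aes-ccm tkip` it would list both generations.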


Thank you very much, this solved our issues.

Very nice support!

Erik-Benjamin Povlsen

Hi again Steve,

Yesterday we tried the new configuration per your suggestions. But the fast roaming (CCKM) is not working.

We are not exactly sure of what we have wrong in our configuration.

I am pasting here two configuration examples, one for our WDS master and one for a client AP; all are test configurations. We would appreciate it if you have an idea of what we have wrong here. Thanks in advance!

## AP-WDS MASTER CONFIG ##

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP2
!
logging rate-limit console 9
enable secret MyEnableSecret
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius infra_devices
 server 10.12.1.109 auth-port 1812 acct-port 1813
!
aaa group server radius client_devices
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_infra_devices group infra_devices
aaa authentication login method_client_devices group client_devices
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name Network1 vlan 7
dot11 vlan-name Network2 vlan 6
dot11 vlan-name Network3 vlan 5
dot11 vlan-name Network4 vlan 4
dot11 vlan-name VoIP vlan 3
!
dot11 ssid Network1
   vlan 7
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii MyWPAGuestKey
!
dot11 ssid Network2
   vlan 6
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa cckm
!
dot11 ssid VOIP
   vlan 3
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa cckm
!
dot11 ssid Network4
   vlan 4
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
!
eap profile TLS
 method tls
!
eap profile FAST
 method fast
!
!
!
username Me privilege 15 password 0 MySpecialPassword
!
!
!
policy-map VoIPTraffic
 class class-default
  set cos 6
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 7 mode ciphers aes-ccm
 !
 encryption vlan 6 mode ciphers tkip
 !
 encryption vlan 5 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers tkip
 !
 encryption vlan 4 mode ciphers aes-ccm
 !
 ssid Network5
 !
 ssid Network4
 !
 ssid VOIP
 !
 ssid Network6
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
 no ip route-cache
 bridge-group 7
 bridge-group 7 subscriber-loop-control
 bridge-group 7 block-unknown-source
 no bridge-group 7 source-learning
 no bridge-group 7 unicast-flooding
 bridge-group 7 spanning-disabled
!
interface Dot11Radio0.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
 bridge-group 4 spanning-disabled
!
interface Dot11Radio0.6
 encapsulation dot1Q 6
 no ip route-cache
 bridge-group 6
 bridge-group 6 subscriber-loop-control
 bridge-group 6 block-unknown-source
 no bridge-group 6 source-learning
 no bridge-group 6 unicast-flooding
 bridge-group 6 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
 service-policy input VoIPTraffic
 service-policy output VoIPTraffic
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 no ip route-cache
 bridge-group 7
 no bridge-group 7 source-learning
 bridge-group 7 spanning-disabled
!
interface GigabitEthernet0.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 no bridge-group 4 source-learning
 bridge-group 4 spanning-disabled
!
interface GigabitEthernet0.6
 encapsulation dot1Q 6
 no ip route-cache
 bridge-group 6
 no bridge-group 6 source-learning
 bridge-group 6 spanning-disabled
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
 service-policy input VoIPTraffic
 service-policy output VoIPTraffic
!
interface GigabitEthernet0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 5
 no bridge-group 5 source-learning
 bridge-group 5 spanning-disabled
!
interface BVI1
 ip address 10.12.1.109 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.12.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.12.12.12 auth-port 1645 acct-port 1646 key NPSKey109
radius-server vsa send accounting
bridge 1 route ip
!
radius-server local
  no authentication eapfast
  no authentication mac
  nas 10.12.1.101 key 0 WDSKey101
  nas 10.12.1.102 key 0 WDSKey102
  nas 10.12.1.103 key 0 WDSKey103
  nas 10.12.1.104 key 0 WDSKey104
  nas 10.12.1.105 key 0 WDSKey105
  nas 10.12.1.106 key 0 WDSKey106
  nas 10.12.1.107 key 0 WDSKey107
  nas 10.12.1.108 key 0 WDSKey108
  nas 10.12.1.109 key 0 WDSKey109
  user wdsuser password wdspassword
radius-server host 10.12.1.109 auth-port 1812 acct-port 1813 key 0 WDSKey109
radius-server attribute 32 include-in-access-req format %h
!
!
wlccp wds priority 254 interface BVI1
wlccp ap username wdsclientap password wdspassword
wlccp authentication-server infrastructure method_infra_devices
wlccp authentication-server client eap method_client_devices
wlccp authentication-server client leap method_client_devices
!
!
!
line con 0
line vty 0 4
!
end

## AP CLIENT CONFIG EXAMPLE ##

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1
!
logging rate-limit console 9
enable secret MyEnableSecret
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius infra_devices
 server 10.12.1.109 auth-port 1812 acct-port 1813
!
aaa group server radius client_devices
 server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_infra_devices group infra_devices
aaa authentication login method_client_devices group client_devices
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name Network1 vlan 7
dot11 vlan-name Network2 vlan 6
dot11 vlan-name Network3 vlan 5
dot11 vlan-name Network4 vlan 4
dot11 vlan-name VoIP vlan 3
!
dot11 ssid Network1
   vlan 7
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii MyWPAGuestKey
!
dot11 ssid Network2
   vlan 6
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa cckm
!
dot11 ssid VOIP
   vlan 3
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa cckm
!
dot11 ssid Network4
   vlan 4
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
!
eap profile TLS
 method tls
!
eap profile FAST
 method fast
!
!
!
username Me privilege 15 password 0 MySpecialPassword
!
!
!
policy-map VoIPTraffic
 class class-default
  set cos 6
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 7 mode ciphers aes-ccm
 !
 encryption vlan 6 mode ciphers tkip
 !
 encryption vlan 5 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers tkip
 !
 encryption vlan 4 mode ciphers aes-ccm
 !
 ssid Network5
 !
 ssid Network4
 !
 ssid VOIP
 !
 ssid Network6
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
 no ip route-cache
 bridge-group 7
 bridge-group 7 subscriber-loop-control
 bridge-group 7 block-unknown-source
 no bridge-group 7 source-learning
 no bridge-group 7 unicast-flooding
 bridge-group 7 spanning-disabled
!
interface Dot11Radio0.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
 bridge-group 4 spanning-disabled
!
interface Dot11Radio0.6
 encapsulation dot1Q 6
 no ip route-cache
 bridge-group 6
 bridge-group 6 subscriber-loop-control
 bridge-group 6 block-unknown-source
 no bridge-group 6 source-learning
 no bridge-group 6 unicast-flooding
 bridge-group 6 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
 service-policy input VoIPTraffic
 service-policy output VoIPTraffic
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 no ip route-cache
 bridge-group 7
 no bridge-group 7 source-learning
 bridge-group 7 spanning-disabled
!
interface GigabitEthernet0.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 no bridge-group 4 source-learning
 bridge-group 4 spanning-disabled
!
interface GigabitEthernet0.6
 encapsulation dot1Q 6
 no ip route-cache
 bridge-group 6
 no bridge-group 6 source-learning
 bridge-group 6 spanning-disabled
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
 service-policy input VoIPTraffic
 service-policy output VoIPTraffic
!
interface GigabitEthernet0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 5
 no bridge-group 5 source-learning
 bridge-group 5 spanning-disabled
!
interface BVI1
 ip address 10.12.1.108 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.12.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.12.12.12 auth-port 1645 acct-port 1646 key NPSKey108
radius-server vsa send accounting
bridge 1 route ip
!
radius-server host 10.12.1.109 auth-port 1812 acct-port 1813 key 0 WDSKey108
radius-server attribute 32 include-in-access-req format %h
!
!
wlccp ap username wdsuser password wdspassword
!
!
!
line con 0
line vty 0 4
!
end

On which WLAN is the fast roaming not working?  If it's the Voice, what model of phone and firmware are you running? FYI 7921/25/26 should be 1.4(3).

If you do a show wds ap on the master, do you see all the APs registered?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Hi,

The fast roaming is not working on the VOIP WLAN. We are not testing with a phone, but with a Lenovo laptop (softphone), running CCXv4 and configured with (Intel PROSet) WPA-Enterprise, TKIP, TLS with user certificate.

If we run the command show wlccp wds ap, all APs show up as registered.
If we run the command show wlccp wds mn detail, the client (associated to another AP) shows up with the following details:

BSS: c8f9.f9a6.f270, SSID: VOIP
Vlan Assigned by AAA: 3

Ntwrk-ID:   -
Key Mgmt: CCKM,  Authentication: EAP
Posture Token:
Up-time: 00:33:36, Lifetime: 127

We have this in the WDS master config, is this ok?

radius-server local
  no authentication eapfast
  no authentication leap
  no authentication mac

Thanks for your help.

Hi Steve,

As an update to my own post, I remember having read somewhere that if we implement CCKM, having the AAA server hand out the VLAN ID is not allowed/supported, so I disabled that option. That seems to have made things better...

Anyway, we are not completely satisfied with our testing. Is there a command we can run to see if CCKM is working? I remember having read about a command showing the CCKM ID assigned to the client, but I do not remember the exact syntax.

Thanks once again for your time.

Check the ~mn command:

show wlccp ap
    Use this command on access points participating in CCKM to display the WDS device's MAC address, the WDS device's IP address, the access point's state (authenticating, authenticated, or registered), the IP address of the infrastructure authenticator, and the IP address of the client device (MN) authenticator.

show wlccp wds {ap | mn} [detail] [mac-addr mac-address]
    On the WDS device only, use this command to display cached information about access points and client devices.

    ap: Use this option to display access points participating in CCKM. The command displays each access point's MAC address, IP address, state (authenticating, authenticated, or registered), and lifetime (seconds remaining before the access point must reauthenticate). Use the mac-addr option to display information about a specific access point.

    mn: Use this option to display cached information about client devices, also called mobile nodes. The command displays each client's MAC address, IP address, the access point to which the client is associated (cur-AP), and state (authenticating, authenticated, or registered). Use the detail option to display the client's lifetime (seconds remaining before the client must reauthenticate), SSID, and VLAN ID. Use the mac-addr option to display information about a specific client device.

    If you only enter show wlccp wds, the command displays the access point's IP address, MAC address, priority, and interface state (administratively standalone, active, backup, candidate, or WDS-only).

    If the state is backup, the command also displays the current WDS device's IP address, MAC address, and priority.

    If the state is WDS-only, the command displays the device's MAC address, IP address, interface state, access point count, and mobile node count.

Using Debug Messages

In privileged exec mode, use these debug commands to control the display of debug messages for devices interacting with the WDS device:

debug wlccp ap {mn | wds-discovery | state}
    Use this command to turn on display of debug messages related to client devices (mn), the WDS discovery process, and access point authentication to the WDS device (state).

debug wlccp dump
    Use this command to perform a dump of WLCCP packets received and sent in binary format.

debug wlccp packet
    Use this command to turn on display of packets to and from the WDS device.

debug wlccp wds [aggregator | authenticator | nm | state | statistics]
    Use this command and its options to turn on display of WDS debug messages. Use the statistics option to turn on display of failure statistics.

debug wlccp wds authenticator {all | dispatcher | mac-authen | process | rxdata | state-machine | txdata}
    Use this command and its options to turn on display of WDS debug messages related to authentication.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

You should be able to do a show dot11 association <mac address> and see what the keying is.  Or the show wlccp wds mn detail shows that the client is CCKM.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
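
As an added example (written for this page; not a Cisco tool and not code from the thread), the Python below parses `show wlccp wds mn detail` output from the WDS master, the command the reference and the reply above point to for checking whether a client is really CCKM-keyed, and also diffs two snapshots of it to list clients that moved between APs while staying CCKM-keyed. The parser keys on `Name: value` pairs rather than column positions. The per-record header line (`MAC: ..., IP-ADDR: ..., State: ..., cur-AP: ...`) is an assumption built from the field list in the command reference; the detail lines copy the ones quoted earlier in the thread, and the `WPAv2` key-management label for the non-CCKM client is a constructed placeholder. The AAA-assigned-VLAN note is informational only, because the poster reported that dynamic VLAN assignment interfered with CCKM; the page gives no rule beyond that.

```python
"""Parse 'show wlccp wds mn detail' and report which mobile nodes are CCKM-keyed.
Added example for this page, not a Cisco tool.  The MAC/IP-ADDR/State/cur-AP header
line and the 'WPAv2' label are assumptions; the other detail lines follow the thread."""
import re

# 'Name: value' pairs separated by commas; values may contain ':' (e.g. Up-time).
PAIR = re.compile(r"([A-Za-z][A-Za-z -]*?):\s*([^,]*?)(?:,\s*|$)")

# Constructed sample: record 1 copies the detail lines quoted in the thread (CCKM client
# on VOIP); record 2 is a client that only did a plain WPA2 handshake.
SAMPLE_MN_DETAIL = """\
MAC: 0021.6a1b.2c3d, IP-ADDR: 10.12.3.21, State: REGISTERED, cur-AP: 10.12.1.108
BSS: c8f9.f9a6.f270, SSID: VOIP
Vlan Assigned by AAA: 3

Ntwrk-ID:   -
Key Mgmt: CCKM,  Authentication: EAP
Posture Token:
Up-time: 00:33:36, Lifetime: 127

MAC: 0024.d7aa.bb01, IP-ADDR: 10.12.4.15, State: REGISTERED, cur-AP: 10.12.1.109
BSS: c8f9.f9a6.f380, SSID: Network4
Vlan Assigned by AAA: -

Ntwrk-ID:   -
Key Mgmt: WPAv2,  Authentication: EAP
Posture Token:
Up-time: 01:02:11, Lifetime: 3482
"""


def parse_mn_detail(text):
    """One dict per client; a new record starts at every 'MAC:' line."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("MAC:"):
            cur = {}
            records.append(cur)
        if cur is None or not line.strip():
            continue
        for key, value in PAIR.findall(line):
            cur[key.strip()] = value.strip()
    return records


def check_cckm(records):
    """MAC -> {'cckm': bool, 'ssid', 'ap', 'notes'}; cckm is True only when the WDS shows the
    client REGISTERED, EAP-authenticated and with CCKM key management."""
    report = {}
    for r in records:
        notes = []
        if r.get("Key Mgmt", "").upper() != "CCKM":
            notes.append(f"key management is '{r.get('Key Mgmt') or '?'}', not CCKM")
        if r.get("Authentication", "").upper() != "EAP":
            notes.append("not EAP-authenticated; CCKM keys are derived from an EAP session")
        if r.get("State", "").upper() != "REGISTERED":
            notes.append(f"state '{r.get('State')}': not registered with the WDS")
        cckm = not notes
        vlan = r.get("Vlan Assigned by AAA", "-")
        if vlan not in ("", "-"):            # informational: the poster found this interfered
            notes.append(f"VLAN {vlan} assigned by AAA (dynamic VLAN; see the post above)")
        report[r["MAC"]] = {"cckm": cckm, "ssid": r.get("SSID"), "ap": r.get("cur-AP"), "notes": notes}
    return report


def roam_events(before, after):
    """MACs whose cur-AP changed between two snapshots while CCKM-keyed in both, i.e. roams
    the WDS handled under CCKM.  That the roam skipped a full EAP exchange is not visible
    here; confirm it with 'debug wlccp wds authenticator' or the RADIUS server's log."""
    prev = {r["MAC"]: r for r in before}
    return [r["MAC"] for r in after
            if r["MAC"] in prev
            and prev[r["MAC"]].get("cur-AP") != r.get("cur-AP")
            and prev[r["MAC"]].get("Key Mgmt") == "CCKM" == r.get("Key Mgmt")]


if __name__ == "__main__":
    for mac, info in check_cckm(parse_mn_detail(SAMPLE_MN_DETAIL)).items():
        print(mac, info["ssid"], "CCKM" if info["cckm"] else "NOT CCKM", info["notes"])
```

Capture the command output before and after walking the client between two APs, feed both captures to `parse_mn_detail`, and `roam_events` names the clients whose cur-AP changed under CCKM; `check_cckm` on either snapshot shows whether the VOIP client is keyed with CCKM at all.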
