05-03-2007 09:43 AM - edited 07-03-2021 02:01 PM
Hello,
I want to implement fast secure roaming (Cisco CCKM) in order to reduce the re-authentication time when roaming from one AP to another.
I have tried different configurations with different clients but it's not working.
Has anyone already implemented this?
I have a WLC running the latest version (4.1).
My SSID is configured for WPA1/WPA2 with 802.1x + CCKM. As EAP type, I have tested PEAP MSCHAPv2 and EAP-TLS.
The client tested is a Dell Laptop with the Intel Pro 3945a/b/g wireless card (latest release, CCXv4 compatible).
Any idea why it is not working?
You will find attached:
- screenshot from WCS
- screenshot from log analysis during roaming.
- screenshot of SSID layer 2 security configuration
Thanks for your help
05-03-2007 09:43 AM
Hi Friend,
Are you roaming between APs on the same controller? Also, can you confirm whether your SSID is mapped to a dynamic interface on the controller or to the management interface?
Regards,
Ankur
05-09-2007 05:50 AM
Hello,
Yes, the APs are on the same controller (there is only one controller in my setup).
The SSID is mapped to a dynamic interface, not the management.
Rdgs,
Gaetan
05-09-2007 06:04 AM
Hi Gaetan,
There are some known issues with CCKM.
There is a bug "CSCsg69021" which is also release noted. The bug says "Fast roaming with WPA2+CCKM on dynamic interfaces may not operate properly".
Have a look at this link:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/c41170rn.htm
and you can search for CCKM for known issues in the latest release.
HTH
Ankur
*Pls rate all helpful posts
05-09-2007 06:30 AM
Thanks,
If you look at the client details, I'm using WPA1 not WPA2. However, AES is used.
I have also done some tests with 802.1x only (no WPA) and CCKM still does not work.
Do you have a list of working configurations?
Tx,
Gaetan
Rgds,
Gaetan
05-09-2007 08:17 AM
Hello,
The bug you mentioned is resolved:
-----------------------------------------------------------
CSCsg69021 [QDDTS] [CCO]
Internally found moderate (Sev3) bug: Resolved (R) In BE-MR2, fast roaming for WPA2+CCKM on dynamic interface does not work
Integrated in 004.000(206.000) 004.001(171.000)
Verified Release 004.000(199.000)
05-09-2007 08:26 AM
Hi Friend,
My mistake, this bug is under resolved caveats in the release notes.
Can you try configuring WPA + TKIP + authentication key management CCKM?
Also, on the controller just uncheck WPA2 and leave WPA1 checked.
Regards,
Ankur
05-10-2007 03:25 AM
Hello,
I've tried this but now my client cannot authenticate anymore.
802.1x seems to be a mandatory option.
Any idea?
Rgds
05-24-2007 07:34 AM
We had the same issue with CCKM and the Intel cards. Per Cisco, the recommendation was to disable CCKM if using Intel cards, and this resolved our issues. Our clients were disconnected 10-12 times per 8-hour shift. In our environment CCKM wasn't needed for fast roaming, which I was surprised by, but my testing confirmed this.
05-27-2007 10:14 AM
Hey,
What version of the Intel PROSet utility are you using? What's the OS platform?
Has this problem manifested itself in client data rates progressively dropping until they are disconnected?
Thanks,
We are (still) having this issue running 11.x of PROSet under Win2k. This version fixed the issue under XP.