10-31-2017 10:09 AM - edited 07-05-2021 07:47 AM
Could anyone confirm whether CCXv4 or below support WPA2/AES?
The link below seems to allude to the fact that only CCXv5 supports this feature:
"CCX Version 5 is not widely adopted, so CCKM with WPA2/AES is not supported by many CCX wireless clients (mainly because most of them already support CCKM with WPA/TKIP, which is still very secure)."
However, the following link (pg6) seems to state that WPA2 was supported in CCXv3
https://www.cisco.com/web/partners/downloads/765/ccx/Comp_Ext_Cust_Preso.pdf
10-31-2017 11:41 AM
Hello @John5mith
I think that the confusion is related to the encryption algorithm and the key cache algorithm.
WPA2/AES as an encryption algorithm is widely supported and has been around for quite some time. According to the doc, since CCX3.
But WPA2/AES with CCKM as the key cache mechanism is different. This is related to the situation where WPA2/PSK requires full authentication on association and when roaming. This is pretty bad considering that roaming needs to be fast, mainly for voice devices. However, WPA2/PSK only supports CCKM when the device is CCX5, as per the doc.
In short, without CCX5 devices, theoretically, you need full authentication no matter whether you are associating or roaming.
-If I helped you somehow, please, rate it as useful.-
11-06-2017 06:03 AM
Thanks for your response, that has made it clearer, but I have found the doc below for some Cisco wireless handsets, and the document refers to CCXv4 and the use of CCKM with WPA/AES. Any ideas on whether this is referring to something else or whether the documentation is wrong?
11-06-2017 06:27 AM
I wouldn't say wrong, but a discrepancy might exist depending on the version or peculiarities.
I could read in this doc:
"CCKM was not supported with WPA2 in release 1.3(3) or earlier." (page 24)
"As of the 1.3(4) release, the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G support CCKM with WPA2 (AES or TKIP), WPA (TKIP or AES) and 802.1x (WEP) authentication, where WPA2 (AES) with CCKM is recommended."
We could suppose then that version 1.3(4) or earlier could be CCX5, as per the previous doc I've seen.
But instead of getting into an endless discussion, the best thing to do is perform tests. I don't have those phones available, but if you do, you can try to create an SSID with WPA2/PSK and enable CCKM, then test roaming and verify how fast it is.
You can enable some debugs on the WLC to validate whether full reauthentication is happening or not.
-If I helped you somehow, please, rate it as useful.-
03-11-2018 04:55 PM - edited 03-11-2018 05:11 PM
CCKM is a Cisco-proprietary key management variant of WPA/WPA2. Although Cisco APs advertise both CCKM and WPA/WPA2 capabilities, you can't use CCKM and WPA/WPA2 at the same time for a specific connection between a STA and the Cisco AP. For example, WPA/WPA2 uses a 4-way key handshake (except with 802.11r), and CCKM uses a 2-step handshake during fast-roam events.
Cisco CCXv4 supports CCKM key management with TKIP or AES-CCMP encryption for fast-roaming, using 802.1X authentication. The CCX logo certification tests verify this functionality.
Note that a CCXv4-enabled client also must support regular WPA2 key management with AES-CCMP encryption, although it won't perform CCKM fast-roaming of course.
I believe part of the confusion is because the documentation assumes WPA=TKIP and WPA2=AES. But WPA/WPA2 are key management protocols and TKIP/AES are encryption ciphers. Technically, the only supported settings should be WPA/TKIP and WPA2/AES-CCMP. However, many APs support mixed WPA/WPA2 mode where all key management and encryption combinations are possible.
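The split between key management and cipher described in the last reply is visible in the RSN information element a WLAN advertises, where the AKM suite list and the pairwise cipher list are separate fields. The parser below is an added example, not part of the thread or any Cisco code; the CCKM selector (Cisco OUI 00:40:96, type 0) is supplied here from the commonly used value, and the sample bytes are constructed.

```python
import struct

# Suite selectors are a 3-byte OUI plus a 1-byte type (IEEE 802.11 RSN element).
IEEE = bytes.fromhex("000fac")
CISCO = bytes.fromhex("004096")
CIPHERS = {(IEEE, 2): "TKIP", (IEEE, 4): "AES-CCMP"}
AKMS = {
    (IEEE, 1): "802.1X",
    (IEEE, 2): "PSK",
    (IEEE, 3): "FT-802.1X (802.11r)",
    (IEEE, 4): "FT-PSK (802.11r)",
    (CISCO, 0): "CCKM",
}


def _suites(body, off, table):
    """Read a count-prefixed suite list; return (names, next offset)."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("truncated suite list")
    names = []
    for i in range(count):
        sel = body[off + 4 * i: off + 4 * i + 4]
        names.append(table.get((sel[:3], sel[3]), "unknown " + sel.hex()))
    return names, off + 4 * count


def parse_rsn(body):
    """Parse the body of an RSN element (ID 48), without the ID/length bytes."""
    if len(body) < 6:
        raise ValueError("RSN element too short")
    (version,) = struct.unpack_from("<H", body, 0)
    group = CIPHERS.get((body[2:5], body[5]), "unknown " + body[2:6].hex())
    pairwise, off = _suites(body, 6, CIPHERS)   # encryption ciphers
    akm, off = _suites(body, off, AKMS)         # key management suites
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


# Constructed sample: WPA2 WLAN, AES-CCMP only, advertising 802.1X and CCKM.
SAMPLE = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                       "0200" "000fac01" "00409600" "0000")

if __name__ == "__main__":
    print(parse_rsn(SAMPLE))
```

Run against a captured beacon or probe response, the `akm` list shows whether CCKM is offered on the WLAN independently of whether the cipher is TKIP or AES-CCMP.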