10-24-2012 01:10 AM - edited 07-03-2021 10:54 PM
Hi,
We are rolling out 20+ APs (1042N-E-K9), and one of the VLANs is used for VoIP. We would like to enable CCKM, but are a little unsure of how to go about it after reading through much of the documentation. We have successfully enabled one AP to serve as a WDS master, and the APs show up as registered. Below are some of our questions:
1. On the AP, what should be the settings for the SSID on which we want to enable CCKM?
a. What Encryption Modes are allowed - can we use TKIP or AES-CCMP, or are we obliged to use CKIP-CMIC?
b. For the SSID, can we enable both CCKM and WPA? And is CCKM with WPA2 supported (cipher AES-CCMP)?
c. For AP Authentication, what Method should we choose? TLS, FAST, or is any of them allowed?
2. On the client machines (we are testing with a Lenovo laptop, CCXv4, and Intel pro-tools):
a. We understand that we can choose EAP-TLS for the clients and that should be OK, is that correct?
b. Do we need to use EAP-FAST or LEAP? And if that is the case, then it seems that MS NPS server as RADIUS is not supported…
We would very much appreciate any help with the above questions; as mentioned, we have read through the various documentation, but we are still unclear on the points above.
Greetings!
Erik-Benjamin Povlsen
10-24-2012 06:49 AM
Erik, welcome to support forums!
1.) For CCKM and CCXv4 you should use WPA/TKIP/CCKM. CCXv5 supports WPA2/AES/CCKM.
2.) TLS or PEAP will work fine. You do not have to do FAST or LEAP. IMHO LEAP needs to go the way of WEP and the dodo.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
10-24-2012 07:16 AM
Hi Stephen,
Thank you for taking time to answer our questions!
So, just to be sure of our setup, using CCXv4, something like this will be OK?
dot11 ssid VOIP
vlan 5
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa cckm
dot1x eap profile TLS
mobility network-id 5
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 5 mode ciphers tkip
And then for the client setup just simple EAP-TLS, with certificates...
Thanks again for helping us out!
Erik-Benjamin Povlsen
10-24-2012 07:25 AM
dot1x eap profile TLS
mobility network-id 5
The above is not needed. That dot1x profile is for when you use the radio as a bridge and want to do 802.1X. WDS goes out over the Ethernet to find the 'master' and registers/joins there for key management.
The mobility network-id command is for WLSM.
But other than those two things, which should be removed, the rest of the config looks fine. Just make sure you define the subinterfaces on the radio and FastEthernet interfaces.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
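Steve's two answers above amount to a checklist: CCKM with WPA (CCXv4) goes with TKIP and CCKM with WPA2 (CCXv5) with AES-CCMP; dot1x eap profile and mobility network-id do not belong under the SSID; and every SSID VLAN needs a subinterface on both the radio and the Ethernet side. The WDS registration pieces (wlccp ap username on every AP, and the master's local RADIUS user list) are visible in the configs posted further down in this thread. The Python below is an added example, not code from this thread or from Cisco, that turns that checklist into a linter over a running-config. It assumes block bodies are indented as show running-config prints them, that WPA2+CCKM is written "authentication key-management wpa version 2 cckm", and that wired subinterfaces are named FastEthernet0.N or GigabitEthernet0.N. The sample config is constructed and deliberately contains the kinds of inconsistencies visible in the thread's own configs (an SSID bound on the radio that is never defined, a VLAN with only a wired subinterface, an AP username that is not in the master's local RADIUS user list); it is not a claim about what actually broke the OP's roaming.

```python
"""Lint a Cisco autonomous-AP running-config for the CCKM/WDS mistakes raised in
this thread. Added example, not Cisco code. Assumptions (see lead-in): indented
block bodies, 'wpa version 2 cckm' for WPA2+CCKM, FastEthernet0.N/GigabitEthernet0.N."""
import re

CCKM_RE = re.compile(r"authentication key-management wpa(?: version (\d))? cckm$")
SUBIF_RE = re.compile(r"interface (Dot11Radio|FastEthernet|GigabitEthernet)\d+\.\d+$")


def parse_blocks(config):
    """Return {top-level line: [its indented lines]}; '!' separators are dropped."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():
            header = raw.strip()
            blocks.setdefault(header, [])
        elif header is not None:
            blocks[header].append(raw.strip())
    return blocks


def lint(config):
    """Return findings as strings; an empty list means no CCKM/WDS problem was found."""
    b, out = parse_blocks(config), []
    ssids = {h.split()[2]: body for h, body in b.items() if h.startswith("dot11 ssid ")}
    bound, ciphers, subifs = set(), {}, {}    # SSIDs on a radio; vlan -> ciphers; vlan -> sides
    for h, body in b.items():
        sub = SUBIF_RE.match(h)
        for l in body:
            if h.startswith("interface Dot11Radio") and not sub and l.startswith("ssid "):
                bound.add(l.split()[1])
            c = re.match(r"encryption vlan (\d+) mode ciphers (.+)", l)
            if c:
                ciphers[c.group(1)] = set(c.group(2).split())
            v = re.match(r"encapsulation dot1Q (\d+)", l) if sub else None
            if v:
                subifs.setdefault(v.group(1), set()).add("radio" if sub.group(1) == "Dot11Radio" else "wired")
    for name in sorted(bound - set(ssids)):
        out.append(f"radio binds SSID {name} but there is no 'dot11 ssid {name}' block")
    for name, body in ssids.items():
        vlan = next((l.split()[1] for l in body if l.startswith("vlan ")), None)
        for stray in ("dot1x eap profile", "mobility network-id"):   # bridge / WLSM commands
            if any(l.startswith(stray) for l in body):
                out.append(f"SSID {name}: '{stray}' is not needed for WDS/CCKM, remove it")
        for kind in ("radio", "wired"):       # the VLAN needs a subinterface on both sides
            if vlan and kind not in subifs.get(vlan, set()):
                out.append(f"SSID {name}: VLAN {vlan} has no {kind} subinterface")
        km = next((m for m in map(CCKM_RE.match, body) if m), None)
        if km is None:
            continue                          # not a CCKM SSID, nothing more to check
        want, label = ("aes-ccm", "WPA2") if km.group(1) == "2" else ("tkip", "WPA")
        have = ciphers.get(vlan, set())
        if want not in have:
            out.append(f"SSID {name}: {label}+CCKM expects cipher {want} on VLAN {vlan}, "
                       f"found {sorted(have) or 'none'}")
    ap_user = next((h.split()[3] for h in b if h.startswith("wlccp ap username ")), None)
    if any(h.startswith("wlccp wds priority") for h in b):       # this AP is the WDS master
        users = {l.split()[1] for l in b.get("radius-server local", []) if l.startswith("user ")}
        if ap_user and "radius-server local" in b and ap_user not in users:
            out.append(f"WDS master: 'wlccp ap username {ap_user}' is not a user in radius-server local")
    return out


# Constructed sample, modelled on the thread's master config, with deliberate mistakes.
SAMPLE_MASTER = """\
dot11 ssid VOIP
 vlan 3
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa cckm
dot11 ssid Draft
 vlan 5
 authentication key-management wpa cckm
 dot1x eap profile TLS
 mobility network-id 5
interface Dot11Radio0
 encryption vlan 3 mode ciphers tkip
 encryption vlan 5 mode ciphers aes-ccm
 ssid VOIP
 ssid Network5
 ssid Draft
interface Dot11Radio0.3
 encapsulation dot1Q 3
interface GigabitEthernet0.3
 encapsulation dot1Q 3
interface GigabitEthernet0.5
 encapsulation dot1Q 5
radius-server local
 user wdsuser password wdspassword
wlccp wds priority 254 interface BVI1
wlccp ap username wdsclientap password wdspassword
wlccp authentication-server infrastructure method_infra_devices
"""
# The same config with every finding corrected; lint() returns [] for it.
FIXED_MASTER = (SAMPLE_MASTER
    .replace(" ssid Network5\n", "")                                      # bind only defined SSIDs
    .replace(" dot1x eap profile TLS\n mobility network-id 5\n", "")     # not needed for WDS/CCKM
    .replace("vlan 5 mode ciphers aes-ccm", "vlan 5 mode ciphers tkip")  # WPA+CCKM -> TKIP
    .replace("interface GigabitEthernet0.5", "interface Dot11Radio0.5\n encapsulation dot1Q 5\ninterface GigabitEthernet0.5")
    .replace("username wdsclientap", "username wdsuser"))                 # must exist on the auth server
```

Run lint() over the text of show running-config from each AP; an empty list is the goal. On the constructed sample it reports the undefined SSID bound on the radio, the two stray commands under the Draft SSID, the missing radio subinterface for VLAN 5, the AES cipher on a WPA+CCKM VLAN, and the master's wlccp ap username that is absent from its local RADIUS user list; FIXED_MASTER shows the corrections that silence all of them.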
10-24-2012 07:33 AM
Thank you very much, this solved our issues.
Very nice support!
Erik-Benjamin Povlsen
10-25-2012 01:59 AM
Hi again Steve,
Yesterday we tried the new configuration per your suggestions, but the fast roaming (CCKM) is not working.
We are not exactly sure what we have wrong in our configuration.
I'll drop in two configuration examples here, one for our WDS master and one for a client AP, all test configurations. We would appreciate it if you have an idea of what we have wrong here. Thanks in advance!
## AP-WDS MASTER CONFIG ##
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP2
!
logging rate-limit console 9
enable secret MyEnableSecret
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius infra_devices
server 10.12.1.109 auth-port 1812 acct-port 1813
!
aaa group server radius client_devices
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_infra_devices group infra_devices
aaa authentication login method_client_devices group client_devices
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name Network1 vlan 7
dot11 vlan-name Network2 vlan 6
dot11 vlan-name Network3 vlan 5
dot11 vlan-name Network4 vlan 4
dot11 vlan-name VoIP vlan 3
!
dot11 ssid Network1
vlan 7
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii MyWPAGuestKey
!
dot11 ssid Network2
vlan 6
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa cckm
!
dot11 ssid VOIP
vlan 3
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa cckm
!
dot11 ssid Network4
vlan 4
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
!
eap profile TLS
method tls
!
eap profile FAST
method fast
!
!
!
username Me privilege 15 password 0 MySpecialPassword
!
!
!
policy-map VoIPTraffic
class class-default
set cos 6
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 7 mode ciphers aes-ccm
!
encryption vlan 6 mode ciphers tkip
!
encryption vlan 5 mode ciphers aes-ccm
!
encryption vlan 3 mode ciphers tkip
!
encryption vlan 4 mode ciphers aes-ccm
!
ssid Network5
!
ssid Network4
!
ssid VOIP
!
ssid Network6
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
encapsulation dot1Q 7
no ip route-cache
bridge-group 7
bridge-group 7 subscriber-loop-control
bridge-group 7 block-unknown-source
no bridge-group 7 source-learning
no bridge-group 7 unicast-flooding
bridge-group 7 spanning-disabled
!
interface Dot11Radio0.4
encapsulation dot1Q 4
no ip route-cache
bridge-group 4
bridge-group 4 subscriber-loop-control
bridge-group 4 block-unknown-source
no bridge-group 4 source-learning
no bridge-group 4 unicast-flooding
bridge-group 4 spanning-disabled
!
interface Dot11Radio0.6
encapsulation dot1Q 6
no ip route-cache
bridge-group 6
bridge-group 6 subscriber-loop-control
bridge-group 6 block-unknown-source
no bridge-group 6 source-learning
no bridge-group 6 unicast-flooding
bridge-group 6 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
service-policy input VoIPTraffic
service-policy output VoIPTraffic
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.7
encapsulation dot1Q 7
no ip route-cache
bridge-group 7
no bridge-group 7 source-learning
bridge-group 7 spanning-disabled
!
interface GigabitEthernet0.4
encapsulation dot1Q 4
no ip route-cache
bridge-group 4
no bridge-group 4 source-learning
bridge-group 4 spanning-disabled
!
interface GigabitEthernet0.6
encapsulation dot1Q 6
no ip route-cache
bridge-group 6
no bridge-group 6 source-learning
bridge-group 6 spanning-disabled
!
interface GigabitEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
service-policy input VoIPTraffic
service-policy output VoIPTraffic
!
interface GigabitEthernet0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 5
no bridge-group 5 source-learning
bridge-group 5 spanning-disabled
!
interface BVI1
ip address 10.12.1.109 255.255.255.0
no ip route-cache
!
ip default-gateway 10.12.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.12.12.12 auth-port 1645 acct-port 1646 key NPSKey109
radius-server vsa send accounting
bridge 1 route ip
!
radius-server local
no authentication eapfast
no authentication mac
nas 10.12.1.101 key 0 WDSKey101
nas 10.12.1.102 key 0 WDSKey102
nas 10.12.1.103 key 0 WDSKey103
nas 10.12.1.104 key 0 WDSKey104
nas 10.12.1.105 key 0 WDSKey105
nas 10.12.1.106 key 0 WDSKey106
nas 10.12.1.107 key 0 WDSKey107
nas 10.12.1.108 key 0 WDSKey108
nas 10.12.1.109 key 0 WDSKey109
user wdsuser password wdspassword
radius-server host 10.12.1.109 auth-port 1812 acct-port 1813 key 0 WDSKey109
radius-server attribute 32 include-in-access-req format %h
!
!
wlccp wds priority 254 interface BVI1
wlccp ap username wdsclientap password wdspassword
wlccp authentication-server infrastructure method_infra_devices
wlccp authentication-server client eap method_client_devices
wlccp authentication-server client leap method_client_devices
!
!
!
line con 0
line vty 0 4
!
end
## AP CLIENT CONFIG EXAMPLE ##
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1
!
logging rate-limit console 9
enable secret MyEnableSecret
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius infra_devices
server 10.12.1.109 auth-port 1812 acct-port 1813
!
aaa group server radius client_devices
server 10.12.12.12 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_infra_devices group infra_devices
aaa authentication login method_client_devices group client_devices
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name Network1 vlan 7
dot11 vlan-name Network2 vlan 6
dot11 vlan-name Network3 vlan 5
dot11 vlan-name Network4 vlan 4
dot11 vlan-name VoIP vlan 3
!
dot11 ssid Network1
vlan 7
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii MyWPAGuestKey
!
dot11 ssid Network2
vlan 6
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa cckm
!
dot11 ssid VOIP
vlan 3
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa cckm
!
dot11 ssid Network4
vlan 4
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
!
eap profile TLS
method tls
!
eap profile FAST
method fast
!
!
!
username Me privilege 15 password 0 MySpecialPassword
!
!
!
policy-map VoIPTraffic
class class-default
set cos 6
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 7 mode ciphers aes-ccm
!
encryption vlan 6 mode ciphers tkip
!
encryption vlan 5 mode ciphers aes-ccm
!
encryption vlan 3 mode ciphers tkip
!
encryption vlan 4 mode ciphers aes-ccm
!
ssid Network5
!
ssid Network4
!
ssid VOIP
!
ssid Network6
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
encapsulation dot1Q 7
no ip route-cache
bridge-group 7
bridge-group 7 subscriber-loop-control
bridge-group 7 block-unknown-source
no bridge-group 7 source-learning
no bridge-group 7 unicast-flooding
bridge-group 7 spanning-disabled
!
interface Dot11Radio0.4
encapsulation dot1Q 4
no ip route-cache
bridge-group 4
bridge-group 4 subscriber-loop-control
bridge-group 4 block-unknown-source
no bridge-group 4 source-learning
no bridge-group 4 unicast-flooding
bridge-group 4 spanning-disabled
!
interface Dot11Radio0.6
encapsulation dot1Q 6
no ip route-cache
bridge-group 6
bridge-group 6 subscriber-loop-control
bridge-group 6 block-unknown-source
no bridge-group 6 source-learning
no bridge-group 6 unicast-flooding
bridge-group 6 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
service-policy input VoIPTraffic
service-policy output VoIPTraffic
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.7
encapsulation dot1Q 7
no ip route-cache
bridge-group 7
no bridge-group 7 source-learning
bridge-group 7 spanning-disabled
!
interface GigabitEthernet0.4
encapsulation dot1Q 4
no ip route-cache
bridge-group 4
no bridge-group 4 source-learning
bridge-group 4 spanning-disabled
!
interface GigabitEthernet0.6
encapsulation dot1Q 6
no ip route-cache
bridge-group 6
no bridge-group 6 source-learning
bridge-group 6 spanning-disabled
!
interface GigabitEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
service-policy input VoIPTraffic
service-policy output VoIPTraffic
!
interface GigabitEthernet0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 5
no bridge-group 5 source-learning
bridge-group 5 spanning-disabled
!
interface BVI1
ip address 10.12.1.108 255.255.255.0
no ip route-cache
!
ip default-gateway 10.12.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.12.12.12 auth-port 1645 acct-port 1646 key NPSKey108
radius-server vsa send accounting
bridge 1 route ip
!
radius-server host 10.12.1.109 auth-port 1812 acct-port 1813 key 0 WDSKey108
radius-server attribute 32 include-in-access-req format %h
!
!
wlccp ap username wdsuser password wdspassword
!
!
!
line con 0
line vty 0 4
!
end
10-25-2012 06:42 AM
On which WLAN is the fast roaming not working? If it's the Voice, what model of phone and firmware are you running? FYI 7921/25/26 should be 1.4(3).
If you do a show wds ap on the master, do you see all the APs registered?
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
10-25-2012 07:12 AM
Hi,
The fast roaming is not working on the VOIP WLAN. We are not testing with a phone, but with a Lenovo laptop (softphone), running CCXv4 and configured with (Intel PROSet) WPA - Enterprise, TKIP, TLS with User certificate.
If we run the cmd: show wlccp wds ap, all APs show up as registered.
If we run the cmd: show wlccp wds mn detail, the client (associated to another AP) shows up with the following details:
BSS: c8f9.f9a6.f270, SSID: VOIP
Vlan Assigned by AAA: 3
Ntwrk-ID: -
Key Mgmt: CCKM, Authentication: EAP
Posture Token:
Up-time: 00:33:36, Lifetime: 127
We have this in the WDS master config, is this ok?
radius-server local
no authentication eapfast
no authentication leap
no authentication mac
Thanks for your help.
10-25-2012 09:08 AM
Hi Steve,
As an update to my own post, I remember having read somewhere that if we implement CCKM, having the AAA server hand out the VLAN ID is not allowed/supported, so I disabled that option. That seems to have made things better...
Anyway, we are not completely satisfied with our testing. Is there a command we can run to see if CCKM is working? I remember having read about a command showing the CCKM ID assigned to the client, but I do not remember the exact syntax.
Thanks once again for your time.
10-25-2012 09:31 AM
Check the ~mn command
In privileged exec mode, use these debug commands to control the display of debug messages for devices interacting with the WDS device:
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
10-25-2012 09:33 AM
You should be able to do a show dot11 association <mac address> and see what the keying is. Or the show wlccp wds mn detail shows that the client is CCKM.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
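The two show commands Steve points at are the right place to look: the WDS master's view of the mobile node (show wlccp wds mn detail) names the key management in use, and the OP's own paste of that output is what revealed the AAA-assigned VLAN he then turned off. The script below is an added example, not Cisco tooling and not anything posted in this thread; it parses mn detail output in the format the OP pasted, flags per client the conditions this thread associates with CCKM not working (Key Mgmt other than CCKM, non-EAP authentication, a VLAN assigned by AAA), and compares two snapshots taken before and after the client was moved between APs to confirm the BSS changed while the node stayed CCKM-keyed. The MAC header line per record, the second client, the post-roam snapshot and the NONE value shown for a non-CCKM client are constructed assumptions. It does not measure the roam itself; that still needs a capture or the softphone's own logs.

```python
"""Parse 'show wlccp wds mn detail' output from the WDS master and report, per
mobile node, whether the conditions this thread associates with working CCKM
fast roaming hold. Added example, not Cisco tooling. Field lines follow the OP's
paste; the 'MAC:' header, second client, post-roam snapshot and the 'NONE'
Key Mgmt value for a non-CCKM client are constructed assumptions."""

# Constructed: the OP's pasted record (with an assumed MAC header) plus a
# second, non-CCKM client, as listed before the test client moves.
SNAPSHOT_BEFORE = """\
MAC: 0016.eab1.22c3
BSS: c8f9.f9a6.f270, SSID: VOIP
Vlan Assigned by AAA: 3
Ntwrk-ID: -
Key Mgmt: CCKM, Authentication: EAP
Posture Token:
Up-time: 00:33:36, Lifetime: 127
MAC: 0016.eab1.9f10
BSS: c8f9.f9a6.f270, SSID: VOIP
Vlan Assigned by AAA: -
Ntwrk-ID: -
Key Mgmt: NONE, Authentication: EAP
Posture Token:
Up-time: 00:02:11, Lifetime: 127
"""
# Constructed: the first client after it re-associated to another AP (new BSS)
# with AAA VLAN assignment turned off, as the OP did.
SNAPSHOT_AFTER = """\
MAC: 0016.eab1.22c3
BSS: c8f9.f9a6.f3a0, SSID: VOIP
Vlan Assigned by AAA: -
Ntwrk-ID: -
Key Mgmt: CCKM, Authentication: EAP
Posture Token:
Up-time: 00:41:02, Lifetime: 127
"""


def parse_mn_detail(text):
    """Return one dict per mobile node; 'Key: value' fields may share a line, comma-separated."""
    records, cur = [], None
    for line in text.splitlines():
        for field in line.split(", "):
            key, sep, value = field.partition(":")   # first colon only: 'Up-time: 00:33:36'
            if not sep:
                continue
            key, value = key.strip(), value.strip()
            if cur is None or key == "MAC" or (key == "BSS" and "BSS" in cur):
                cur = {}                              # a new node starts at MAC (or a second BSS)
                records.append(cur)
            cur[key] = value
    return records


def assess(rec):
    """Reasons this node cannot fast-roam with CCKM, judged from the WDS's own view of it."""
    reasons = []
    if rec.get("Key Mgmt") != "CCKM":
        reasons.append(f"key management is {rec.get('Key Mgmt') or '?'}, not CCKM")
    if rec.get("Authentication") != "EAP":
        reasons.append("authentication is not EAP; CCKM keys are derived from an EAP session")
    if rec.get("Vlan Assigned by AAA", "-") != "-":
        reasons.append("VLAN assigned by AAA (the OP found CCKM roaming worked only after disabling this)")
    return reasons


def roam_report(before, after):
    """Diff two snapshots keyed by MAC: did each node change BSS, and is it still CCKM-clean?"""
    prev = {r["MAC"]: r for r in parse_mn_detail(before) if "MAC" in r}
    report = {}
    for rec in parse_mn_detail(after):
        if "MAC" not in rec:
            continue
        old, problems = prev.get(rec["MAC"]), assess(rec)
        report[rec["MAC"]] = {
            "ssid": rec.get("SSID"),
            "from_bss": old.get("BSS") if old else None,
            "to_bss": rec.get("BSS"),
            "roamed": old is not None and old.get("BSS") != rec.get("BSS"),
            "fast_roam_ok": not problems,
            "problems": problems,
        }
    return report


if __name__ == "__main__":
    for mac, r in roam_report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(mac, r)
```

Capture the command output on the master before and after walking the client to another AP and feed both captures to roam_report(); a client that shows roamed=True with fast_roam_ok=True was CCKM-keyed on both sides of the move, and the problems list says which of the thread's known blockers applies otherwise.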