What do I need in order to implement WPA2+CCKM?

istvan.kelemen1
Level 1

Hello,

There are a few things I don't understand...

When WPA2+dot1x is in place, I do need an AAA server to authenticate the supplicant using username and password.

But what is the story when WPA2+CCKM is in place? What application will be responsible for holding the centralized key?

How does it work?

Thank you!

1 Accepted Solution

ali aqrabawi
Level 3

You can have WPA2 + 802.1x or WPA2 + 802.1x + CCKM.

Here is the explanation of each:

WPA2: a key management algorithm for how the AP and the client generate the transient keys (PTK and GTK), which are generated by the 4-way handshake between supplicant and AP through the EAPoL protocol. The client PMK is generated by the RADIUS server and stored on the AP and on the WLC (if OKC is enabled), so when the client roams it will not need to re-authenticate against the RADIUS server; it just does the 4-way handshake, which may take less than 100 ms.

802.1x: authentication protocol used to authenticate EAP clients by a RADIUS server.

CCKM: a Cisco key management protocol in which the client keys (PTK, GTK) are cached centrally on the WLC, so the client will not need to do the 4-way handshake (WPA2) every time it roams.
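As an added illustration of the key hierarchy the accepted answer describes (this is example code written for this page, not code from the thread or from Cisco), the following Python simulation derives the PTK from a PMK with the IEEE 802.11i PRF-512 inside a 4-way handshake, verifies the message-2 MIC so that only two parties holding the same PMK succeed, and then counts how many RADIUS authentications and 4-way handshakes a client performs over a series of roams with no caching, with PMK caching (OKC), and with centrally cached key material (CCKM-style). The EAP/RADIUS step and the CCKM reassociation refresh are abstracted stand-ins, and the MAC addresses, nonces, EAPOL frame layout and the `Wlc`/`simulate` names are constructed for the example.

```python
"""Constructed simulation of the key-management steps described in the reply:
802.1X/RADIUS yields a PMK, the 4-way handshake derives the PTK from it, and
key caching (OKC / CCKM-style) decides how much of that is repeated on a roam.
The PTK derivation and message-2 MIC follow IEEE 802.11i (PRF-512 with
HMAC-SHA1, CCMP key sizes); the EAP exchange and the CCKM reassociation refresh
are abstracted stand-ins, not the real protocols.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max MACs || min/max nonces).
    For CCMP the first 48 bytes are KCK (16) | KEK (16) | TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for the 802.1X/CCMP AKM: HMAC-SHA1 over the EAPOL-Key frame, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_ap: bytes, pmk_sta: bytes, aa: bytes, spa: bytes):
    """Run the handshake between two parties holding (possibly different) PMKs.
    Returns (mic_ok, tk): mic_ok is True only if both sides derived the same PTK."""
    anonce = os.urandom(32)                                  # message 1: AP -> STA
    snonce = os.urandom(32)                                  # STA picks its own nonce
    kck_sta, _, _ = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    msg2 = b"EAPOL-Key|msg2|" + snonce + b"|MIC=" + bytes(16)  # constructed layout, MIC field zeroed
    mic = eapol_mic(kck_sta, msg2)                           # message 2: STA -> AP carries SNonce + MIC
    kck_ap, _, tk_ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(mic, eapol_mic(kck_ap, msg2))
    return mic_ok, (tk_ap if mic_ok else None)


@dataclass
class Counters:
    radius_auths: int = 0
    handshakes: int = 0


class Wlc:
    """Constructed controller model. mode: 'none' (no caching, full 802.1X on every
    roam), 'okc' (PMK cached, one 4-way handshake per roam), 'cckm' (key material
    cached centrally, refreshed at reassociation without a 4-way handshake)."""

    def __init__(self, mode: str):
        self.mode = mode
        self.cache = {}            # client MAC -> PMK
        self.counters = Counters()

    def radius_auth(self, mac: bytes) -> bytes:
        # Stand-in for EAP over RADIUS; in reality the PMK comes out of the EAP method.
        self.counters.radius_auths += 1
        return hashlib.sha256(b"constructed-msk:" + mac).digest()

    def join(self, mac: bytes, ap: bytes) -> bytes:
        """Client `mac` associates to AP `ap`; returns the temporal key it ends up with."""
        cached = self.cache.get(mac)
        if cached is None or self.mode == "none":
            pmk = self.radius_auth(mac)
            self.cache[mac] = pmk
        elif self.mode == "cckm":
            # Abstracted CCKM refresh: a fresh TK from the cached material and a
            # reassociation nonce, with no separate 4-way handshake.
            return prf(cached, b"constructed-cckm-refresh", ap + mac + os.urandom(16), 16)
        else:
            pmk = cached
        self.counters.handshakes += 1
        ok, tk = four_way_handshake(pmk, pmk, ap, mac)
        if not ok:
            raise RuntimeError("MIC check failed: PMK mismatch")
        return tk


def simulate(mode: str, roams: int):
    """Initial association plus `roams` roams; returns (radius_auths, handshakes)."""
    wlc = Wlc(mode)
    sta = bytes.fromhex("0200c0ffee01")                      # constructed client MAC
    aps = [bytes([0x02, 0, 0, 0, 0, n]) for n in range(1, roams + 2)]  # constructed AP MACs
    for ap in aps:
        wlc.join(sta, ap)
    return wlc.counters.radius_auths, wlc.counters.handshakes


if __name__ == "__main__":
    for mode in ("none", "okc", "cckm"):
        auths, hs = simulate(mode, 3)
        print(f"{mode:5s}: {auths} RADIUS authentications, {hs} 4-way handshakes for 1 join + 3 roams")
```

The `none` mode pays a RADIUS round trip on every roam, `okc` keeps the 4-way handshake but drops the RADIUS exchange, and the CCKM-style mode drops both after the first association, which is the difference the reply is pointing at; the MIC check is what ties the handshake back to the PMK, so an AP without the cached PMK cannot complete it.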

5 Replies

mohanak
Cisco Employee

The WDS (which can be run as a service on a Cisco Access Point or on various router modules) caches the user credentials after the initial log-on. The user must authenticate with the RADIUS server the first time; then he can roam between access points using cached credentials.

https://supportforums.cisco.com/document/11086/what-cckm-and-how-does-it-affect-fast-and-secure-roaming

ali aqrabawi
Level 3

(This reply is the accepted solution shown above.)

 

So I do have to use CCKM+802.1x in conjunction to enjoy the benefit of CCKM, right?

Correct.

Or is it not? Since I can select CCKM with WPA2 only.

wlc4404 code 7.0.252.0

or even on wlc 2504 7.4.130
