08-02-2015 01:22 PM - edited 07-05-2021 03:40 AM
Hello,
There are few things I don't understand...
When WPA2+dot1x is in place, I do need an AAA server to authenticate the supplicant using username and password.
But how is the story when WPA2+CCKM is in place? What application will be responsible to hold the centralized key?
How does it work?
Thank you!
08-03-2015 12:23 PM
You can have WPA2 + 802.1x or WPA2 + 802.1x + CCKM.
Here is the explanation of each:
WPA2: is a key management algorithm, of how the AP and the client will generate the transient keys (PTK and GTK), which will be generated by the 4-way handshake between supplicant and AP through the EAPoL protocol. The client PMK is generated by the RADIUS server and it will be stored on the AP and on the WLC (if OKC is enabled), so when the client roams it will not need to re-authenticate against the RADIUS server, it just does the 4-way handshake, which may take less than 100 millisec.
802.1x: authentication protocol used to authenticate EAP clients by the RADIUS server.
CCKM: is a Cisco key management protocol in which the client keys (PTK, GTK) will be cached centrally on the WLC, so the client will not need to do the 4-way handshake (WPA2) every time it roams.
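The answer above describes the split between the one-time 802.1X/RADIUS authentication (which produces the PMK) and the per-association 4-way handshake (which turns the PMK plus fresh nonces into the PTK). The following is an added illustration, not code from this thread or from Cisco: it implements the IEEE 802.11i PTK derivation (PRF-384 over HMAC-SHA1 for CCMP) and the EAPOL-Key MIC check, then simulates a client keeping one cached PMK while roaming across several APs. The PMK, MAC addresses and nonces are constructed sample values; in a real deployment the PMK comes from the RADIUS server's MSK and the nonces are random per handshake.

```python
import hashlib
import hmac
import os

PTK_LABEL = b"Pairwise key expansion"   # label fixed by IEEE 802.11i
PTK_LEN_CCMP = 48                       # KCK(16) || KEK(16) || TK(16) for CCMP


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until out_len bytes have been produced."""
    out, i = b"", 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    The min/max ordering makes both sides compute the same value regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, PTK_LABEL, data, PTK_LEN_CCMP)


def split_ptk(ptk: bytes) -> dict:
    """KCK protects the handshake MIC, KEK wraps the GTK, TK encrypts data frames."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the EAPOL-Key frame
    with its MIC field set to zero."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


def sign_eapol(kck: bytes, frame: bytes, mic_offset: int) -> bytes:
    """Return the frame with the MIC field (16 bytes at mic_offset) filled in."""
    zeroed = frame[:mic_offset] + bytes(16) + frame[mic_offset + 16:]
    return zeroed[:mic_offset] + eapol_mic(kck, zeroed) + zeroed[mic_offset + 16:]


def verify_eapol(kck: bytes, frame: bytes, mic_offset: int) -> bool:
    """Recompute the MIC over the zeroed frame and compare in constant time."""
    received = frame[mic_offset:mic_offset + 16]
    zeroed = frame[:mic_offset] + bytes(16) + frame[mic_offset + 16:]
    return hmac.compare_digest(received, eapol_mic(kck, zeroed))


def roam_sequence(pmk: bytes, spa: bytes, ap_macs: list, nonce_source=os.urandom) -> list:
    """One 802.1X authentication, several associations: the cached PMK is reused and
    only the nonce exchange + PTK derivation is repeated per AP. Returns one TK per AP;
    every TK differs because the AP address and nonces differ."""
    tks = []
    for aa in ap_macs:
        anonce, snonce = nonce_source(32), nonce_source(32)
        tks.append(split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))["TK"])
    return tks


if __name__ == "__main__":
    # Constructed sample values (not a real session).
    pmk = bytes(range(32))                       # stands in for the RADIUS-delivered PMK
    client = bytes.fromhex("0a1b2c3d4e5f")
    aps = [bytes.fromhex("001122334455"), bytes.fromhex("001122334466")]
    for idx, tk in enumerate(roam_sequence(pmk, client, aps)):
        print(f"AP {idx}: TK={tk.hex()}")       # new TK per association, no new EAP exchange
```

The roaming loop is the point of the simulation: re-authentication against RADIUS happens once (outside this code), while each association only costs a nonce exchange and a PRF run, which is why the thread's answer quotes sub-100 ms roams when the PMK is already cached on the AP or WLC.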
08-03-2015 02:55 AM
The WDS (which can be run as a service on a Cisco Access Point or on various router modules) caches the user credentials after the initial log-on. The user must authenticate with the Radius server the first time - then he can roam between access points using cached credentials.
08-03-2015 12:46 PM
So I do have to use CCKM+802.1x in conjunction to enjoy the benefit of CCKM, right?
08-03-2015 12:46 PM
correct
08-03-2015 12:49 PM
Or it is not..? Since I can select CCKM with WPA2 only.
wlc4404 code 7.0.252.0
or even on wlc 2504 7.4.130