Unanswered Question
May 9th, 2007


I want to implement fast secure roaming (Cisco CCKM) in order to reduce the re-authentication time when roaming from one AP to another.

I have tried different configurations with different clients but it's not working.

Has anyone already implemented this?

I have a WLC running the latest version (4.1).

My SSID is configured for WPA1/WPA2 with 802.1x + CCKM. As EAP type, I have tested P-EAP MSCHAPv2 and EAP-TLS.

The client tested is a Dell Laptop with the Intel Pro 3945a/b/g wireless card (latest release, CCXv4 compatible).

Any idea why it is not working?

You will find attached:

- screenshot from WCS

- screenshot from log analysis during roaming.

- screenshot of SSID layer 2 security configuration

Thanks for your help

ankbhasi Thu, 05/03/2007 - 09:43

Hi Friend,

Are you roaming between APs on the same controller? Also, can you confirm whether your SSID is mapped to a dynamic interface on the controller or to the management interface?



claeysg Wed, 05/09/2007 - 05:50


Yes, the APs are on the same controller (there is only one controller in my setup).

The SSID is mapped to a dynamic interface, not the management.



ankbhasi Wed, 05/09/2007 - 06:04

Hi Gaetan,

There are some known issues with CCKM.

There is a bug "CSCsg69021" which is also release noted. The bug says "Fast roaming with WPA2+CCKM on dynamic interfaces may not operate properly".

Have a look at this link

and you can search for CCKM for known issues in the latest release.



*Pls rate all helpful posts

claeysg Wed, 05/09/2007 - 06:30


If you look at the client details, I'm using WPA1 not WPA2. However, AES is used.

I have also done some tests with 802.1x only (no WPA) and CCKM still does not work.

Do you have a list of working configurations?





claeysg Wed, 05/09/2007 - 08:17


The bug you mentioned is resolved.


CSCsg69021 [QDDTS] [CCO]

Internally found moderate (Sev3) bug: Resolved (R) In BE-MR2, fast roaming for WPA2+CCKM on dynamic interface does not work

Integrated in 004.000(206.000) 004.001(171.000)

Verified Release 004.000(199.000)

ankbhasi Wed, 05/09/2007 - 08:26

Hi Friend,

My mistake, this bug is under resolved caveats in the release notes.

Can you give it a try by configuring WPA + TKIP + authentication key management CCKM?

Also, on the controller, just uncheck WPA2 and leave WPA1 checked.



claeysg Thu, 05/10/2007 - 03:25


I've tried this but now my client cannot authenticate anymore.

802.1x seems to be a mandatory option.

Any idea?


wackerk24 Thu, 05/24/2007 - 07:34

We had the same issue with CCKM and the Intel cards. Per Cisco, the recommendation was to disable CCKM if using Intel cards, and this resolved our issues. Our clients were disconnected 10-12 times per 8-hour shift. In our environment CCKM wasn't needed for fast roaming, which I was surprised by, but my testing confirmed this.

