Does 7921 support WPA2+AES+PKC?

Answered Question
Apr 19th, 2009

Does Cisco IP Phone 7921G support WPA2+AES+PKC? I know it supports WPA2+AES, but documentation is not clear if it supports PKC.

Or do I _have to_ use WPA+TKIP+CCKM to support fast secure roaming in CUWN environment?

VoWLAN design guide 4.1 recommends using WPA+TKIP+CCKM. Is that because the phone doesn't support PKC? Is that going to change?


Correct Answer
migilles Sun, 04/19/2009 - 13:15

No PKC is not supported. The only fast roaming method supported today is CCKM, which is with WPA(TKIP) or 802.1x(WEP). WPA2+CCKM is being investigated.

Roman Rodichev Mon, 04/20/2009 - 00:32

I just tested it out of curiosity, and it behaves as you said: I hear gaps when roaming with WPA2 and no gaps when roaming with WPA.

I also noticed that in the "show pmk-cache all" output using the WPA2 policy, the 7921G phone shows up with "RSN", while the other two, which are CB21 cards, show up with "CCKM". I find that strange; I was actually expecting to see the phone with "CCKM", since it doesn't support PKC, and the CB21s with "RSN", which I thought would support PKC.

(Cisco Controller) >show pmk-cache all

PMK-CCKM Cache

Entry
Type    Station            Lifetime   VLAN Override      IP Override
------  --------------     --------   ------------------ ---------------
RSN     00:1e:4a:3e:e3:61  1475                          0.0.0.0
CCKM    00:40:96:a6:ed:e4  1475                          0.0.0.0
CCKM    00:40:96:b0:06:98  1750                          0.0.0.0

Is my logic out of whack?
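
An added example, not part of this thread: a small Python parser for the "show pmk-cache all" output posted above, which groups stations by cache-entry type so you can confirm from the controller which clients actually hold a CCKM entry and which only have an RSN (802.11i) entry. The embedded sample is Roman's output; the function names are mine.

```python
import re
from collections import defaultdict

# Sample taken from the "show pmk-cache all" output posted in this thread.
SAMPLE_OUTPUT = """\
(Cisco Controller) >show pmk-cache all

PMK-CCKM Cache

Entry
Type    Station            Lifetime   VLAN Override      IP Override
------  --------------     --------   ------------------ ---------------
RSN     00:1e:4a:3e:e3:61  1475                          0.0.0.0
CCKM    00:40:96:a6:ed:e4  1475                          0.0.0.0
CCKM    00:40:96:b0:06:98  1750                          0.0.0.0
"""

# One cache row: entry type, station MAC, remaining lifetime in seconds.
ENTRY_RE = re.compile(
    r"^(?P<type>RSN|CCKM)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<lifetime>\d+)",
    re.IGNORECASE,
)


def parse_pmk_cache(text):
    """Return a list of (type, mac, lifetime) tuples from the controller output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["type"].upper(), m["mac"].lower(), int(m["lifetime"])))
    return entries


def stations_by_type(entries):
    """Group station MACs by cache-entry type (CCKM vs RSN)."""
    groups = defaultdict(list)
    for etype, mac, _lifetime in entries:
        groups[etype].append(mac)
    return dict(groups)


def rsn_only_stations(entries):
    """Stations with an RSN entry and no CCKM entry. For a 792xG under WPA2 the
    thread says such a client gets no fast roaming and re-authenticates on each roam."""
    groups = stations_by_type(entries)
    cckm = set(groups.get("CCKM", []))
    return sorted(mac for mac in groups.get("RSN", []) if mac not in cckm)


if __name__ == "__main__":
    entries = parse_pmk_cache(SAMPLE_OUTPUT)
    print(stations_by_type(entries))
    print("RSN-only stations:", rsn_only_stations(entries))
```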

Correct Answer
migilles Tue, 04/21/2009 - 12:43

The 7921/7925 gives precedence to the strongest key-management, then cipher, so if you have WPA2+AES enabled, then it will not use CCKM, as that combo is not supported, as mentioned in the previous post. We do send the key info, but only after having successfully associated to an AP previously. This implementation is more in line with OKC vs PKC, which is not supported on the WLC.

So currently there is no supported fast roaming mechanism with WPA2 using the WLAN controller and the 7921/7925.

If you like you can bring this topic up to your local Cisco account team to discuss further.

Thanks!

kfarrington Fri, 06/05/2009 - 07:03

Hi Michael,

Please can I ask: you state that there is no fast roaming for WPA2.

I need to get this straight in my head.

WPA+TKIP+CCKM

WPA is just a standards name

TKIP = key management and encryption

CCKM = fast roaming capability

WPA2+TKIP+CCKM

WPA2 is just a standards name

TKIP = key management and encryption

CCKM = fast roaming capability

Why can't you use CCKM with WPA2? I thought with WPA2 you had the choice to use either PKC or CCKM?

Is that incorrect?

Many thx indeed,

Ken

kfarrington Fri, 06/05/2009 - 07:29

Also mate,

Can I just confirm this really important point (some people may think I'm bonkers)!

WPA and WPA2

These are just names for a collection of protocols, i.e. a framework including 802.1x, EAP, PSK, TKIP, AES, PKC, CCKM, etc. etc.

WPA and WPA2 do not actually do anything. Correct?

Many thx indeed, This is really important for me :)

Many thx

Ken

Am I correct?

migilles Fri, 06/05/2009 - 15:09

WPA and WPA2 are the key management schemes and standards from the WiFi Alliance.

There are enterprise and personal versions, where enterprise requires 802.1x and personal uses a pre-shared key.

Currently CCKM is only supported with WPA + TKIP.

PKC is not the long-term vision for fast roaming and not supported by 792x clients.

kfarrington Mon, 06/08/2009 - 01:01

OK, very sorry about this mate.

You say that WPA and WPA2 are the key management schemes.

Would you mind letting me know what the difference is?

Is it that WPA2 uses RSN to exchange keys and WPA does not? If so, what does WPA use?

The way I always understood it is that EAP (well, EAPOL) the 4-way handshake is the key management scheme, and this is the same in WPA and WPA2; then if a client roams, CCKM could be used for "roaming" key management (Cisco proprietary) for WPA, as there is no standards-based roaming key management in WPA, and PKC for "roaming" key management for WPA2?

Also, why is CCKM not supported on WPA2 if Cisco thinks that CCKM is the way forward?

I'm sorry, I am a little confused about this.

Many thx

Ken

kfarrington Mon, 06/08/2009 - 06:32

Michael, and all,

Please could you review this spreadsheet for me. I pulled most of this from a Cisco Press book, but have added the roaming column and put some notes in there.

Please can you confirm the following SS is correct, and these two notes.

* NOTE: Authentication Method and Key Management mean the same thing (please see PS comment below)

** NOTE: Roaming Key Management is separate from first-time Key Management

Many thx indeed. It can just be so confusing and I want to tie this up once and for all :)

PS. Should I split Authentication and Key Management into two separate columns? I.e., would this be correct: Authentication is 802.1x and EAP is the key management?

Many thx

Ken

migilles Sun, 06/21/2009 - 10:05

There are supplicant changes needed to support WPA2+CCKM, which is why it's not supported today.

For your spreadsheet, it looks good for the most part except no fast roaming with WPA-PSK, so remove CCKM.

Also add CCKM for WPA2.

You can also do WPA(AES) and WPA2(TKIP), although they are not recommended or common configurations as it is typically WPA(TKIP) and WPA2(AES).

No fast roaming support when using WPA2 and the 792xG.

kfarrington Mon, 06/22/2009 - 03:20

Many thx for the info mate.

I'm a little confused though; you say that WPA2+CCKM is not supported, but then say add CCKM for WPA2?

Sorry about this, I'm just a little confused.

Kind regards,

Ken

migilles Sun, 06/28/2009 - 23:24

Ok, if your doc is 792xG specific, then drop CCKM for WPA2. I thought this doc was not 792xG specific and was listing possibilities. WPA2 + CCKM is a CCX v5 feature, which the 792xG does not support.

If you enable WPA2, then there will be no fast roaming used when the 792xG roams from AP to AP, and it will hit the RADIUS server for each roam.

kfarrington Mon, 06/29/2009 - 22:49

Hi Michael,

Once again, many thx for all your help to date. It has been invaluable!!

Yes I found this out to my cost.

Now. Here are a couple of points.

The VoWLAN design guides and 792xG deployment guides list everything in them. PKC, CCKM, WPA, WPA2, TKIP, AES, bla bla bla.

On the 792x Deployment Guides: why can't they have a statement saying "The 802.11i RSN framework", i.e. WPA2 "in full", is not supported on our phones?

I raised this with AS as I was mightily disappointed. I'm over it now. Had BEER :)

So, does anyone know when the phones will be fully compliant with the 802.11i standard?

Also, when speaking to TAC, there was a misconception that if you run WPA2, you must run AES, but 802.11i states you can run TKIP and we do.

***** The 802.11i IEEE document is a must read for anyone. *****

Also, on another point, would you know of a vendor phone that has the following capabilities and runs with the CUWN?

1. A Radio

2. 802.11i compliant

3. can run skinny client

Once again, many thanks for the great help :)

Kind regards,

Ken

migilles Mon, 06/29/2009 - 23:39

Ok first off the 7921G and 7925G are WPA/WPA2 certified.

7921G

http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA5040

7925G

http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA6945

The 7921G is not officially WPA/WPA2 Enterprise certified, as we didn't support certificate-based authentication at the time (PEAP and EAP-TLS), but we do now, and the 7925G code is the same as the 7921G, just with slightly different hardware.

As for the 792xG Deployment Guides, I am the one that wrote those docs. :)

There is a statement there in regards to WPA2+CCKM on page 10.

Also, WPA2(TKIP) is not a common or recommended configuration. If wanting to use WPA2 key-management, it is also advised to use AES.

The 792xG does support all those methods, but only supports fast roaming (CCKM) with WPA(TKIP) at the moment.

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf

Cisco Centralized Key Management (CCKM)

When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time.

TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

kfarrington Tue, 06/30/2009 - 00:16

Hi Michael,

Oops. I just fell off my chair. I did not mean to disrespect any of the good work you have done. But my thoughts on this are that the phone and call quality is the most critical thing, and the docs "I think" should make that a little clearer.

The statement above, and please take this as constructive, indicates the following:

"Also, WPA introduces additional transient keys and can lengthen roaming time" - this could say that WPA is worse than WPA2, which we know is not the case; one is just IEEE ratified and one is not. A tad confusing.

"TKIP encryption is recommended when using CCKM" - there is no indication here that CCKM is not supported under WPA2, as you can use TKIP with WPA2 (optional) in 802.11i.

"CCKM does not support AES currently." - Please correct me if I am wrong here, but is it not that WPA does not support AES and WPA2 does, and CCKM has not been ported to WPA2 as yet?

I'm sorry if I have this wrong, but WPA/WPA2 is the framework, AES/TKIP the encryption, and PKC/CCKM the fast roam capabilities. So the way I look at it is that PKC and CCKM are only parts of the framework, but AES and TKIP cover the whole framework, so it would be correct to say WPA/WPA2 support for encryption, and not PKC/CCKM support for encryption.

Please can you respond back to tell me I am wrong or have misunderstood.

Many thx fella,

Ken

migilles Tue, 06/30/2009 - 09:10

792xG is not going to support PKC.

CCKM is the goal for WPA2(AES).

Currently the 792xG only supports WPA+TKIP+CCKM.

Well, it also supports 802.1x+WEP+CCKM, but that combo is not supported on the Cisco WLAN Controller.

CCKM is not supported with WPA+AES, WPA2+TKIP, WPA2+AES on the 792xG.

I am updating the guides now, so point taken and will try to clear that up.

Cheers!

kfarrington Wed, 07/01/2009 - 01:48

Hi Michael, thx mate, and I hope you did not get too miffed at my comments. Without the guides, we would know nothing :) So top job mate!!
