Does 7921 support WPA2+AES+PKC?

Roman Rodichev
Level 7

Does Cisco IP Phone 7921G support WPA2+AES+PKC? I know it supports WPA2+AES, but documentation is not clear if it supports PKC.

Or do I _have to_ use WPA+TKIP+CCKM to support fast secure roaming in CUWN environment?

VoWLAN design guide 4.1 recommends using WPA+TKIP+CCKM. Is that because the phone doesn't support PKC? Is that going to change?


17 Replies

migilles
Cisco Employee

No PKC is not supported. The only fast roaming method supported today is CCKM, which is with WPA(TKIP) or 802.1x(WEP). WPA2+CCKM is being investigated.

I just tested it out of curiosity, and it behaves like you said: I hear gaps when roaming with WPA2 and no gaps when roaming with WPA.

I also noticed that in the "show pmk-cache all" output using WPA2 policy, the 7921G phone shows up with "RSN", and the other two, which are CB21 cards, show up with "CCKM". I find that strange; I was actually expecting to see the phone with "CCKM", since it doesn't support PKC, and the CB21s with "RSN", which I thought would support PKC.

(Cisco Controller) >show pmk-cache all

PMK-CCKM Cache

Entry
Type    Station            Lifetime  VLAN Override       IP Override
------  -----------------  --------  ------------------  ---------------
RSN     00:1e:4a:3e:e3:61  1475                          0.0.0.0
CCKM    00:40:96:a6:ed:e4  1475                          0.0.0.0
CCKM    00:40:96:b0:06:98  1750                          0.0.0.0

Is my logic out of whack?
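As an added example (not from this thread, and not Cisco's code), here is a small parser for the "show pmk-cache all" output quoted above that splits the cached entries by type, so an operator can see which clients hold a CCKM entry and which only an RSN one. It assumes the column layout shown in the post, including that a blank VLAN Override column simply leaves a gap in the row.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: the "show pmk-cache all" output quoted in this thread,
# re-aligned; nothing here was captured from a live controller.
SAMPLE_OUTPUT = """\
(Cisco Controller) >show pmk-cache all
PMK-CCKM Cache
Entry
Type    Station            Lifetime  VLAN Override       IP Override
------  -----------------  --------  ------------------  ---------------
RSN     00:1e:4a:3e:e3:61  1475                          0.0.0.0
CCKM    00:40:96:a6:ed:e4  1475                          0.0.0.0
CCKM    00:40:96:b0:06:98  1750                          0.0.0.0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# kind is the entry type as printed ("RSN" or "CCKM"); lifetime is the
# remaining seconds; the overrides are "" when their column is blank.
PmkEntry = namedtuple("PmkEntry", "kind station lifetime vlan_override ip_override")

def parse_pmk_cache(text):
    """Parse the data rows of 'show pmk-cache all' into PmkEntry records."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows are <type> <mac> <lifetime> [vlan] [ip]; the prompt, headers
        # and separator line never carry a MAC address in the second field.
        if len(fields) < 3 or not MAC_RE.match(fields[1]):
            continue
        # Both override columns are optional and the VLAN column can be blank
        # while the IP column is set, so classify trailing tokens by shape.
        vlan = ip = ""
        for token in fields[3:]:
            if "." in token:
                ip = token
            else:
                vlan = token
        entries.append(PmkEntry(fields[0], fields[1].lower(), int(fields[2]), vlan, ip))
    return entries

def count_by_type(entries):
    """Cached clients per key-management type, e.g. {'RSN': 1, 'CCKM': 2}."""
    return dict(Counter(e.kind for e in entries))

def stations_without_cckm(entries):
    """MACs whose entry is not CCKM, the only fast-roaming method confirmed here."""
    return [e.station for e in entries if e.kind != "CCKM"]
```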

The 7921/7925 gives precedence to the strongest key-management then cipher, so if you have WPA2+AES enabled, then it will not use CCKM, as that combo is not supported as mentioned in the previous post. We do send the key info but only after successfully associated to an AP previously. This implementation is more in line with OKC vs PKC, which is not supported on the WLC.

So currently there is no supported fast roaming mechanism with WPA2 using the WLAN controller and the 7921/7925.

If you like you can bring this topic up to your local Cisco account team to discuss further.

Thanks!

Hi Michael,

Please can I ask. You state the following: that there is no fast roaming for WPA2.

I need to get this straight in my Head.

WPA+TKIP+CCKM

WPA is just a standards name

TKIP = key management and encryption

CCKM = fast roaming capability

WPA2+TKIP+CCKM

WPA2 is just a standards name

TKIP = key management and encryption

CCKM = fast roaming capability

Why can't you use CCKM with WPA2? I thought with WPA2 you had the choice to use either PKC or CCKM?

Is that incorrect?

Many thx indeed,

Ken

Also mate,

Can I just confirm this really important point (some people may think I'm bonkers)!

WPA and WPA2

These are just names for a collection of protocols, i.e. a framework including 802.1x, EAP, PSK, TKIP, AES, PKC, CCKM, etc.

WPA and WPA2 do not actually do anything. Correct?

Many thx indeed. This is really important for me :)

Many thx

Ken

Am I correct?

WPA and WPA2 are the key management schemes and standards from the WiFi Alliance.

There are enterprise and personal versions, where enterprise requires 802.1x and personal uses a pre-shared key.

Currently CCKM is only supported with WPA + TKIP.

PKC is not the long-term vision for fast roaming and not supported by 792x clients.

OK, very sorry about this mate.

You say that WPA and WPA2 are the key management schemes.

Would you mind letting me know what the difference is?

Is it that WPA2 uses RSN to exchange keys and WPA does not? If so, what does WPA use?

The way I always understood it is that EAP (well, EAPOL), the 4-way handshake, is the key management scheme, and this is the same in WPA and WPA2; then if a client roams, CCKM could be used for "roaming" key management (Cisco proprietary) for WPA, as there is no standards-based roaming key management in WPA, and PKC for "roaming" key management for WPA2?

Also, why is CCKM not supported on WPA2 if Cisco thinks that CCKM is the way forward?

I'm sorry, I am a little confused about this?

Many thx

Ken

Michael, and all,

Please could you review this spreadsheet for me. I pulled most of this from a Cisco Press book, but I have added the roaming column and put some notes in there.

Please can you confirm the following SS is correct and these two notes.

* NOTE: Authentication Method and Key Management mean the same thing (please see PS comment below)

** NOTE: Roaming Key Management is separate from First time Key management

Many thx indeed. It can just be so confusing and I want to tie this up once and for all :)

PS. Should I split Authentication and Key management into two separate columns, i.e. would this be correct: Authentication is 802.1x and EAP is the key management?

Many thx

Ken

Sorry, attached file :)

There are supplicant changes needed to support WPA2+CCKM, which is why it's not supported today.

For your spreadsheet, it looks good for the most part except no fast roaming with WPA-PSK, so remove CCKM.

Also add CCKM for WPA2.

You can also do WPA(AES) and WPA2(TKIP), although they are not recommended or common configurations as it is typically WPA(TKIP) and WPA2(AES).

No fast roaming support when using WPA2 and the 792xG.

Many thx for the info mate.

I'm a little confused though, you say that WPA2+CCKM is not supported, but then say add CCKM for WPA2?

Sorry about this, just a little confused?

Kind regards,

Ken

Ok, if your doc is 792xG specific, then drop CCKM for WPA2. I thought this doc was not 792xG specific and was listing possibilities. WPA2 + CCKM is a CCX v5 feature, which the 792xG does not support.

If you enable WPA2, then there will be no fast roaming used when the 792xG roams from AP to AP and will hit the RADIUS server for each roam.

Hi Michael,

Once again, many thx for all your help to date. It has been invaluable!!

Yes I found this out to my cost.

Now. Here are a couple of points.

The VoWLAN design guides and 792xG deployment guides list everything in them. PKC, CCKM, WPA, WPA2, TKIP, AES, bla bla bla.

On the 792x deployment guides: why can't they have a statement saying "The 802.11i RSN framework", i.e. WPA2 "in full", is not supported on our phones?

I raised this with AS as I was mightily disappointed. I'm over it now. Had BEER :)

So, does anyone know when the phones will be fully compliant with the 802.11i standard?

Also, when speaking to TAC, there was a misconception that if you run WPA2, you must run AES, but 802.11i states you can run TKIP and we do.

***** The 802.11i IEEE document is a must read for anyone. *****

Also, on another point, would you know of a vendor phone that has the following capabilities and runs with the CUWN.

1. A Radio

2. 802.11i compliant

3. can run skinny client

Once again, many thanks for the great help :)

Kind regards,

Ken

OK, first off, the 7921G and 7925G are WPA/WPA2 certified.

7921G

http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA5040

7925G

http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA6945

The 7921G is not officially WPA/WPA2 Enterprise certified as we didn't support certificate-based authentication at the time (PEAP and EAP-TLS), but we do now, and the 7925G code is the same as the 7921G, just slightly different hardware.

As for the 792xG Deployment Guides, I am the one that wrote those docs. :)

There is a statement there in regards to WPA2+CCKM on page 10.

Also WPA2(TKIP) is not a common or recommended configuration. If wanting to use WPA2 key-management it is also advised to use AES.

But the 792xG does support all those methods, but only supports fast roaming (CCKM) with WPA(TKIP) at the moment.

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf

Cisco Centralized Key Management (CCKM)

When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time.

TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.
