04-19-2009 11:02 AM - edited 07-03-2021 05:27 PM
Does Cisco IP Phone 7921G support WPA2+AES+PKC? I know it supports WPA2+AES, but documentation is not clear if it supports PKC.
Or do I _have to_ use WPA+TKIP+CCKM to support fast secure roaming in CUWN environment?
VoWLAN design guide 4.1 recommends using WPA+TKIP+CCKM. Is that because the phone doesn't support PKC? Is that going to change?
04-19-2009 01:15 PM
No PKC is not supported. The only fast roaming method supported today is CCKM, which is with WPA(TKIP) or 802.1x(WEP). WPA2+CCKM is being investigated.
04-20-2009 12:32 AM
I just tested it out of curiosity, and it behaves like you said: I hear gaps when roaming with WPA2 and no gaps when roaming with WPA.
I also noticed that in the "show pmk-cache all" output using WPA2 policy, the 7921G phone shows up with "RSN", while the other two, which are CB21 cards, show up with "CCKM". I find that strange; I was actually expecting to see the phone with "CCKM", since it doesn't support PKC, and the CB21s with "RSN", which I thought would support PKC.
(Cisco Controller) >show pmk-cache all
PMK-CCKM Cache
Type   Station            Lifetime   VLAN Override      IP Override
------ ------------------ ---------- ------------------ ---------------
RSN    00:1e:4a:3e:e3:61  1475                          0.0.0.0
CCKM   00:40:96:a6:ed:e4  1475                          0.0.0.0
CCKM   00:40:96:b0:06:98  1750                          0.0.0.0
Is my logic out of whack?
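As an added illustration (not code from the thread or from Cisco), a small Python parser for the "show pmk-cache all" output above that classifies each cached entry and, using the 792xG behaviour described in this thread, flags stations that will still do a full 802.1X re-authentication on every roam. The sample text is constructed from the three rows shown, and the `client_supports_pkc` flag is an assumption supplied by the caller.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three cache rows quoted in this thread, re-aligned into columns.
SAMPLE_OUTPUT = """\
(Cisco Controller) >show pmk-cache all
PMK-CCKM Cache
Type   Station            Lifetime   VLAN Override      IP Override
------ ------------------ ---------- ------------------ ---------------
RSN    00:1e:4a:3e:e3:61  1475                          0.0.0.0
CCKM   00:40:96:a6:ed:e4  1475                          0.0.0.0
CCKM   00:40:96:b0:06:98  1750                          0.0.0.0
"""

# One cache row: key-management type, client MAC, remaining PMK lifetime (seconds).
ENTRY_RE = re.compile(
    r"^(?P<type>RSN|CCKM)\s+(?P<station>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<lifetime>\d+)",
    re.IGNORECASE,
)

@dataclass
class PmkEntry:
    kmgmt: str      # "CCKM" or "RSN"
    station: str    # client MAC, lower-case
    lifetime: int   # seconds until the cached PMK expires

def parse_pmk_cache(text):
    """Parse WLC 'show pmk-cache all' text; prompt, title and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(PmkEntry(m["type"].upper(), m["station"].lower(), int(m["lifetime"])))
    return entries

def fast_roam_expected(entry, client_supports_pkc):
    """A CCKM entry means the client roams without a full 802.1X exchange. An RSN entry
    only helps a client that can reuse the cached PMK (PKC/OKC style); the thread states
    the 792xG cannot, so for it an RSN entry still means a RADIUS round-trip per roam."""
    return entry.kmgmt == "CCKM" or client_supports_pkc

def summarize(entries, client_supports_pkc=False):
    """Per-type counts plus the stations expected to re-authenticate on each roam."""
    counts, slow = {}, []
    for e in entries:
        counts[e.kmgmt] = counts.get(e.kmgmt, 0) + 1
        if not fast_roam_expected(e, client_supports_pkc):
            slow.append(e.station)
    return {"counts": counts, "full_reauth_on_roam": slow}
```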
04-21-2009 12:43 PM
The 7921/7925 gives precedence to the strongest key-management then cipher, so if you have WPA2+AES enabled, then will not use CCKM as that combo is not supported as mentioned in the previous post. We do send the key info but only after successfully associated to an AP previously. This implementation is more inline with OKC vs PKC, which is not supported on the WLC.
So currently there is no supported fast roaming mechanism with WPA2 using the WLAN controller and the 7921/7925.
If you like you can bring this topic up to your local Cisco account team to discuss further.
Thanks!
06-05-2009 07:03 AM
Hi Michael,
Please can I ask: you state that there is no fast roaming for WPA2.
I need to get this straight in my head.
WPA+TKIP+CCKM
WPA is just a standards name
TKIP = key management and encryption
CCKM = fast roaming capability
WPA2+TKIP+CCKM
WPA2 is just a standards name
TKIP = key management and encryption
CCKM = fast roaming capability
Why can't you use CCKM with WPA2? I thought with WPA2 you had the choice to use either PKC or CCKM?
Is that incorrect?
Many thx indeed,
Ken
06-05-2009 07:29 AM
Also mate,
Can I just confirm this really important point (some people may think I'm bonkers)!
WPA and WPA2
These are just names for a collection of protocols, i.e. a framework including 802.1x, EAP, PSK, TKIP, AES, PKC, CCKM, etc.
WPA and WPA2 do not actually do anything. Correct?
Many thx indeed, This is really important for me :)
Many thx
Ken
Am I correct?
06-05-2009 03:09 PM
WPA and WPA2 are the key management schemes and standards from the WiFi Alliance.
There are enterprise and personal versions, where enterprise requires 802.1x and personal uses a pre-shared key.
Currently CCKM is only supported with WPA + TKIP.
PKC is not the long-term vision for fast roaming and not supported by 792x clients.
06-08-2009 01:01 AM
OK, very sorry about this mate.
You say that WPA and WPA2 are the key management schemes.
Would you mind letting me know what the difference is?
Is it that WPA2 uses RSN to exchange keys and WPA does not? If so, what does WPA use?
The way I always understood it is that EAP (well, EAPOL, the 4-way handshake) is the key management scheme, and this is the same in WPA and WPA2; then if a client roams, CCKM could be used for "roaming" key management (Cisco proprietary) for WPA, as there is no standards-based roaming key management in WPA, and PKC for "roaming" key management for WPA2?
Also, why is CCKM not supported on WPA2 if Cisco thinks that CCKM is the way forward?
I'm sorry, I am a little confused about this.
Many thx
Ken
06-08-2009 06:32 AM
Michael, and all,
Please could you review this spreadsheet for me. I pulled most of this from a Cisco Press book, but I have added the roaming column and put some notes in there.
Please can you confirm the following SS is correct and these two notes.
* NOTE: Authentication Method and Key Management mean the same thing (pls see ps comment below)
** NOTE: Roaming Key Management is separate from First time Key management
Many thx indeed. It can just be so confusing and want to tie this up once and for all :)
ps. Should I split Authentication and Key management into two separate columns, i.e. would this be correct: Authentication is 802.1x and EAP is the key management?
Many thx
Ken
06-08-2009 06:36 AM
06-21-2009 10:05 AM
There are supplicant changes needed to support WPA2+CCKM, which is why it's not supported today.
For your spreadsheet, it looks good for the most part except no fast roaming with WPA-PSK, so remove CCKM.
Also add CCKM for WPA2.
You can also do WPA(AES) and WPA2(TKIP), although they are not recommended or common configurations as it is typically WPA(TKIP) and WPA2(AES).
No fast roaming support when using WPA2 and the 792xG.
06-22-2009 03:20 AM
Many thx for the info mate.
I'm a little confused though: you say that WPA2+CCKM is not supported, but then say add CCKM for WPA2?
Sorry about this, just a little confused?
Kind regards,
Ken
06-28-2009 11:24 PM
Ok, if your doc is 792xG specific, then drop CCKM for WPA2. I thought this doc was not 792xG specific and was listing possibilities. WPA2 + CCKM is a CCX v5 feature, which the 792xG does not support.
If you enable WPA2, then there will be no fast roaming used when the 792xG roams from AP to AP and will hit the RADIUS server for each roam.
06-29-2009 10:49 PM
Hi Michael,
Once again, many thx for all your help to date. It has been invaluable!!
Yes I found this out to my cost.
Now. Here are a couple of points.
The VoWLAN design guides and 792xG deployment guides list everything in them. PKC, CCKM, WPA, WPA2, TKIP, AES, bla bla bla.
On the 792x Deployment guides, why can't they have a statement saying "The 802.11i RSN framework", i.e. WPA2 "in full", is not supported on our phones?
I raised this with AS as I was mightily disappointed. I'm over it now. Had BEER :)
So, does anyone know when the phones will be fully compliant with the 802.11i standard?
Also, when speaking to TAC, there was a misconception that if you run WPA2, you must run AES, but 802.11i states you can run TKIP and we do.
***** The 802.11i IEEE document is a must read for anyone. *****
Also, on another point, would you know of a vendor phone that has the following capabilities and runs with the CUWN.
1. A Radio
2. 802.11i compliant
3. can run skinny client
Once again, many thanks for the great help :)
Kind regards,
Ken
06-29-2009 11:39 PM
Ok first off the 7921G and 7925G are WPA/WPA2 certified.
7921G
http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA5040
7925G
http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA6945
The 7921G is not officially WPA/WPA2 Enterprise certified as we didn't support certificate-based authentication at the time (PEAP and EAP-TLS), but do now, and the 7925G code is the same as the 7921G, just slightly different hardware.
As for the 792xG Deployment Guides, I am the one that wrote those docs. :)
There is a statement there in regards to WPA2+CCKM on page 10.
Also WPA2(TKIP) is not a common or recommended configuration. If wanting to use WPA2 key-management it is also advised to use AES.
But the 792xG does support all those methods, but only supports fast roaming (CCKM) with WPA(TKIP) at the moment.
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf
Cisco Centralized Key Management (CCKM)
When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time.
TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.