Does enabling CCKM on an SSID require a reboot?

Unanswered Question
Aug 11th, 2010

Hello,

I inherited an SSID configured for WPA2 that authenticates with 802.1x through ACS and then AD, and obviously I have some roaming trouble with Ascom phones at this site.

I just upgraded the SSID to support 802.1x + CCKM and in testing it made no difference; I still had several seconds of dead air on some roams, and I'm just wondering if it requires a reboot or something for the change to take effect?

Any thoughts? Thanks!

This is a 4404 on 4.2.207.0

Here are some logs which lead me to believe that it's not using CCKM:

(Cisco Controller) >debug client 00:01:3e:10:c7:f4

Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 STA - rates (3): 4 11 150 12 18 24 36 48 72 96 108 0 0 0 0 0
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 STA - rates (11): 4 11 150 12 18 24 36 48 72 96 108 0 0 0 0 0
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Processing RSN IE type 48, length 38 for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received RSN IE with 1 PMKIDs from mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: Received PMKID:  (16)
Wed Aug 11 12:31:52 2010:      [0000] cf 23 4c bf 24 71 61 b0 c1 8e 92 33 68 11 ed a6
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 No valid PMKID found in the cache for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Unable to compute a valid PMKID from dot1x PMK cache for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Found an entry in the global PMK cache for station 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Unable to compute a valid PMKID from global PMK cache for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [00:19:a9:fc:2a:e0]
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Updated location for station old AP 00:00:00:00:00:00-0, new AP 00:19:a9:fc:18:b0-0
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 0.0.0.0 8021X_REQD (3) Initializing policy
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:19:a9:fc:18:b0
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 apfPemAddUser2 (apf_policy.c:212) Changing state for mobile 00:01:3e:10:80:93 on AP 00:19:a9:fc:18:b0 from Associated to Associated
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Stopping deletion of Mobile Station: (callerId: 48)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending Assoc Response to station on BSSID 00:19:a9:fc:18:b0 (status 0)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 apfProcessAssocReq (apf_80211.c:3888) Changing state for mobile 00:01:3e:10:80:93 on AP 00:19:a9:fc:18:b0 from Associated to Associated
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Station 00:01:3e:10:80:93 setting dot1x reauth timeout = 0
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Stopping reauth timeout for 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 dot1x - moving mobile 00:01:3e:10:80:93 into Connecting state
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAP-Request/Identity to mobile 00:01:3e:10:80:93 (EAP Id 1)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAPOL EAPPKT from mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received Identity Response (count=1) from mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 EAP State update from Connecting to Authenticating for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 dot1x - moving mobile 00:01:3e:10:80:93 into Authenticating state
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Entering Backend Auth Response state for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Processing Access-Challenge for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Entering Backend Auth Req state (id=200) for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 WARNING: updated EAP-Identifer 1 ===> 200 for STA 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAP Request from AAA to mobile 00:01:3e:10:80:93 (EAP Id 200)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAPOL EAPPKT from mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAP Response from mobile 00:01:3e:10:80:93 (EAP Id 200, EAP Type 25)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Entering Backend Auth Response state for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Processing Access-Challenge for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Entering Backend Auth Req state (id=201) for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAP Request from AAA to mobile 00:01:3e:10:80:93 (EAP Id 201)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAPOL EAPPKT from mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAP Response from mobile 00:01:3e:10:80:93 (EAP Id 201, EAP Type 25)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Entering Backend Auth Response state for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Processing Access-Challenge for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Entering Backend Auth Req state (id=202) for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAP Request from AAA to mobile 00:01:3e:10:80:93 (EAP Id 202)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAPOL EAPPKT from mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAP Response from mobile 00:01:3e:10:80:93 (EAP Id 202, EAP Type 25)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Entering Backend Auth Response state for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Processing Access-Accept for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Inserting AAA Override struct for mobile MAC: 00:01:3e:10:80:93, source 4
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Setting re-auth timeout to 0 seconds, got from WLAN config.
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Station 00:01:3e:10:80:93 setting dot1x reauth timeout = 0
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Stopping reauth timeout for 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Creating a PKC PMKID Cache entry for station 00:01:3e:10:80:93 (RSN 2)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Adding BSSID 00:19:a9:fc:18:b5 to PMKID cache for station 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: New PMKID: (16)
Wed Aug 11 12:31:52 2010:      [0000] c1 f9 00 96 b5 9d 1c d4 30 8c 4c 8c b8 03 bc 0f
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Disabling re-auth since PMK lifetime can take care of same.
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAP-Success to mobile 00:01:3e:10:80:93 (EAP Id 202)
Wed Aug 11 12:31:52 2010: Including PMKID in M1  (16)
Wed Aug 11 12:31:52 2010:      [0000] c1 f9 00 96 b5 9d 1c d4 30 8c 4c 8c b8 03 bc 0f
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAPOL-Key Message to mobile 00:01:3e:10:80:93 state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Entering Backend Auth Success state (id=202) for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received Auth Success while in Authenticating state for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 dot1x - moving mobile 00:01:3e:10:80:93 into Authenticated state
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAPOL-Key from mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAPOL-key in PKT_START state (message 2) from mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Stopping retransmission timer for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAPOL-Key Message to mobile 00:01:3e:10:80:93 state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01

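The posted debug can be read mechanically rather than by eye. The following is an added example (my code, not Cisco's and not from the thread): it parses `debug client` output, folds the wrapped EAPOL-Key lines back into single messages, and labels each (re)association as a full 802.1X re-authentication or a PMK reuse, using only message texts that appear in the log above. The first sample is the posted log, shortened; the second is a constructed cache-hit sequence (no WLC "cache hit" message text is assumed, the classifier simply sees no cache miss and no EAP exchange).

```python
"""Classify roams in Cisco WLC `debug client` output as full 802.1X re-authentication
or PMK reuse. Added example for this thread, not Cisco code."""
import re
from dataclasses import dataclass
from typing import Optional

# "Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 <text>"; the MAC is absent on some lines.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): "
                     r"(?:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) )?(?P<msg>.*)$")
EAP_TYPES = {13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}  # IANA method types


@dataclass
class Roam:
    station: str
    started: str                    # WLC timestamp of the (re)association request
    new_ap: Optional[str] = None
    pmkids_offered: int = 0         # PMKIDs in the client's (re)association RSN IE
    cache_miss: bool = False        # WLC logged "No valid PMKID found in the cache"
    identity_request: bool = False  # WLC restarted EAP with EAP-Request/Identity
    aaa_rounds: int = 0             # EAP requests relayed from the RADIUS server
    eap_method: Optional[str] = None
    cache_type: Optional[str] = None  # "PKC" from "Creating a PKC PMKID Cache entry"
    handshake_done: bool = False    # 4-way handshake reached message 3

    @property
    def verdict(self) -> str:
        if self.identity_request:
            return "full 802.1X re-authentication"
        if self.pmkids_offered and not self.cache_miss and self.handshake_done:
            return "PMK reused (fast secure roam)"
        return "incomplete"


def analyse_roams(text: str) -> list[Roam]:
    # Pass 1: [timestamp, mac, message] per line. Wrapped continuation lines (no
    # timestamp, e.g. "state INITPMK (message 1) ...") fold into the preceding event.
    events: list[list] = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if (m := LINE_RE.match(line)):
            events.append([m["ts"], m["mac"], m["msg"]])
        elif events:
            events[-1][2] += " " + line
    # Pass 2: attribute each event to the roam (association) it belongs to.
    roams: list[Roam] = []
    cur: Optional[Roam] = None
    for ts, mac, msg in events:
        if "Processing RSN IE" in msg and mac:      # client's (re)association request
            cur = Roam(station=mac, started=ts)
            roams.append(cur)
        elif cur is None:
            continue
        elif (m := re.search(r"Received RSN IE with (\d+) PMKIDs", msg)):
            cur.pmkids_offered = int(m.group(1))
        elif "No valid PMKID found in the cache" in msg:
            cur.cache_miss = True
        elif (m := re.search(r"new AP ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", msg)):
            cur.new_ap = m.group(1)
        elif "Sending EAP-Request/Identity" in msg:
            cur.identity_request = True
        elif "Sending EAP Request from AAA" in msg:
            cur.aaa_rounds += 1
        elif (m := re.search(r"EAP Type (\d+)", msg)):
            cur.eap_method = EAP_TYPES.get(int(m.group(1)), "type " + m.group(1))
        elif (m := re.search(r"Creating a (\w+) PMKID Cache entry", msg)):
            cur.cache_type = m.group(1)
        elif "(message 3)" in msg:
            cur.handshake_done = True
    return roams


# Sample input: the thread's posted debug, shortened to the decisive lines.
POSTED_LOG = """\
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Processing RSN IE type 48, length 38 for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received RSN IE with 1 PMKIDs from mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 No valid PMKID found in the cache for mobile 00:01:3e:10:80:93
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Updated location for station old AP 00:00:00:00:00:00-0, new AP 00:19:a9:fc:18:b0-0
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAP-Request/Identity to mobile 00:01:3e:10:80:93 (EAP Id 1)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAP Request from AAA to mobile 00:01:3e:10:80:93 (EAP Id 200)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Received EAP Response from mobile 00:01:3e:10:80:93 (EAP Id 200, EAP Type 25)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAP Request from AAA to mobile 00:01:3e:10:80:93 (EAP Id 201)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAP Request from AAA to mobile 00:01:3e:10:80:93 (EAP Id 202)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Creating a PKC PMKID Cache entry for station 00:01:3e:10:80:93 (RSN 2)
Wed Aug 11 12:31:52 2010: 00:01:3e:10:80:93 Sending EAPOL-Key Message to mobile 00:01:3e:10:80:93
                                             state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
"""
# Constructed counter-example (not from the thread): same station, PMKID offered,
# no cache miss, no EAP, straight to the 4-way handshake.
CACHE_HIT_LOG = """\
Wed Aug 11 12:35:10 2010: 00:01:3e:10:80:93 Processing RSN IE type 48, length 38 for mobile 00:01:3e:10:80:93
Wed Aug 11 12:35:10 2010: 00:01:3e:10:80:93 Received RSN IE with 1 PMKIDs from mobile 00:01:3e:10:80:93
Wed Aug 11 12:35:10 2010: 00:01:3e:10:80:93 Updated location for station old AP 00:19:a9:fc:18:b0-0, new AP 00:19:a9:fc:2a:e0-0
Wed Aug 11 12:35:10 2010: 00:01:3e:10:80:93 Sending EAPOL-Key Message to mobile 00:01:3e:10:80:93
                                             state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
"""

if __name__ == "__main__":
    for r in analyse_roams(POSTED_LOG) + analyse_roams(CACHE_HIT_LOG):
        print(f"{r.started} {r.station} -> {r.new_ap}: {r.verdict} "
              f"({r.aaa_rounds} AAA round trips, {r.eap_method}, cache={r.cache_type})")
```

Run against the posted log it reports one roam with a PMKID offered, a cache miss, three AAA round trips of EAP type 25 (PEAP) and a new PKC cache entry: the signature of a full re-authentication rather than a CCKM or PMKID-cache roam. Note that the WLC timestamps have one-second resolution, so this log cannot measure the dead air itself; an over-the-air capture timed from the reassociation request to EAPOL message 4 is needed for that.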
Leo Laohoo Wed, 08/11/2010 - 15:22

I'm no expert on Ascom equipment but what does your particular model require?

It could be that the model's security and/or encryption setting is not compatible with what is being configured.

I can see an Ascom device (MAC address 00:01:3e:10:80:93) getting associated but something in 802.1X is causing issues.

bbxie Wed, 08/11/2010 - 21:28

From the log you provided, the WLC had created a PMK cache for the station by using PKC instead of CCKM, which means the station does not support CCKM (which I believe is part of CCX4); that's why there's no difference when you configure "802.1x+CCKM". You can double check it by using "show pmk-cache all" in the WLC's CLI.

PKC and CCKM are quite similar; both of them use a cached PMK and can do fast secure roaming. In your case, was the station roaming from an AP controlled by one WLC to an AP controlled by another WLC, or just roaming between APs that were controlled by the same WLC? For the first situation, the two WLCs must be configured to belong to the same mobility group and the EoIP tunnel needs to be enabled between them; then you can log in to the two WLCs and use "show pmk-cache all" to see if the station has already created a PMK in the two WLCs. It should be something like:

Type    Station        Entry Lifetime
PKC     Station-MAC    time

If both WLCs have this PMK cache (PKC or CCKM), then you can redo the testing; this time the station should be able to do fast secure roaming. If only the anchor WLC has this PMK cache and the foreign WLC does not, then there won't be fast secure roaming; it is either because these two WLCs are not in the same mobility group, or you need to wait some time for them to sync the PMK cache, or you have to check the station's firmware. BTW, your WLC still uses version 4, which is quite old; you could probably upgrade it and redo the test. Also don't forget to check the station's firmware to see if it needs an upgrade, or if the vendor just can't do CCKM or PKC well.

crazyguitarest Thu, 08/12/2010 - 07:26

Thank you all for the help!

There are three controllers in the mobility group. Roaming between controllers can be fairly seamless, and roaming within the same controller is sometimes seamless and sometimes takes a couple of seconds of dead air.

The phones are Ascom I75 phones, which are updated to the latest firmware and claim to support CCKM.

(Cisco Controller) >show pmk-cache 00:01:3e:10:80:93

PMK-CCKM Cache
                                  Entry
Type    Station              Lifetime   VLAN Override        IP Override
------  -----------------    --------   ------------------   ---------------
RSN     00:01:3e:10:80:93    47275                           0.0.0.0

So the cache that the phone has is "RSN"?
I guess the phones are just choosing to use PMK over CCKM since the WLAN supports it.
Perhaps the best option for me is to go with local PEAP authentication through the controller?

Stephen Rodriguez Thu, 08/12/2010 - 08:39

Not knowing the full config that you have on the WLAN, I'll speak to general best practices.

What I have seen is that if you configure WPA2/AES/802.1x+CCKM, most clients choose to connect with 802.1x and try to use the IEEE standard AES-CCM algorithm for key caching instead of CCKM, since it is Cisco and non-standard.

For WPA2/CCKM the client has to support CCXv5.

In general, I find that WPA/TKIP/CCKM seems to work a lot better in most environments. I also tend not to give the client the option to choose PMK over CCKM.

Can you try WPA/TKIP/CCKM (only) on a WLAN and let us know if that allows the seamless roaming you are looking for?

Cheers,

Steve

bbxie Thu, 08/12/2010 - 18:00

I'm not quite sure what the RSN Type in "show pmk-cache" means; however, since RSN is Robust Secure Network, used to establish secure communication over 802.11 and exchanged between the AP (probe response) and the client (association request), it includes authentication and key management (for example, 802.1x key management), so I guess it just means the PMK is not using either PKC or CCKM, and there's no fast secure roaming available yet.

Since inter-WLC roaming has no problem, and intra-WLC roaming is sometimes good, sometimes not, what's the configured session timeout for the WLAN? You can find that there's an output about lifetime in "show pmk-cache", which means how much time is left before the client has to redo the authentication and regenerate the PMK. This lifetime is influenced by the configured session timeout in WLAN > Advanced. When the session timeout runs out, the client will be required to redo auth, and the client will definitely have no seamless roaming at this time. Try configuring the session timeout to 0 so that it will not be required to redo auth, and see if the roaming issue disappears. You definitely need to decide if you want to do this in the real environment if your company has a strict security policy, but you can give it a try just to find out if it influences the roaming.

Stephen, do you have a definition of the Type when using "show pmk-cache"? BTW, you said CCKM needs CCX5; however, I found it says it is a CCXv4-compliant feature on page 7-22 of the WLC configuration guide 7.0. Is the configuration guide wrong?

crazyguitarest Fri, 08/13/2010 - 07:37

Well, let me clarify: both inter- and intra-controller roaming are generally clean; I just noticed the trouble a lot less with inter-controller roaming because there's a lot less of that, obviously.

I was thinking that the problem could be the session timeout but I found this:

(Cisco Controller) >show wlan 10

WLAN Identifier.................................. 10
Profile Name..................................... ---
Network Name (SSID).............................. ---
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
  NAC-State...................................... Disabled
  Quarantine VLAN................................ 0
Number of Active Clients......................... 47
Exclusionlist.................................... Disabled
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ three vlan 403
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Platinum (voice)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Required
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=6)
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 10.244.16.11 1812
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Enabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
   CKIP ......................................... Disabled
   IP Security................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Learn IP Address....................... Enabled
   Infrastructure MFP protection................. Disabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Band Select...................................... Enabled
Load Balancing................................... Enabled

bbxie Sat, 08/14/2010 - 02:16

Aironet extensions definitely need to be enabled to support CCKM. Test again after you enable it in WLAN > Advanced.
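To tie together the checks raised in this thread (Stephen's point that offering both 802.1x and CCKM lets the client pick plain 802.1X, and bbxie's points about the session timeout and Aironet IE), here is an added example, not Cisco code and not from the thread, that parses a `show wlan` dump and reports which CCKM prerequisites are missing. The sample dump is the one posted above, trimmed; the "after fixes" variant is constructed by flipping the two settings the thread recommends changing. The WPA2 finding is deliberately worded as a check to make, since the thread itself disagrees on whether CCXv4 or CCXv5 is needed for CCKM on WPA2.

```python
"""Check a WLC `show wlan <id>` dump for the CCKM prerequisites discussed in this
thread. Added example, not Cisco code; the sample output is the thread's, trimmed."""
import re

# "Key name............ Value", with nesting shown only by indentation.
KV_RE = re.compile(r"^(?P<indent>\s*)(?P<key>.+?)\.{2,}\s*(?P<val>.*)$")


def parse_show_wlan(text: str) -> dict[str, str]:
    """Flatten the dump to {key: value}. The 'Auth Key Management' block reuses
    names that appear elsewhere ('802.1x' vs the Security-level '802.1X'), so its
    entries are prefixed 'AKM/' and the block ends when indentation decreases."""
    fields: dict[str, str] = {}
    in_akm, akm_indent = False, None
    for raw in text.splitlines():
        if raw.strip() == "Auth Key Management":
            in_akm, akm_indent = True, None
            continue
        m = KV_RE.match(raw)
        if not m:                      # section headers such as "Security" carry no dots
            continue
        indent, key, val = len(m["indent"]), m["key"].strip(), m["val"].strip()
        if in_akm:
            if akm_indent is None:
                akm_indent = indent
            if indent < akm_indent:
                in_akm = False
            else:
                key = "AKM/" + key
        fields[key] = val
    return fields


def cckm_readiness(fields: dict[str, str]) -> list[str]:
    """Findings that explain why a client may not end up using CCKM on this WLAN."""
    findings = []
    cckm = fields.get("AKM/CCKM") == "Enabled"
    if cckm and fields.get("CCX - AironetIe Support") != "Enabled":
        findings.append("CCKM is enabled but Aironet IE support is disabled; the WLC "
                        "needs Aironet IE on the WLAN for CCKM (WLAN > Advanced)")
    if cckm and fields.get("AKM/802.1x") == "Enabled":
        findings.append("Both 802.1x and CCKM AKMs are offered; a client may pick plain "
                        "802.1X with IEEE PMKID caching instead of CCKM")
    timeout = fields.get("Session Timeout", "")
    if timeout not in ("", "0", "Infinity"):
        findings.append(f"Session Timeout is {timeout}; clients must re-authenticate "
                        "when it expires, which is never seamless")
    if cckm and fields.get("WPA2 (RSN IE)") == "Enabled":
        findings.append("CCKM is offered on WPA2; confirm the handsets' CCX version "
                        "supports CCKM with WPA2/AES, not only with WPA/TKIP")
    return findings


# Trimmed from the `show wlan 10` output posted in the thread.
SHOW_WLAN = """\
WLAN Identifier.................................. 10
Session Timeout.................................. Infinity
CCX - AironetIe Support.......................... Disabled
Security
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Enabled
         FT(802.11r)............................. Disabled
FT Reassociation Timeout......................... 20
   Client MFP.................................... Optional
"""


def apply_thread_fixes(dump: str) -> str:
    """Constructed 'after' dump: Aironet IE enabled (bbxie) and the plain 802.1x AKM
    disabled so only CCKM is offered (Stephen's CCKM-only suggestion)."""
    dump = re.sub(r"(CCX - AironetIe Support\.+ )Disabled", r"\1Enabled", dump)
    return re.sub(r"(\n +802\.1x\.+ )Enabled", r"\1Disabled", dump)


if __name__ == "__main__":
    for label, dump in (("as posted", SHOW_WLAN), ("after fixes", apply_thread_fixes(SHOW_WLAN))):
        print(label, "->", cckm_readiness(parse_show_wlan(dump)) or ["no findings"])
```

Paste the full `show wlan` output into `SHOW_WLAN` (or read it from a file) to run it against a real controller; the indentation-based AKM handling is what keeps the Security-level "802.1X" line from being confused with the "802.1x" key-management entry.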
