What is CCKM, and how does it affect Fast and Secure Roaming?
Some applications that run on a client device may require fast roaming between Access Points (APs). Voice applications, for example, require seamless roaming to prevent delays and gaps in conversation. Support for fast roaming is available for LEAP-enabled clients in Install Wizard version 1.1 or later.
CCKM Fast Secure Roaming
CCKM (Cisco Centralized Key Management) fast secure roaming is enabled automatically for CB21AG and PI21AG clients using WPA/WPA2/CCKM with LEAP, EAP-FAST, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2). However, this feature must be enabled on the access point.
During normal operation, EAP-enabled clients mutually authenticate with a new access point by performing a complete EAP authentication, including communication with the main RADIUS server. However, when you configure your wireless LAN for CCKM fast secure roaming, EAP-enabled clients securely roam from one access point to another without the need to reauthenticate with the RADIUS server. Using Cisco Centralized Key Management (CCKM), an access point that is configured for wireless domain services (WDS) uses a fast rekeying technique that enables Cisco client devices to roam from one access point to another typically in under 150 milliseconds (ms). CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions.
If you want to enable CCKM fast secure roaming on the client adapter, you must choose the WPA/WPA2/CCKM security option on the Profile Management (Security) window, regardless of whether you want the adapter to use WPA or WPA2. The configuration of the access point to which your client adapter associates determines whether CCKM will be used with 802.1x, WPA, or WPA2.
Access points must use Cisco IOS Release 12.2(11)JA or later to enable CCKM fast secure roaming. Refer to the documentation for your access point for instructions on enabling this feature.
The Microsoft Wireless Configuration Manager and the Microsoft 802.1X supplicant, if installed, must be disabled in order for CCKM fast secure roaming to operate correctly. If your computer is running Windows XP and you chose to configure your client adapter using ADU during installation, these features should already be disabled. Similarly, if your computer is running Windows 2000, the Microsoft 802.1X supplicant, if installed, should already be disabled. Refer to Chapter 10, if you need additional information.
Cisco Centralized Key Management (CCKM) helps to improve roaming. Only the client can initiate the roaming process, which depends on factors such as these:
- Overlap between APs
- Distance between APs
- Channel, signal strength, and load on the AP
- Data rates and output power
A wireless client that starts to search for a stronger signal depends on its roaming algorithm, which is different for different client cards. A Cisco wireless client card continualy scans for a better AP. This causes the client card to look for a better AP when the signal strength of its associated AP is less than the specified value.
The user can specify the time and signal strength in ACU version 6.1 or later, which is included in Install Wizard version 1.1 or later.
CCKM-authenticated client devices can roam from one AP to another without any perceptible delay during reassociation. An AP on the network provides Wireless Domain Services (WDS) and creates a cache of security credentials for CCKM-enabled client devices on the subnet. The WDS APs cache of credentials dramatically reduces the time required for re-association when a CCKM-enabled client device roams to a new AP. When a client device roams, the WDS AP forwards the client's security credentials to the new AP. The re-association process is reduced to a two-packet exchange between the roaming client and the new AP. Roaming clients reassociate so quickly that there is no perceptible delay in voice or other time-sensitive applications.
CCKM (Cisco Centralized Key Management)
Wireless Domain Services (WDS)
CCKM settings can be configured on both the AP (Cisco IOS ) and the client. CCKM is not supported on Vx-works-based APs.