Cisco Support Community

Autonomous AP with CCKM

hi Experts,

Merry Christmas to everyone.

I am currently studying/testing security with autonomous APs and encountered an issue with configuring CCKM. For some reason my wireless clients are not able to get connected to the network when I use CCKM as key management. I am using local authentication with EAP-FAST, and my configuration is as below:

aaa group server radius local_group
 server auth-port 1812 acct-port 1813

aaa authentication login local_eap_methods group local_group

dot11 ssid cckm_test
  vlan 600
  authentication open eap local_eap_methods
  authentication network-eap local_eap_methods
  authentication key-management wpa cckm
  mbssid guest-mode

then under radio d0, I have:

encryption vlan 600 mode ciphers aes-ccm

then under local radius server config, I have:

radius-server local
  no authentication mac
  eapfast server-key primary 7 7521265549561E467E23EA3EC038BBEA5C
  nas key 7 02050D4808095E731F
  group eap_fast_test
    vlan 600
    eapfast pac expiry 14
    ssid cckm_test

radius-server host auth-port 1812 acct-port 1813 key 7 14141B180F0B7B7977

I have tried to use different clients/drivers for testing, and none of my clients actually, currently I am testing with a 7925 wireless phone, and set the authentication to EAP-FAST. I noticed that if I change the AP configuration under key management to wpa2 (this is the only change I made), then the 7925 phone could connect as soon as I made the change. Looking through the configuration I could not see which part I configured wrong. I have also tested with wpa2 + cckm, however this still failed. When I did "show dot11 association", I could not even see the phone trying to connect to the SSID, and from the phone or PC, the client seems not even trying to connect, so debugs did not really show any output.

There might be some mismatch between my AP configuration and the client, which is causing them not to try to talk to each other; however, I could not find out what it is. I am running the latest version of code on the AP, and with the phone, I am running 1.4.1 firmware. Can anyone please help to find out what I have missed in the configuration?

any comments would be highly appreciated.




Re: Autonomous AP with CCKM

Change your ciphers from AES to TKIP. Unless the client is CCXv5, it won't support AES with CCKM.

Sent from Cisco Technical Support iPhone App

HTH, Steve

Please remember to rate useful posts, and mark questions as answered

Re: Autonomous AP with CCKM

To piggyback on Steve's comment: CCKM came along as a means for key caching by Cisco way back in the day. Your devices would need to support CCKM. In some cases devices, for example Apple, will not connect at all when CCKM is enabled.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Re: Autonomous AP with CCKM

hi Stephen and George,

Thanks for your reply. Actually I did my test with a 7925 phone, and in the 1.3.4 firmware release notes it states that this version got full CCKM support. I did my test with the 1.4.1 firmware version and I think CCKM should also be supported in this version:

I remember I have tested the same with WLC based APs and I got no problems with connecting to the WLC (WPA2 CCKM with local auth using EAP-FAST, with AES enabled).

is there anything else which could be missed here?

thanks for your time and help.



Re: Autonomous AP with CCKM

Andy, I would try setting the IOS AP to TKIP. Although the release notes say it is fully supported, there are times that things might be fully supported on a WLC but not in Autonomous, for example.

Also, make sure you have aironet IE enabled on the Autonomous AP.
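
An offline check for the two points raised in the replies (TKIP in the cipher list of a CCKM SSID, and Aironet IE left enabled on the radio), as an added example that is not part of any post in this thread. The function names are hypothetical, and the sample config is constructed: its SSID block and encryption line follow the question, while the interface name, the `ssid` attachment and the `no dot11 extension aironet` line are assumed for illustration.

```python
import re

# Constructed sample. The SSID block and encryption line follow the question;
# the interface name, "ssid" attachment and "no dot11 extension aironet" are assumed.
SAMPLE = """\
dot11 ssid cckm_test
 vlan 600
 authentication open eap local_eap_methods
 authentication network-eap local_eap_methods
 authentication key-management wpa cckm
 mbssid guest-mode
!
interface Dot11Radio0
 encryption vlan 600 mode ciphers aes-ccm
 no dot11 extension aironet
 ssid cckm_test
!
"""

def parse_blocks(config):
    """Map each top-level command to the list of indented sub-commands under it."""
    blocks, parent = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and parent is not None:
            blocks[parent].append(line)
        else:
            parent = line
            blocks.setdefault(parent, [])
    return blocks

def check_cckm(config):
    """Return (ssid, radio, issue) tuples for the two points raised in the replies."""
    blocks, findings = parse_blocks(config), []
    for head, subs in blocks.items():
        ssid = re.fullmatch(r"dot11 ssid (\S+)", head)
        if not ssid or not any(re.match(r"authentication key-management\b.*\bcckm\b", s) for s in subs):
            continue  # only SSIDs that enable CCKM are of interest
        vlan = next((s.split()[1] for s in subs if re.fullmatch(r"vlan \d+", s)), None)
        for radio, rsubs in blocks.items():
            if not radio.startswith("interface Dot11Radio") or f"ssid {ssid.group(1)}" not in rsubs:
                continue
            name = radio.split()[1]
            for s in rsubs:
                enc = re.fullmatch(r"encryption (?:vlan (\d+) )?mode ciphers (.+)", s)
                if enc and enc.group(1) == vlan and "tkip" not in enc.group(2).split():
                    findings.append((ssid.group(1), name, "cipher-without-tkip"))
            if "no dot11 extension aironet" in rsubs:
                findings.append((ssid.group(1), name, "aironet-ie-disabled"))
    return findings
```

Running `check_cckm` over a saved copy of the AP's running configuration lists each CCKM SSID whose radio matches either condition; an empty list means neither applies.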
