I am currently studying/testing security with autonomous APs and encountered an issue with configuring CCKM. For some reason my wireless clients are not able to connect to the network when I use CCKM as key management. I am using local authentication with EAP-FAST, and my configuration is as below:
aaa group server radius local_group
 server 192.168.20.115 auth-port 1812 acct-port 1813
aaa authentication login local_eap_methods group local_group
dot11 ssid cckm_test
 authentication open eap local_eap_methods
 authentication network-eap local_eap_methods
 authentication key-management wpa cckm

Then under radio d0, I have:

 encryption vlan 600 mode ciphers aes-ccm

Then under local radius server config, I have:

radius-server local
 no authentication mac
 eapfast server-key primary 7 7521265549561E467E23EA3EC038BBEA5C
 nas 192.168.20.115 key 7 02050D4808095E731F
 group eap_fast_test
  vlan 600
  eapfast pac expiry 14
  ssid cckm_test
I have tried to use different clients/drivers for testing, and none of my clients actually; currently I am testing with a 7925 wireless phone, and set the authentication to EAP-FAST. I noticed that if I change the AP configuration under key management to wpa2 (this is the only change I made), then the 7925 phone could connect as soon as I made the change. Looking through the configuration I could not see which part I configured wrong. I have also tested with wpa2 + cckm, however this still failed. When I did "show dot11 association", I could not even see the phone trying to connect to the SSID, and from the phone or PC, the client seems not even trying to connect, so debugs did not really show any output.
There might be some mismatch between my AP configuration and client, which is causing them not to try to talk to each other, however I could not find out what it is. I am running the latest version of code on the AP, and with the phone, I am running 1.4.1 firmware. Can anyone please help to find out what I have missed in the configuration?
To piggyback on Steve's comment: CCKM came along as a means for key caching by Cisco way back in the day. Your devices would need to support CCKM. In some cases, devices (for example Apple) will not connect at all when CCKM is enabled.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Thanks for your reply. Actually I did my test with a 7925 phone, and in the 1.3.4 firmware release notes, it states that this version got full CCKM support. I did my test with the 1.4.1 firmware version and I think CCKM should also be supported in this version: