Cisco Support Community

New Member

Experience when moving to WDS + CCKM with WPA?

I have 1231G IOS APs on 12.3(7)JA2, and my users are doing WPA + TKIP, using the Microsoft zero config client on XP. Users do notice a slight delay when moving from AP to AP thanks to the need to reauth to the RADIUS server each time. I plan on moving to the WDS config, and enabling CCKM on the SSIDs to give users the benefits of WDS thanks to the cached creds. I'm wondering - if you have made the same move already, did users see a significant enough improvement to take notice?

New Member

Re: Experience when moving to WDS + CCKM with WPA?

Cisco Employee

Re: Experience when moving to WDS + CCKM with WPA?

You will need a client that supports CCKM if you enable it on the APs - the client needs to support the cached credentials. Windows zero config client on XP doesn't support CCKM, so you'll have to go for a CCX compatible client - check for a list of CCX compatible devices, and for the relevant CCX version. If you use PEAP or TLS, the table ("Mobility" section) directs you to CCX v4 clients.

I recently did an informal test using 12.3(8)JA and WDS using ACS 3.3 as the RADIUS server - result: Using Cisco CB21 a/b/g adapters and WPA/TKIP, I could do a fast roam on the Cisco PEAP (MS-CHAPv2) client, with cached credentials.

On the Intel Centrino 2200BG adapter, using the ProSet client ( driver, ProSet), I had to use WEP/802.1x/CKIP in order to get fast roaming using PEAP MS-CHAPv2 to work - WPA/TKIP wasn't supported for PEAP. According to the above support info, the Intel client is CCXv3 compliant, so PEAP support shouldn't be expected, but it does actually work on the WEP/802.1x/CKIP combination.

When CCKM works for fast roaming, it is pretty seamless - the RADIUS server is not involved at all, when moving from one AP to another with a secure authenticated connection. This reduces the roam time quite dramatically.

You should note that the delay you encounter with the Microsoft zero client is dependent on the load on the RADIUS server, the efficiency of the RADIUS server and the delay between AP and server.