cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2745
Views
10
Helpful
3
Replies

WPAv2-CP or WPAv2 - what's difference

Hi,

On a WLSM with about 60 x 1231 APs.

I login to AP & observe the output of this command,

sh dot11 associations all-client

For some clients "Key Mgmt type" is shown as WPAv2-CP and for other clients as WPAv2.

What's the difference & what does CP mean?

Google on cisco.com & search in cisco.com gove nothing.

Regards, MH

3 Replies 3

Rob Huffman
Hall of Fame
Hall of Fame

Hi Mark,

As usual the "elusive" info from Cisco. Have a look at this description;

If Your AP marks the client as "WPAv2-CP", then cached PMK is used,if is marked WPAv2 it is using a newly negotiated PMK.

PKC stands for Proactive Key Caching. It was designed as an extension to the 802.11i IEEE standard.

Key Caching is a feature that was added to WPA2. This allows a mobile station to cache the master keys (Pairwise Master Key [PMK]) it gains through a successful authentication with an access point (AP), and re-use it in a future association with the same AP. This means that a given mobile device needs to authenticate once with a specific AP, and cache the key for future use. Key Caching is handled via a mechanism known as the PMK Identifier (PMKID), which is a hash of the PMK, a string, the station and the MAC addresses of the AP. The PMKID uniquely identifies the PMK.

Even with Key Caching, a wireless station must authenticate with each AP it wishes to get service from. This introduces significant latency and overheads, which delay the hand-off process and can inhibit the ability to support real-time applications. In order to resolve this issue, PKC was introduced with WPA2.

PKC allows a station to re-use a PMK it had previously gained through a successful authentication process. This eliminates the need for the station to authenticate against new APs when roaming.

PKC is enabled by default with WPA2. Therefore, when you enable WPA2 as Layer 2 security under the WLAN configuration of the WLC, PKC is enabled on the WLC. Also, configure the AAA server and the wireless client for appropriate EAP authentication.

The supplicant used at the client side should also support WPA-2 in order for PKC to work. PKC can also be implemented in an inter-controller roaming environment.

From this doc;

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00808b4c61.shtml

Hope this helps!

Rob

Hi Rob,

That's brilliant - thanks.

So does this mean the client marked WPAv2-CP roamed away from this AP at some earlier time and has now roamed back again? ie. does it indicate some historical information?

Regards, MH

Hi Mark,

You are always welcome. It sure does indicate that this client was associated with this AP at some point and is now using cached info :)

Hope this helps!

Rob

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: