Need your advice. I have been asked what technique we could use for "Pre-emptive Roaming" within the Cisco Centralised WLAN architecture?
FYI: This customer has WLAN (2*WLC4404 with approx. 120APs) implemented in layer3 LWAPP transport mode.
Fast roaming algorithms include Cisco Centralized Key Management (CCKM) and Proactive Key Caching (PKC). CCKM and PKC allow a WLAN client to roam to a new AP and re-establish a new session key known as the Pairwise Transient Key (PTK) between the client and AP without requiring a full IEEE 802.1X/EAP reauthentication to an AAA/RADIUS server.
Both CCKM and PKC are Layer-2 roaming algorithms in that they do not consider any Layer-3 issues such as IP address changes. In the Cisco Unified Wireless Network, clients are allocated IP addresses from subnets that originate at the WLC, not the AP. In this way, it is possible to group large numbers of WLAN clients for a given SSID into the same Layer-2 subnet. This maximizes the scope of the Layer-2 domain and the Fast Secure Roaming domain. Additionally, multiple-WLC deployments support client roaming across APs managed by WLCs in the same mobility group on the same or different subnets. This roaming is transparent to the client because the session is sustained and a tunnel between the WLCs allows the client to continue using the same DHCP-assigned or client-assigned IP address as long as the session remains active.
As I mentioned at the start, they have got WLAN implemented in layer3 LWAPP transport mode and they have got layer 3 enabled instead of layer2. Please correct me if I am missing something on WLAN. Does that mean they would not be able to use Cisco Centralized Key Management (CCKM) or Proactive Key Caching (PKC) roaming techniques, as they are layer2 roaming algorithms?
You are referring to LWAPP transport mode. It is recommended to use L3, which means that the APs will use IP to communicate with the controllers. L2 mode has been disabled in the later versions. This has nothing to do with fast roaming (CCKM or PKC) though. You just need to enable CCKM if using WPA (TKIP). PKC is for WPA2 (AES). I would suggest checking the client documentation to see which fast roaming protocols are supported.
Thanks a lot mate. Does this mean that we can't use CCKM with WPA2 at all, as CCKM is meant to be used for WPA (TKIP) and it is vendor independent as it is given to other WLAN vendors on lease by Cisco (I believe, correct me if I'm wrong)? If I go ahead and recommend using WPA2-PKC, does this allow similar features to CCKM, especially talking to other vendors' NIC cards, IP phones, etc.?
In terms of our systems, we have the latest 5.1 on the WLCs and the latest IOS on the LAPs (forgot the version number).
I understand from your mail that this has nothing to do with the fast roaming, but so far the documents I have been through explain L2 and L3 roaming techniques and algorithms, so I was just confused on this part.
I take it then that I have to stop worrying about L2 and L3 roaming techniques, as I believe we have to run both for intra-controller and inter-controller scenarios (should LAPs be on different subnets).
Has anyone got a good doc explaining the comparison between PKC and CCKM?
Yes, you won't be using CCKM, and you don't need it because you're using a controller.
CCKM is used only with standalone points.
One thing I would look at: if you have more than one controller they have to be in one mobility group, because roaming between APs which are on different controllers (and they're not in the MG) takes much longer, and, for example, your calls will be dropped.
Thanks a lot mate. You have spotted this well; there is actually one MG. The only point I was confused on was L2 and L3 roams.
So, was my statement right that we have to implement L2 and L3 roaming techniques for the intra- and inter-controller roaming scenarios?
Finally, after your guidance, here is my conclusion on roaming; could you please correct me if I am wrong:
"For L2 roams with WPA2-AES, we need to use PKC as roaming algorithm and for L3 roams using Symmetrical Mobility Tunnelling with WPA2-AES, we can also use PKC as fast roaming algorithm".
Thanks again mate for all help.
Not true. CCKM and PKC are supported by the WLAN controller, but only when using WPA or WPA2. PKC is WPA2 specific. CCKM is not supported with 802.1x+WEP on the WLAN controller. Most Cisco clients support CCKM for fast roaming with 802.1x or WPA, but maybe not WPA2. You have to check the client documentation. If you are planning to use AES, then PKC would be the route to go, and there is no special config on the WLAN controller to enable that.
You may want to take a look at the Mobility SRND for more info.
If planning to enable L3 mobility, either via AP group VLANs or roaming between WLAN controllers where the interface bound to the same SSID is in a different VLAN, then you should enable symmetric tunneling.
This wireless is totally a new world to me and is doing my head in on roaming.
So if we are going ahead with an L3 mobility solution with symmetric tunneling, then do we have to use PKC at all, or does it use some other type of algorithm with WPA2 in the L3 roaming scenario?
These are different topics. You can still do fast roaming even when doing L3 mobility. You can use CCKM or PKC there. Check that Mobility SRND, which has a lot of info.
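To make the PKC behaviour discussed in this thread concrete, here is an added Python model that is not from the thread or from Cisco: the PMKID derivation is the IEEE 802.11i one, while the controller-side cache, the sharing of the PMK across mobility-group peers, and all MAC and key values are constructed assumptions. It shows why an intra-controller or same-mobility-group roam needs only a 4-way handshake, and why a roam to a controller outside the group (or a client holding a stale PMK) falls back to full 802.1X.

```python
import hashlib
import hmac


def pmkid(pmk: bytes, ap_bssid: bytes, client_mac: bytes) -> bytes:
    """IEEE 802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_bssid + client_mac, hashlib.sha1).digest()[:16]


class Controller:
    """Hypothetical model of a WLC's PMK cache; not Cisco's implementation."""

    def __init__(self, name: str, ap_bssids: list) -> None:
        self.name = name
        self.ap_bssids = ap_bssids
        self.cache: dict = {}          # PMKID -> PMK
        self.peers: list = []          # other members of the mobility group

    def _precompute(self, client_mac: bytes, pmk: bytes) -> None:
        # PKC: one PMK from EAP yields a PMKID entry for every AP this controller manages.
        for ap in self.ap_bssids:
            self.cache[pmkid(pmk, ap, client_mac)] = pmk

    def full_8021x(self, client_mac: bytes, pmk: bytes) -> None:
        # After the full EAP exchange the PMK lives on the controller, not on one AP.
        self._precompute(client_mac, pmk)
        for peer in self.peers:        # mobility-group peers receive it as well
            peer._precompute(client_mac, pmk)

    def reassociate(self, client_mac: bytes, target_ap: bytes, client_pmk: bytes) -> str:
        # The client places the PMKID for the new BSSID in its reassociation request.
        offered = pmkid(client_pmk, target_ap, client_mac)
        if offered in self.cache:
            return "4-way handshake only"   # new PTK, no RADIUS round trip
        return "full 802.1X/EAP"            # cache miss: reauthenticate


def demo() -> dict:
    client = bytes.fromhex("0011223344aa")                       # constructed client MAC
    pmk = hashlib.sha256(b"constructed PMK from EAP").digest()   # constructed 256-bit PMK
    wlc1 = Controller("WLC-1", [bytes.fromhex("aabbcc000001"), bytes.fromhex("aabbcc000002")])
    wlc2 = Controller("WLC-2", [bytes.fromhex("aabbcc000003")])
    wlc3 = Controller("WLC-3", [bytes.fromhex("aabbcc000004")])  # not in the mobility group
    wlc1.peers = [wlc2]
    wlc1.full_8021x(client, pmk)
    return {
        "intra-controller roam": wlc1.reassociate(client, wlc1.ap_bssids[1], pmk),
        "inter-controller roam, same MG": wlc2.reassociate(client, wlc2.ap_bssids[0], pmk),
        "roam to controller outside MG": wlc3.reassociate(client, wlc3.ap_bssids[0], pmk),
        "stale PMK on client": wlc1.reassociate(client, wlc1.ap_bssids[1], b"\x00" * 32),
    }
```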