Cisco Compatible Extensions

Versions and Features


Historically, there have been five versions of the Cisco Compatible Extension (CCX) specification: Version 1 (V1), Version 2 (V2), Version 3 (V3), Version 4 (V4) and Version 5 (V5). Each version has built upon its predecessors. Cisco will continue to support Version 4 (V4) and Version 5 (V5) certifications and the V4 ASD certification until the new CCX Lite is fully available (est. June 2011), and some overlap period will be announced.

The table below lists the primary features of the Cisco Compatible program and, for each, the version or versions that include the feature. After the table is a reference of feature descriptions.

Currently, several features that are required for laptops are not required for application-specific devices (ASDs) that are used exclusively or primarily for data or voice applications. Data ASDs include data capture devices, PDAs, IP cameras and printers. Voice ASDs include single mode, dual mode and smartphones. Every feature that is optional for an ASD is represented in the ASD field as "optional".

CCX Lite Program

Cisco has developed and will be launching a segmented testing and certification program that offers a more modular method of testing and certifying the features that are most relevant to a given WiFi device. The program will initially consist of Foundation, Voice, Location and Management. Only "Foundation" will be required as the minimum test & certification level to achieve the "Cisco Compatible" credential as governed by the Cisco Developer Network (CDN) Program Agreement. The optional service modules will include "Voice", "Location" and "Management" to address what historically have been ASDs or new, evolving WiFi devices that require the specialized feature set. There will be more features and service modules added over time to address the pre-standard feature innovation and new WiFi devices.

Please note that this summary is not an item by item listing of the specification, but is more an overview of feature content.

Note 1: For an Application Specific Device (ASD), either LEAP, EAP-FAST or EAP-TLS is required.

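CCX Lite (Available June 2011) columns: Foundation, Voice, Location, Management.

| Standards | v1 | v2 | v3 | v4 | v5 | ASD | Foundation | Voice | Location | Management |
|---|---|---|---|---|---|---|---|---|---|---|
| IEEE 802.11x | X | X | X | X | X | X | X | | | |
| Wi-Fi compliance | X | X | X | X | X | X | X | | | |
| IEEE 802.1X | X | X | X | X | X | X | X | | | |
| Windows Hardware Quality Labs (WHQL) – for Windows only | X | X | X | X | X | | X | | | |
| Wi-Fi Protected Access (WPA) | | X | X | X | X | X | X | | | |
| IEEE 802.11i – WPA2 | | | X | X | X | X | X | | | |
| Wi-Fi Multimedia (WMM) | | | X | X | X | X | | X | | |
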
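| Security | v1 | v2 | v3 | v4 | v5 | ASD | Foundation | Voice | Location | Management |
|---|---|---|---|---|---|---|---|---|---|---|
| IEEE 802.1X | X | X | X | X | X | X | X | | | |
|     LEAP | X | X | X | X | X | See note 1 | | | | |
|     PEAP with EAP-GTC (PEAP-GTC) | | X | X | X | X | optional | | | | |
|     EAP-FAST | | | X | X | X | See note 1 | X | | | |
|     PEAP with EAP-MSCHAPv2 (PEAP-MSCHAP) | | | | X | X | optional | | | | |
|     EAP-TLS | | | | X | X | See note 1 | | | | |
| Wi-Fi Protected Access (WPA): 802.1X + WPA TKIP | | X | X | X | X | X | X | | | |
|     With LEAP | | X | X | X | X | See note 1 | | | | |
|     With PEAP-GTC | | X | X | X | X | optional | | | | |
|     With EAP-FAST | | | X | X | X | See note 1 | X | | | |
|     With PEAP-MSCHAP | | | | X | X | optional | | | | |
|     With EAP-TLS | | | | X | X | See note 1 | | | | |
| IEEE 802.11i – WPA2: 802.1X + AES | | | X | X | X | X | X | | | |
|     With LEAP | | | X | X | X | See note 1 | | | | |
|     With PEAP-GTC | | | X | X | X | optional | X | | | |
|     With EAP-FAST | | | X | X | | optional | X | | | |
|     With PEAP-MSCHAP | | | | X | X | optional | | | | |
|     With EAP-TLS | | | | X | X | optional | | | | |
| Network Admission Control (NAC) | | | | X | X | | | | | |
| Management Frame Protection | | | | | X | X | X | | | |
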
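| Mobility | v1 | v2 | v3 | v4 | v5 | ASD | Foundation | Voice | Location | Management |
|---|---|---|---|---|---|---|---|---|---|---|
| AP-assisted roaming | | X | X | X | X | X | X | | | |
| Fast 802.1X reauthentication via Cisco Centralized Key Management (CCKM) | | | | | | See note 1 | X | | | |
|     With LEAP | | X | X | X | X | See note 1 | X | | | |
|     With EAP-FAST | | | X | X | X | See note 1 | X | | | |
|     With PEAP-GTC | | | | X | X | | X | | | |
|     With PEAP-MSCHAP | | | | X | X | | X | | | |
|     With EAP-TLS | | | | X | X | optional | X | | | |
| Status/result code Interpretation | | | | X | X | | | | | |
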
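| Quality of Service (QoS) and VLANs | v1 | v2 | v3 | v4 | v5 | ASD | Foundation | Voice | Location | Management |
|---|---|---|---|---|---|---|---|---|---|---|
| Interoperability with APs that support multiple SSIDs and VLANs | X | X | X | X | X | X | | | | |
| Wi-Fi Multimedia (WMM) | | | X | X | X | X | | X | | |
| Call Admission Control | | | | X | X | X | | X | | |
| Expedited Bandwidth Request | | | | X | X | optional | | X | | |
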
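| Performance and Management | v1 | v2 | v3 | v4 | v5 | ASD | Foundation | Voice | Location | Management |
|---|---|---|---|---|---|---|---|---|---|---|
| RF scanning and reporting | | X | X | X | X | X | X | | | |
| AP-specified maximum transmit power | | X | X | X | X | X | X | | | |
| Facility for migrating from LEAP to EAP-FAST* | | | X | X | X | See note 1 | - | | | |
| Single signon on Windows for LEAP and EAP-FAST | | | X | X | X | optional | - | | | |
| Recognition of proxy ARP information element | | | X | X | X | X | X | | | |
| Keep Alive | | | | X | X | optional | - | | | |
| Link Test | | | | X | X | optional | | | | X |
| UPSD | | | | X | X | X | | | | |
| Voice Metrics | | | | X | X | X | | X | | |
| Location | | | | X | X | optional | | | X | |
| Performance | | | | | X | X | X | | | |
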
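| Troubleshooting connectivity | v1 | v2 | v3 | v4 | v5 | ASD | Foundation | Voice | Location | Management |
|---|---|---|---|---|---|---|---|---|---|---|
| Diagnostic Channel | | | | | X | X | | | | X |
| Client Reporting | | | | | X | X | | | | X |
| Roaming and real time Diagnostics | | | | | X | X | | | | X |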

Feature Descriptions

IEEE 802.11
The IEEE, in the 802.11 specification, defines standards for interoperability between a wireless LAN (WLAN) client device and a WLAN infrastructure product such as an AP: 802.11b, 802.11g, and 802.11a. A Cisco Compatible product must be compliant with one or more of 802.11b, 802.11g, and 802.11a.

WEP
WEP is a data encryption mechanism defined in the 802.11b standard. Because tools for hacking WEP keys are readily available, most organizations do not rely on WEP for protection of data transmitted over the air.

Wi-Fi Compliance
The Wi-Fi Alliance tests WLAN products to see if they comply with one or more of 802.11b, 802.11g, and 802.11a. Products that are certified as "Wi-Fi compliant" by the Alliance are interoperable with each other, even if they are from different manufacturers.

IEEE 802.1X
802.1X is the IEEE standard for port-based network access control. 802.1X provides an authentication framework where the user is authenticated by a central authority and authenticates that central authority. Authentication is done using an Extensible Authentication Protocol (EAP) type, such as LEAP, PEAP, or EAP-TLS. When used with WLANs, 802.1X provides not only strong and mutual authentication but also derivation of a dynamic encryption key.

WHQL
WHQL is a Microsoft facility that tests and certifies third-party hardware and driver products for compatibility with Windows operating systems. Products that meet the compatibility requirements are allowed to display Windows logos on product packaging, advertising, collateral, and other marketing materials, indicating that the product has met the standards of Microsoft and that the product works with Windows operating systems. Once a product has received the WHQL logo, it is listed on the Microsoft Hardware Compatibility List.

WPA
WPA is a standards-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs and provides enhanced protection from targeted attacks. WPA was designed to address the weaknesses of WEP. It is a subset of 802.11i, the ratified IEEE standard for WLAN security, and consists of:

  • An authentication mechanism: 802.1X or pre-shared keys
  • An encryption mechanism: Temporal Key Integrity Protocol (TKIP), as defined in 802.11i, which can be supported in software by products that support WEP

TKIP offers three advantages over WEP:

  • Longer initialization vector, which minimizes the chance that a key will be reused during a session
  • Key hashing, which results in a different key for each data packet
  • Message integrity check, which ensures that the message is not altered in transit between sender and receiver

Support for WPA is a requirement for Wi-Fi compliance. In other words, the Wi-Fi Alliance tests for WPA support as part of testing for Wi-Fi compliance. Learn more by reading the Wi-Fi Protected Access, WPA and IEEE 802.11I Q&A.

IEEE 802.11i - WPA2
802.11i is the ratified IEEE standard for WLAN security. WPA2 is the second generation of WPA security from the Wi-Fi Alliance. It describes those products that have passed the Alliance's tests for 802.11i support. It consists of:

  • An authentication mechanism: 802.1X or pre-shared keys
  • An encryption mechanism: Advanced Encryption Standard (AES), as defined in 802.11i.

WPA2 with AES is eligible for FIPS 140-2 compliance. WPA2 will be a requirement for Wi-Fi compliance in 2006. Learn more by reading the Wi-Fi Protected Access, WPA and IEEE 802.11I Q&A.

WMM
WMM is a Wi-Fi Alliance definition of quality of service (QoS). It is a subset of 802.11e, the draft IEEE standard for QoS.

QoS refers to the capability of allocating shared network resources in such a way that selected network traffic, such as that for voice and multimedia applications, receives better service. With QoS, time-sensitive multimedia and voice application traffic receives a higher priority, greater bandwidth, and less delay than best-effort data traffic. With QoS, network managers can manage bandwidth more efficiently across LANs and WANs and even establish service-level agreements (SLAs) with their network users.

QoS provides enhanced and predictable network service by:

  • Supporting dedicated bandwidth for critical users and applications
  • Controlling jitter and latency (required by real-time traffic)
  • Managing and minimizing network congestion
  • Shaping network traffic to smooth the traffic flow
  • Setting network traffic priorities

LEAP
LEAP is an 802.1X (EAP) authentication type developed by Cisco that uses a username and static login password, usually a Windows login password. Cisco recommends that organizations implementing LEAP implement a strong password policy to protect the WLAN from dictionary attacks. Learn more by reading the LEAP Q&A.

PEAP with EAP-GTC
PEAP is an 802.1X (EAP) authentication type where authentication follows this sequence of events:

  • The client uses a digital certificate to authenticate the authentication server
  • The client and server create an encrypted SSL/TLS tunnel
  • The server authenticates the client through EAP messages in the tunnel

With PEAP-GTC, authentication of the client occurs via EAP-GTC, which provides support for several types of passwords, including one-time passwords, to user databases such as Active Directory, Novell Directory Services, and those that use Lightweight Directory Access Protocol (LDAP). Learn more by reading the PEAP Q&A.

EAP-FAST
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is a publicly accessible IEEE 802.1X EAP type developed by Cisco. It is available as an IETF informational draft. EAP-FAST provides protection from a variety of network attacks and uses symmetric key algorithms to achieve a tunneled authentication process. Learn more by reading the EAP-FAST Q&A.

Cisco TKIP
Cisco TKIP is a Cisco implementation of TKIP and includes a hashing algorithm and a message integrity check.

AP-Assisted Roaming
AP-assisted roaming enables a client to roam from one AP to another more quickly by reducing the time that the client spends on scanning for available APs.

Fast 802.1X Reauthentication
Fast 802.1X reauthentication is dependent on Cisco Centralized Key Management (CCKM), a protocol for key management. When Cisco Centralized Key Management is used by both the 802.1X authenticator (typically the AP or a local network device with which the AP interacts) and the client, 802.1X reauthentication does not involve the authentication server, and the number of messages is reduced greatly. The result is 802.1X reauthentication in a few milliseconds.

Multiple SSIDs and VLANs
Many APs support multiple SSIDs and map each SSID to a VLAN. Such a setup allows support for different security types, different user classes, and different application types per SSID and VLAN. It is possible that the AP does not broadcast any of the SSIDs to WLAN clients.

Pre-Standard eDCF
Pre-standard eDCF provides a pre-WMM implementation of an element of 802.11e.

RF Scanning and Reporting
The radio environment reporting feature allows the client device to participate in the Cisco Integrated Wireless Network, Cisco Distributed WLAN Solution. Clients are enabled to provide specific radio environment information in a device's area of operation and report this information back to the network. This reporting will describe and report, in real time, any wireless anomalies affecting the surrounding client air space. Environment reporting allows mobile devices to detect and report any potential problems such as interference, rogue access points, and unauthenticated devices in the surrounding air space. This increases the overall security, visibility, manageability, and performance of the wireless network.

AP-Specified Maximum Transmit Power
Controlling the power output of clients from Cisco Aironet access points increases the reliability and performance of the wireless network. With the ability to identify the number of associated clients, cell sizes, and adjacent access point radio signals, the access points can determine the optimum transmit power required for the clients. The ability to dynamically set client output power during the association process will increase the overall performance of the wireless network and improve WLAN device battery life.

Single Signon
With single signon, the user enters one set of authentication credentials (typically username and password), and those credentials are used for both wireless LAN authentication and domain login. In Version 3 of the specification, this requirement applies to LEAP and EAP-FAST only and is optional for ASDs.

Proxy ARP Recognition
Cisco access points support proxy ARP as defined in RFC 1027 to shield client devices in power-save mode from receiving ARPs that would wake up the client devices and consume some of their battery life. Proxy ARP is enabled by default but can be turned off. Whether or not proxy ARP is active on an AP is conveyed to the clients via the information element in the beacon. Only ASDs must recognize the proxy ARP information element.

CCKM support for EAP-types
Cisco Centralized Key Management is a protocol that enables fast 802.1X reauthentication, whereby the AP does not have to interact with an 802.1X authentication server in order to reauthenticate a client that previously was authenticated. In addition to being fast, CCKM-based reauthentication provides a survivability benefit in that it works even when the network link between the APs and the centralized authentication server is down. This feature provides CCKM support with all the relevant authentication types available. All popular 802.1X types will be available with CCKM support, such as LEAP, EAP-FAST, EAP-PEAP-GTC, EAP-PEAP, EAP-MSCHAP, and EAP-TLS.

L2 Roaming Enhancements
The ability to classify clients and have the clients participate in the roaming process, using information gathered from the infrastructure, allows client devices to improve predictability, reliability, and overall network performance. In contrast, if devices are not classified, categorized, or participating in the roaming decision, specific legacy devices and applications could disrupt overall network performance. Examples of enhanced roaming classifications are 'fast-roam', 'slow roam', and 'a/b/g only'.

Based on the classification of the clients by the network administrator, as the Cisco Compatible Extensions device associates to the infrastructure, the access point will allow, deny or broadcast other APs in the area that can provide service for the associating client. If the AP has the ability to service the client, association will occur and the access point will provide a list of neighboring access points that also have the ability to service the Cisco Compatible Extensions device with the specific feature classifications.

Network Admission Control
Cisco Network Admission Control (NAC) provides a new, comprehensive solution that allows organizations to enforce host patch policies and to regulate noncompliant and potentially vulnerable systems to quarantined environments with limited or no network access. By combining information about endpoint security status with network admission enforcement, Cisco NAC enables organizations to dramatically improve the security of their computing infrastructures.

Cisco Network Admission Control ("NAC") (aka Cisco Self-Defending Network) is a comprehensive security solution that:

  • Allows organizations to enforce host patch policy
  • Grants network access to compliant and trusted devices and restricts access of noncompliant devices
  • Bases the access decision on information such as the device's anti-virus state and operating system patch level
  • Quarantines/segregates users based on virus, worm, and revision levels vs. "clean" WLAN clients

SSIDL - Service Set Identifier List
SSIDL & MBSSID are two alternate methods to support SSIDs from the same AP. SSIDL provides a list of supported SSIDs in a supported beacon. With the classification of each BSSID as a separate advertised BSSID element within SSIDL, up to 16 VLANs/BSSIDs can be created and maintained. Additionally, specific attributes can be assigned to each SSIDL, allowing more efficient use of the medium because broadcasting multiple beacons per BSSID is eliminated.

Call Admission Control (CAC)
To help address the problems of VoIP stability and roaming, an initial Call Admission Control (CAC) scheme is required. With CAC, QoS will be maintained in a network overload scenario by ensuring that the number of active voice calls does not exceed the configured limits on the access point. With this feature, the client device will be capable of integrating layer 2 TSPEC admission control with layer 3 CCM admission control (RSVP). This facilitates providing a fast busy indication to the calling or called parties during times of network congestion. The ability to reserve and control bandwidth for voice improves the quality of voice calls. Good audio quality can now be maintained across low latency roams.

Unscheduled Automatic Power Save Delivery (U-APSD)
Client devices initiate all transactions in U-APSD mode. This allows for low latency transfer of voice packets while providing the client the opportunity to sleep between packet transfers in order to conserve battery power. It is estimated that this feature will improve the available talk time by 2-4 times over a phone not having this feature.

Voice Metrics
With the introduction of VoIP devices into standard WLAN networks, additional VoIP client heuristics are required for operation, troubleshooting, monitoring, and proactively reacting to changes in RF environments that could adversely affect call quality and handset operation. The voice-specific WLAN client reporting information elements include packet jitter, packet loss and roaming delay, along with other information. The information collected and reported would provide network administrators the information required to predict and tune networks for optimum WLAN VoIP performance. The information will also assist network administrators in quickly isolating and distinguishing between problems on the wired vs. wireless network.

Wireless IDS
Support for this feature will require the option element frame reporting found in Cisco Compatible Extensions v2 to be a mandatory element in Cisco Compatible Extensions v4. This feature allows the wireless infrastructure to also use client measurements to do surveillance of the network.

EAP-FAST v4 Enhancements

  • Stateless session resume using PACs
  • Support of machine authentication using PAC
  • Use of other TLS cipher suites in phase 0 and 1 tunnel establishment and provisioning

MBSSID - Multiple Basic Service Set Identifier
The goal of MBSSID is to create unique beacon transmissions for each BSSID, allowing access points to appear to client devices to be several distinct co-located APs or multiple virtual APs. This allows up to 8 MBSSIDs per radio or 16 MBSSIDs per AP (in a dual-radio AP), multiple multicast streams, and support for existing clients with no changes/impact on client devices.

"Diagnostic Channel" Client Troubleshooting
The "Diagnostic Channel" automates the troubleshooting of client problems communicating with the WLAN. When Diagnostic Channel is triggered by a client experiencing communication difficulties, the client and AP will proceed through a defined set of tests and responses to identify the cause of the problem.

Management Frame Protection
Management Frame Protection (MFP) defines a means by which both clients and APs can leverage the security mechanisms defined by IEEE 802.11i to also protect management frames (e.g. authentication and association frames). MFP ensures that all management frames are cryptographically hashed to create a Message Integrity Check (MIC). Another benefit of MFP is instant attack detection & prevention.

Location Service
Through "Location Service" the network infrastructure can advertise location capabilities supported by the WLAN infrastructure and describe the location information that can be provided to CCXv5 clients (location-based content and client-locater services).

Expedited Bandwidth
Expedited Bandwidth ensures priority and quality of emergency calls, voice and data communications.

Status/result code Interpretation – Performance
Optimized roaming performance
