The OEAP 600 series does not
support fast roaming for clients. Dual mode voice clients will experience
reduced call quality when they roam between the two spectrums on OEAP602 access
point. We recommend that you configure voice devices to only connect on one
band, either 2.4 GHz or 5 GHz.
The Cisco WLC software
supports CCX versions 1 through 5. CCX support is enabled automatically for
every WLAN on the controller and cannot be disabled. The controller stores the
CCX version of the client in its client database and uses it to limit client
functionality. Clients must support CCXv4 or v5 in order to use CCKM. For more
information about CCX, see the Configuring Cisco Client Extensions section.
In a unified
architecture where multiple VLAN clients are supported for a WGB, you also need
to configure encryption cipher suite and WEP keys globally, when the WEP
encryption is enabled on the WGB. Otherwise, multicast traffic for wired VLAN
Information About WLAN for Static WEP
You can configure up to four
WLANs to support static WEP keys.
Follow these guidelines when configuring a WLAN for static
When you configure static WEP
as the Layer 2 security policy, no other security policies can be specified.
That is, you cannot configure web authentication. However, when you configure
static WEP as the Layer 2 security policy, you can configure web
encryption method is not supported. The last release to support this method was
Release 7.0 (188.8.131.52 and later 7.0 releases).
Wi-Fi Protected Access (WPA or WPA1) and WPA2 are standards-based security solutions from the Wi-Fi Alliance that provide data protection and access control for wireless LAN systems. WPA1 is compatible with the IEEE 802.11i standard but was implemented prior to the standard’s ratification; WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard.
By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for data protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Both WPA1 and WPA2 use 802.1X for authenticated key management by default. However, these options are also available:
802.1X—The standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply 802.1X. An access point that supports 802.1X acts as the interface between a wireless client and an authentication server, such as a RADIUS server, to which the access point communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported.
PSK—When you choose PSK (also known as WPA preshared key or WPA passphrase), you need to configure a preshared key (or a passphrase). This key is used as the pairwise master key (PMK) between the clients and the authentication server.
CCKM—Cisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables clients to roam from one access point to another without going through the controller, typically in under 150 milliseconds (ms). CCKM reduces the time required by the client to mutually authenticate with the new access point and derive a new session key during reassociation. CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions. CCKM is a CCXv4-compliant feature. If CCKM is selected, only CCKM clients are supported.
When CCKM is enabled, the behavior of access points differs from the controller's for fast roaming in the following ways:
If an association request sent by a client has CCKM enabled in a Robust Secure Network Information Element (RSN IE) but CCKM IE is not encoded and only PMKID is encoded in RSN IE, then the controller does not do a full authentication. Instead, the controller validates the PMKID and does a four-way handshake.
If an association request sent by a client has CCKM enabled in RSN IE but CCKM IE is not encoded and only PMKID is encoded in RSN IE, then AP does a full authentication. The access point does not use PMKID sent with the association request when CCKM is enabled in RSN IE.
802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
On a single WLAN, you can allow WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM clients to join. All of the access points on such a WLAN advertise WPA1, WPA2, and 802.1X/PSK/CCKM/ 802.1X+CCKM information elements in their beacons and probe responses. When you enable WPA1 and/or WPA2, you can also enable one or two ciphers, or cryptographic algorithms, designed to protect data traffic. Specifically, you can enable AES and/or TKIP data encryption for WPA1 and/or WPA2. TKIP is the default value for WPA1, and AES is the default value for WPA2.
Configuring WPA1+WPA2 (GUI)
WLANs to open the
Click the ID number of the
desired WLAN to open the
> Edit page.
Layer 2 tabs to
> Edit (Security > Layer 2) page.
WPA+WPA2 from the
Layer 2 Security drop-down list.
Under WPA+WPA2 Parameters, select the
WPA Policy check
box to enable WPA1, select the
WPA2 Policy check
box to enable WPA2, or select both check boxes to enable both WPA1 and WPA2.
The default value is disabled
for both WPA1 and WPA2. If you leave both WPA1 and WPA2 disabled, the access
points advertise in their beacons and probe responses information elements only
for the authentication key management method that you choose in
AES check box to
enable AES data encryption
TKIP check box to
enable TKIP data encryption for WPA1, WPA2, or both. The default values are
TKIP for WPA1 and AES for WPA2.
Choose one of the following
key management methods from the Auth Key Mgmt drop-down list:
Cisco OEAP 600 does not
support CCKM. You must choose either 802.1X or PSK.
For Cisco OEAP 600, the TKIP
and AES security encryption settings must be identical for WPA and WPA2.
If you chose PSK in
Step 7, choose
HEX from the PSK
Format drop-down list and then enter a preshared key in the blank text box. WPA
preshared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal
parameter is a set-only parameter. The value set for the PSK key is not visible
to the user for security reasons. For example, if you selected HEX as the key
format when setting the PSK key, and later when you view the parameters of this
WLAN, the value shown is the default value. The default is ASCII.
Apply to commit
Configuration to save your changes.
Configuring WPA1+WPA2 (CLI)
Disable the WLAN by entering
disable WPA for the WLAN by entering this command:
The default values are TKIP
for WPA1 and AES for WPA2.
You can enable or disable TKIP encryption only using the CLI. Configuring TKIP encryption is not supported in GUI.
When you have VLAN configuration on WGB, you need to configure the encryption cipher mode and keys for a particular VLAN, for example,
encryption vlan 80 mode ciphers tkip. Then, you need configure the encryption cipher mode globally on the multicast interface by entering the following command:
encryption mode ciphers tkip.
Enable or disable 802.1X, PSK, or CCKM authenticated key management by entering this command:
If you enabled WPA2 with 802.1X authenticated key management or WPA1 or WPA2 with CCKM authenticated key management, the PMK cache lifetime timer is used to trigger reauthentication with the client when necessary. The timer is based on the timeout value received from the AAA server or the WLAN session timeout setting. To see the amount of time remaining before the timer expires, enter this command:
If you enabled WPA2 with 802.1X authenticated key management, the controller supports both opportunistic PMKID caching and sticky (or non-opportunistic) PMKID caching. In sticky PMKID caching (SKC), the client stores multiple PMKIDs, a different PMKID for every AP it associates with. Opportunistic PMKID caching (OKC) stores only one PMKID per client. By default, the controller supports OKC.