Information about Opportunistic Key Caching
Opportunistic Key Caching (OKC) is an enhancement of the WPA2 Pairwise Master Key ID (PMKID) caching method, which is why it is also called Proactive or Opportunistic PMKID Caching. Like PMKID caching, OKC works only with WPA2-EAP (802.1X key management), because the key that gets cached is the PMK produced by the EAP exchange.
With OKC, the wireless client and the WLAN infrastructure cache a single PMK for the client's association with a WLAN and keep using it while the client roams between APs, because every AP under the same controller shares that original PMK. The PMK is the input to the WPA2 4-way handshake, which still runs on every reassociation to derive fresh encryption keys for the new AP; what OKC skips is the full 802.1X/EAP exchange. The client signals that it holds a cached PMK by including, in its reassociation request, the PMKID it computes for the target AP, and the controller checks that PMKID against the shared PMK. For the APs to share the PMK from a client session, they must all sit under a centralized device that caches the original PMK and distributes it to every AP.
As with PMKID caching, the initial association to an AP is a regular first-time authentication to the WLAN: the client must complete the full 802.1X/EAP authentication against the authentication server, and then the 4-way handshake for key generation, before it can send data frames.
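The following is an added example, not code from the Cisco documentation or from the controller software. It models the roaming decision described above in Python: one PMK cached per client session, a per-AP PMKID derived from it with the HMAC-SHA1-128 construction IEEE 802.11 specifies for the WPA2 802.1X AKM (HMAC-SHA1 over "PMK Name" || AP MAC || client MAC, truncated to 16 bytes), and a controller that either recomputes the PMKID for any of its APs (OKC enabled) or only accepts a PMKID that was actually established at that AP (plain PMKID caching, the OKC-disabled case). The PMK, MAC addresses and the `Controller`, `pmkid` and `roam_sequence` names are constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample values, not taken from any real network or from the
# Cisco documentation: the PMK that a completed 802.1X/EAP exchange would
# leave behind, the client's MAC (SPA) and the BSSIDs (AA) of three APs that
# sit under one controller.
PMK = bytes.fromhex("0f" * 32)                  # 256-bit PMK, constructed
CLIENT_MAC = bytes.fromhex("001122aabbcc")      # supplicant address, constructed
AP_BSSIDS = {                                   # authenticator addresses, constructed
    "ap-1": bytes.fromhex("00c0ca000001"),
    "ap-2": bytes.fromhex("00c0ca000002"),
    "ap-3": bytes.fromhex("00c0ca000003"),
}


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID as IEEE 802.11 defines it for the WPA2 802.1X AKM:
    HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), i.e. the first 16 bytes
    of the HMAC-SHA1 output. One PMK therefore yields a different PMKID
    for every AP the client talks to."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Controller:
    """Minimal model of a centralized WLC that holds one PMK per client
    session and answers (re)association requests for all of its APs."""

    def __init__(self, okc_enabled: bool) -> None:
        self.okc_enabled = okc_enabled
        self.pmk_by_client = {}     # SPA -> PMK shared by every AP under the WLC
        self.pmkid_cache = set()    # PMKIDs established by a full EAP exchange

    def full_eap_authentication(self, spa: bytes, aa: bytes, pmk: bytes) -> None:
        """Record the outcome of a full 802.1X/EAP exchange at AP `aa`."""
        self.pmk_by_client[spa] = pmk
        self.pmkid_cache.add(pmkid(pmk, aa, spa))

    def reassociation(self, spa: bytes, aa: bytes, offered_pmkid: bytes) -> str:
        """Decide what a (re)association to AP `aa` still requires.

        The client puts the PMKID it computed for `aa` into the RSN IE of its
        (re)association request. With OKC the controller recomputes the PMKID
        for this AP from the cached PMK, so any AP under the controller can
        match. With plain PMKID caching only a PMKID that was actually
        established at this AP is in the cache, so a new AP is a miss.
        Either way a hit only skips 802.1X/EAP; the 4-way handshake still runs
        and is what proves the client really holds the PMK."""
        pmk = self.pmk_by_client.get(spa)
        if pmk is None:
            return "full-eap"
        if self.okc_enabled:
            expected = pmkid(pmk, aa, spa)
            if hmac.compare_digest(expected, offered_pmkid):
                self.pmkid_cache.add(expected)
                return "4-way-handshake-only"
            return "full-eap"
        if offered_pmkid in self.pmkid_cache:
            return "4-way-handshake-only"
        return "full-eap"


def roam_sequence(okc_enabled: bool) -> list:
    """First association at ap-1, then roams to ap-2 and ap-3; returns what
    each (re)association required. A real EAP run would derive a fresh PMK;
    this model reuses the constructed PMK, which does not change the
    decision logic."""
    wlc = Controller(okc_enabled)
    outcomes = []
    for name in ("ap-1", "ap-2", "ap-3"):
        aa = AP_BSSIDS[name]
        # Before the first EAP exchange the client has no PMK and offers no PMKID.
        offered = pmkid(PMK, aa, CLIENT_MAC) if CLIENT_MAC in wlc.pmk_by_client else b""
        outcome = wlc.reassociation(CLIENT_MAC, aa, offered)
        if outcome == "full-eap":
            wlc.full_eap_authentication(CLIENT_MAC, aa, PMK)
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    for name, aa in AP_BSSIDS.items():
        print(name, pmkid(PMK, aa, CLIENT_MAC).hex())
    print("OKC enabled :", roam_sequence(True))
    print("OKC disabled:", roam_sequence(False))
```

Running it shows the difference the `okc` knob makes: with OKC enabled the client pays for one full EAP exchange and every later roam is handshake-only, while with OKC disabled each new AP is a cache miss and triggers a full EAP exchange again. Two details are worth keeping in mind when reasoning about the security of the fast path: the PMKID is bound to the AP and client MAC pair, so a cached PMKID offered at a different AP does not match, and the controller compares PMKIDs with `hmac.compare_digest` rather than `==` so the lookup does not leak timing. A station that offers a matching PMKID without holding the PMK gains nothing, because it cannot complete the 4-way handshake. This derivation applies to the WPA2 802.1X AKM; the SHA-256-based AKMs use HMAC-SHA-256 for the PMKID instead.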
OKC is a fast roaming technique supported by Microsoft Windows and some Android clients. Another fast roaming method is 802.11r (Fast BSS Transition), which is supported by Apple and a few Android clients. OKC is enabled by default on a WLAN, and the configuration described here controls OKC per WLAN. Disabling OKC on a WLAN disables it even for clients that support OKC.
Cisco IOS XE Amsterdam 17.2.1 introduces a per-WLAN configuration on the controller to enable or disable fast and secure roaming with OKC at the corresponding APs.
Enabling Opportunistic Key Caching (CLI)
Procedure
| Command or Action | Purpose |
|---|---|
| Step 1: configure terminal. Example: Device# configure terminal | Enters global configuration mode. |
| Step 2: wlan profile-name wlan-identifier ssid-network-name. Example: Device(config)# wlan 18%wlanprofile 18 san-ssid | Enters WLAN configuration submode. profile-name: profile name of the WLAN being configured. wlan-identifier: WLAN ID, in the range 1 to 4096. ssid-network-name: SSID advertised by the WLAN. |
| Step 3: okc. Example: Device(config-wlan)# okc | Enables Opportunistic Key Caching if it has been disabled. OKC is enabled by default. Use the no form of this command (no okc) to disable OKC on the WLAN. |
Enabling Opportunistic Key Caching (GUI)
Procedure
| Step | Action |
|---|---|
| Step 1 | Choose Configuration > Tags & Profiles > WLANs. |
| Step 2 | Click Add. The Add WLAN dialog box is displayed. |
| Step 3 | In the Add WLAN dialog box, click the Advanced tab and complete the following procedure: |
Verifying Opportunistic Key Caching
The following example shows how to verify whether OKC is enabled or disabled for a WLAN profile. In the output below, WLAN profile 18%wlanprofile (ID 18, SSID san-ssid) has OKC disabled: show wlan id reports OKC : Disabled, and the running configuration shows no okc under that WLAN.
```
Device# show wlan id 18

WLAN Profile Name     : 18%wlanprofile
================================================
Identifier                                     : 18
Description                                    :
Network Name (SSID)                            : san-ssid
Status                                         : Disabled
Broadcast SSID                                 : Enabled
Advertise-Apname                               : Disabled
Universal AP Admin                             : Disabled
Max Associated Clients per WLAN                : 0
Max Associated Clients per AP per WLAN         : 0
Max Associated Clients per AP Radio per WLAN   : 200
OKC                                            : Disabled
Number of Active Clients                       : 0
CHD per WLAN                                   : Enabled
WMM                                            : Allowed
Channel Scan Defer Priority:
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Disabled
Peer-to-Peer Blocking Action                   : Disabled
Radio Policy                                   : All
```

```
Device# show run wlan

wlan name 2 ssid-name
wlan test 24 test
wlan test2 15 test2
wlan test4 12 testssid
 radio dot11a
wlan wlan1 234 wlan1
wlan wlan2 14 wlan-aaa
 security dot1x authentication-list realm
wlan wlan7 27 wlan7
wlan test23 17 test23
wlan wlan_1 4 ssid_name
 security dot1x authentication-list authenticate_list_name
wlan wlan_3 5 ssid_3
 security wpa wpa1
 security wpa wpa1 ciphers aes
wlan wlan_8 9 ssid_name
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security web-auth
wlan test-wlan 23 test-wlan
wlan wlan-test 1 wlan2
 mac-filtering default
wlan 18%wlanprofile 18 san-ssid
 no okc
```