Opportunistic Key Caching

Information about Opportunistic Key Caching

Opportunistic Key Caching (OKC) is an enhancement of the WPA2 Pairwise Master Key ID (PMKID) caching method, which is why it is also named Proactive or Opportunistic PMKID Caching. Just like PMKID caching, OKC works with WPA2-EAP.

The OKC technique allows wireless clients and the WLAN infrastructure to cache only one PMK for a client's association with a WLAN, even when the client roams between multiple APs, because all of those APs share the original PMK that is used for the WPA2 4-way handshake. The 4-way handshake is still required to generate new encryption keys every time a client reassociates with an AP; only the 802.1X/EAP exchange that produced the PMK is skipped. For APs to share the original PMK from a client session, they must all be under a centralized device that caches the original PMK and distributes it to all the APs.

Just as in PMKID caching, the initial association to an AP is a regular first-time authentication to the corresponding WLAN: the client must complete the entire 802.1X/EAP authentication with the authentication server, and then the 4-way handshake for key generation, before it can send data frames.

OKC is a fast roaming technique supported by Microsoft and some Android clients. Another fast roaming method is 802.11r, which is supported by Apple and a few Android clients. OKC is enabled by default on a WLAN. This configuration controls OKC per WLAN. Disabling OKC on a WLAN disables OKC even for clients that support it.

A new configuration is introduced for each WLAN in the controller in Cisco IOS XE Amsterdam 17.2.1, to disable or enable fast and secure roaming with OKC at the corresponding AP.
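The following model, added here as an illustration and not taken from the Cisco guide or the controller's implementation, shows why one cached PMK can serve every AP under the controller: the client derives a per-AP PMKID from the cached PMK and the target AP's BSSID, and the AP can validate it only if the controller has already pushed that PMK to it; otherwise the client falls back to a full 802.1X/EAP exchange. The PMKID formula is the standard WPA2 one (HMAC-SHA1-128 over "PMK Name" || AA || SPA); the Controller and AP classes, MAC addresses and the random stand-in for the EAP-derived PMK are constructed assumptions.

```python
import hashlib
import hmac
import os

def pmkid(pmk, aa, spa):
    """WPA2 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); AA = AP BSSID, SPA = client MAC."""
    assert len(pmk) == 32 and len(aa) == 6 and len(spa) == 6
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

class AP:
    """Constructed model of one AP: it knows only the PMKs the controller pushed to it."""
    def __init__(self, bssid):
        self.bssid = bssid
        self.pmks = {}  # client MAC -> PMK

    def reassociate(self, spa, offered_pmkid):
        """Next step the AP requires after a (re)association request carrying a PMKID."""
        pmk = self.pmks.get(spa)
        if pmk is None or not hmac.compare_digest(pmkid(pmk, self.bssid, spa), offered_pmkid):
            return "full-eap"        # no usable cached PMK: full 802.1X/EAP again
        return "4-way-handshake"     # PMK known: only a fresh PTK is derived

class Controller:
    """Constructed model of the WLC PMK cache: with OKC the PMK goes to every AP,
    with plain PMKID caching only to the AP that completed the EAP exchange."""
    def __init__(self, okc_enabled, aps):
        self.okc_enabled = okc_enabled
        self.aps = aps

    def full_eap_auth(self, spa, ap):
        pmk = os.urandom(32)  # stands in for the PMK that 802.1X/EAP produces
        for target in (self.aps if self.okc_enabled else [ap]):
            target.pmks[spa] = pmk
        return pmk

def roam(client_pmk, spa, ap):
    """Client side: derive the PMKID for the target AP from the cached PMK and offer it."""
    return ap.reassociate(spa, pmkid(client_pmk, ap.bssid, spa))

def simulate(okc_enabled):
    """Full EAP on AP1, then reassociate to AP1 and roam to AP2 with the cached PMK."""
    ap1 = AP(bytes.fromhex("0011223344aa"))  # constructed BSSIDs
    ap2 = AP(bytes.fromhex("0011223344bb"))
    spa = bytes.fromhex("66778899ccdd")      # constructed client MAC
    wlc = Controller(okc_enabled, [ap1, ap2])
    pmk = wlc.full_eap_auth(spa, ap1)
    return roam(pmk, spa, ap1), roam(pmk, spa, ap2)
```

With OKC enabled, `simulate(True)` shows the roam to AP2 needing only the 4-way handshake; with OKC disabled, `simulate(False)` shows the same roam falling back to a full EAP exchange because AP2 never received the PMK.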

Enabling Opportunistic Key Caching

Procedure

Step 1: configure terminal

Example:
Device# configure terminal

Purpose: Enters global configuration mode.

Step 2: wlan profile-name wlan-identifier <1-4096> ssid-network-name

Example:
Device(config)# wlan wlan-profile-name 18 san-ssid

Purpose: Enters WLAN configuration submode. wlan-profile-name: Profile name of the configured WLAN.

Step 3: okc

Example:
Device(config-wlan)# okc

Purpose: Enables Opportunistic Key Caching, if not already enabled. OKC is enabled by default; use the no form of this command (no okc) to disable it.

Verifying Opportunistic Key Caching

The following examples show how to verify the OKC status of a WLAN profile; in both outputs OKC is disabled for the profile.

Device# show wlan id 18
WLAN Profile Name     : 18%wlanprofile
================================================
Identifier                                     : 18
Description                                    :
Network Name (SSID)                            : san-ssid
Status                                         : Disabled
Broadcast SSID                                 : Enabled
Advertise-Apname                               : Disabled
Universal AP Admin                             : Disabled
Max Associated Clients per WLAN                : 0
Max Associated Clients per AP per WLAN         : 0
Max Associated Clients per AP Radio per WLAN   : 200
OKC                                            : Disabled
Number of Active Clients                       : 0
CHD per WLAN                                   : Enabled
WMM                                            : Allowed
Channel Scan Defer Priority:
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Disabled
Peer-to-Peer Blocking Action                   : Disabled
Radio Policy                                   : All

Device# show run wlan
wlan name 2 ssid-name
wlan test 24 test
wlan test2 15 test2
wlan test4 12 testssid
 radio dot11a
wlan wlan1 234 wlan1
wlan wlan2 14 wlan-aaa
 security dot1x authentication-list realm
wlan wlan7 27 wlan7
wlan test23 17 test23
wlan wlan_1 4 ssid_name
 security dot1x authentication-list authenticate_list_name
wlan wlan_3 5 ssid_3
 security wpa wpa1
 security wpa wpa1 ciphers aes
wlan wlan_8 9 ssid_name
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security web-auth
wlan test-wlan 23 test-wlan
wlan wlan-test 1 wlan2
 mac-filtering default
wlan 18%wlanprofile 18 san-ssid
 no okc