Cckm Fast Secure Roaming; Reporting Access Points That Fail Leap Authentication - Cisco Aironet CB21AG Installation And Configuration Manual

Setting Security Parameters

CCKM Fast Secure Roaming

Some applications that run on a client device may require fast roaming between access points. Voice
applications, for example, require it to prevent delays and gaps in conversation. CCKM fast secure
roaming is enabled automatically for CB21AG and PI21AG clients using WPA/WPA2/CCKM with
LEAP, EAP-FAST, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2). However, this feature
must be enabled on the access point.
During normal operation, EAP-enabled clients mutually authenticate with a new access point by
performing a complete EAP authentication, including communication with the main RADIUS server.
However, when you configure your wireless LAN for CCKM fast secure roaming, EAP-enabled clients
securely roam from one access point to another without the need to reauthenticate with the RADIUS
server. Using Cisco Centralized Key Management (CCKM), an access point that is configured for
wireless domain services (WDS) uses a fast rekeying technique that enables Cisco client devices to roam
from one access point to another typically in under 150 milliseconds (ms). CCKM fast secure roaming
ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP
(VoIP), enterprise resource planning (ERP), or Citrix-based solutions.
Note If you want to enable CCKM fast secure roaming on the client adapter, you must choose the
WPA/WPA2/CCKM security option on the Profile Management (Security) window, regardless of
whether you want the adapter to use WPA or WPA2. The configuration of the access point to which your
client adapter associates determines whether CCKM will be used with 802.1x, WPA, or WPA2.
Access points must use Cisco IOS Release 12.2(11)JA or later to enable CCKM fast secure roaming.
Note
Refer to the documentation for your access point for instructions on enabling this feature.
The Microsoft Wireless Configuration Manager and the Microsoft 802.1X supplicant, if installed, must
Note
be disabled in order for CCKM fast secure roaming to operate correctly. If your computer is running
Windows XP and you chose to configure your client adapter using ADU during installation, these
features should already be disabled. Similarly, if your computer is running Windows 2000, the Microsoft
802.1X supplicant, if installed, should already be disabled. Refer to
information.

Reporting Access Points that Fail LEAP Authentication

The CB21AG and PI21AG client adapters and the following access point firmware versions support a
feature that is designed to detect access points that fail LEAP authentication:
•
•
•
•
•
•
An access point running one of these firmware versions records a message in the system log when the
client discovers and reports another access point in the wireless network that has failed LEAP
authentication.
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide
5-20
12.00T or later (access points running VxWorks)
Cisco IOS Release 12.2(4)JA or later (1100 series access points)
Cisco IOS Release 12.2(8)JA or later (1200 series access points)
Cisco IOS Release 12.2(13)JA or later (350 series access points)
Cisco IOS Release 12.3(4)JA (1130 series and BR 1310 series access points)
Cisco IOS Release 12.3(7)JA (1240 series access points)
Chapter 5 Configuring the Client Adapter
Chapter 10 if you need additional
OL-4211-05