Fast Roaming (Cckm); Reporting Access Points That Fail Leap Or Eap-Fast Authentication - Cisco AIR-PCM352 - Aironet 350 Series 11Mbps Wireless LAN PC Card Adapter Installation And Configuration Manual

Overview of Security Features
Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following
Note
URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm

Fast Roaming (CCKM)

Some applications that run on a client device may require fast roaming between access points. Voice
applications, for example, require seamless roaming to prevent delays and gaps in conversation. Support
for fast roaming is available for LEAP- or EAP-FAST-enabled clients in firmware version 5.40.10 or
later.
During normal operation, LEAP- or EAP-FAST-enabled clients mutually authenticate with a new access
point by performing a complete LEAP or EAP-FAST authentication, including communication with the
main RADIUS server. However, when you configure your wireless LAN for fast roaming, LEAP- or
EAP-FAST-enabled clients securely roam from one access point to another without the need to
reauthenticate with the RADIUS server. Using Cisco Centralized Key Management (CCKM), an access
point that is configured for wireless domain services (WDS) uses a fast rekeying technique that enables
client devices to roam from one access point to another in under 150 milliseconds (ms). Fast roaming
ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP
(VoIP), enterprise resource planning (ERP), or Citrix-based solutions.
This feature does not need to be enabled on the client adapter; it is supported automatically in client
adapter firmware version 5.40.10 or later. However, it must be enabled on the access point.
Access points must use Cisco IOS Release 12.2(11)JA or later to enable fast roaming. Refer to the
Note
documentation for your access point for instructions on enabling this feature.

Reporting Access Points that Fail LEAP or EAP-FAST Authentication

The following client adapter and access point firmware versions support a feature that is designed to
detect access points that fail LEAP or EAP-FAST authentication:
•
•
•
An access point running one of these firmware versions records a message in the system log when a
client running one of these firmware versions discovers and reports another access point in the wireless
network that has failed LEAP or EAP-FAST authentication.
The process takes place as follows:
1.
2.
3.
4.
Cisco Aironet 350 Series Wireless LAN Client Adapters Installation and Configuration Guide for Windows CE
5-14
Client adapter firmware version 5.40.10 or later
12.00T or later (340, 350, and 1200 series access points)
Cisco IOS Release 12.2(4)JA or later (1100 series access points)
A client with a LEAP or EAP-FAST profile attempts to associate to access point A.
Access point A does not handle LEAP or EAP-FAST authentication successfully, perhaps because
the access point does not understand LEAP or EAP-FAST or cannot communicate to a trusted LEAP
or EAP-FAST authentication server.
The client records the MAC address for access point A and the reason why the association failed.
The client associates successfully to access point B.
Chapter 5 Configuring the Client Adapter
OL-1375-04