Cisco Systems OL-6217-01 manual Fast Secure Roaming with Cckm

Page 31

Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide

Implementing the Cisco SWAN Framework

The tunnel source, the network attributes and state, the registered access points (the tunnel end-points for the mobility group), and the registered mobile nodes in the mobility group are shown:

sup720# show mobility network 4
Wireless Network ID: 4
Wireless Tunnel Source IP Address: 10.100.4.1
Wireless Network Attributes: Trusted
Wireless Network State: Up

Registered Access Point on Wireless Network 4:
AP IP Address     AP Mac Address      Wireless Network-ID
---------------   ------------------  -------------------
10.200.20.49      000b.fcfb.e836      4

Registered Mobile Nodes on Wireless Network 4:
MN Mac Address      MN IP Address      AP IP Address     Wireless Network-ID
------------------  -----------------  ----------------  ----------------------
0004.e28b.2c28      172.16.4.3         10.200.20.49      4
00d0.59c8.60e1      172.16.4.2         10.200.20.49      4

Fast Secure Roaming with CCKM

WLAN clients are by definition mobile. The WLAN industry has standardized on IEEE 802.1X with EAP authentication for secure authorization and access to the WLAN. The inherent mobility of WLAN clients creates significant challenges in managing client authentications and encryption keys within the 802.1X/EAP authentication framework: clients must be re-authenticated as they move their association from one access point to another, and new dynamic encryption keys must be generated for each new association. As clients roam, this re-authentication and key generation must be fast enough that service is not disrupted, while WLAN client and network integrity and security are maintained.

Cisco addresses fast secure roaming within the Cisco SWAN framework with a key management scheme called Cisco Centralized Key Management (CCKM). CCKM requires that an 802.1X with EAP authentication scheme is in place and that the client device supports CCKM.

The basic concept is that the WDS maintains context awareness of all MNs within its WLAN control domain. The WDS proxies the initial 802.1X/EAP authentication transaction with the RADIUS server and manages a master set of encryption keys; after that initial authentication, the MN independently derives the same master keys. When the MN roams to a new access point within the WLAN control domain, the WDS vouches for the MN to the new access point and derives new encryption keys for that access point to use, and the MN derives the same new keys on its side. The roam therefore does not require a full 802.1X/EAP re-authentication against the RADIUS server, so the MN can roam seamlessly within the WLAN control domain. CCKM includes protections against common attack vectors such as spoofing, replay, and man-in-the-middle attacks.
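The following model makes the key flow described above concrete. It is an added illustration written for this page, not Cisco's CCKM algorithm and not code from the SWAN guide: the real CCKM key names, derivation inputs and message formats are out of scope for this document, so the WDS and MN classes, the derive_roam_key function, the "roam-key" label, the rekey counter and the second AP MAC address are all assumptions made here. What the model preserves is the shape of the scheme: one master key from the initial 802.1X/EAP authentication, held by the WDS and derived independently by the MN, from which both sides derive a fresh per-AP key on each roam without going back to RADIUS, bound to the MN and AP identities and to a counter so that a replayed reassociation or an unknown MN is refused.

```python
import hashlib
import hmac
import secrets

# Hypothetical derivation label; CCKM's real labels are not given in this guide.
ROAM_LABEL = b"roam-key"


def derive_roam_key(master_key, mn_mac, ap_mac, rekey_counter):
    """Derive a per-AP session key from the master key (illustrative KDF).

    HMAC-SHA256 over a length-prefixed encoding of the MN MAC, AP MAC and the
    rekey counter. Binding both identities means a key derived for one AP is
    useless at another (spoofing), and the counter makes each roam produce a
    fresh key and lets the WDS detect a replayed reassociation.
    """
    fields = [mn_mac, ap_mac, rekey_counter.to_bytes(4, "big")]
    msg = ROAM_LABEL + b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(master_key, msg, hashlib.sha256).digest()


class WDS:
    """Wireless Domain Services: keeps context for every MN it authenticated."""

    def __init__(self):
        self._mns = {}  # mn_mac -> {"master": bytes, "counter": int}

    def register_after_eap(self, mn_mac, master_key):
        # In the real framework this key material comes out of the 802.1X/EAP
        # exchange the WDS proxied to the RADIUS server; here it is handed in.
        self._mns[mn_mac] = {"master": master_key, "counter": 0}

    def vouch(self, mn_mac, ap_mac, rekey_counter):
        """Called by the new AP when an MN reassociates.

        Returns the key the AP should use, or None when the WDS will not vouch:
        unknown MN (full 802.1X/EAP authentication is needed instead) or a
        counter that does not advance (replayed or out-of-order reassociation).
        """
        rec = self._mns.get(mn_mac)
        if rec is None:
            return None
        if rekey_counter <= rec["counter"]:
            return None
        rec["counter"] = rekey_counter
        return derive_roam_key(rec["master"], mn_mac, ap_mac, rekey_counter)


class MN:
    """Mobile node: derives the same keys locally, with no RADIUS round trip."""

    def __init__(self, mac, master_key):
        self.mac = mac
        self._master = master_key
        self._counter = 0

    def reassociate(self, ap_mac):
        self._counter += 1
        key = derive_roam_key(self._master, self.mac, ap_mac, self._counter)
        return self._counter, key


def simulate_roam():
    """Walk one MN through initial authentication, two roams and a replay."""
    mn_mac = bytes.fromhex("0004e28b2c28")  # MN from the show output above
    ap1 = bytes.fromhex("000bfcfbe836")     # AP from the show output above
    ap2 = bytes.fromhex("020000000002")     # constructed second AP (assumed)
    master = secrets.token_bytes(32)        # stands in for the EAP-derived key

    wds = WDS()
    wds.register_after_eap(mn_mac, master)
    mn = MN(mn_mac, master)

    # Roam to AP1: the AP asks the WDS to vouch; the MN derives the key itself.
    ctr1, mn_key1 = mn.reassociate(ap1)
    ap1_key = wds.vouch(mn_mac, ap1, ctr1)

    # Roam to AP2: a fresh key that differs from the AP1 key.
    ctr2, mn_key2 = mn.reassociate(ap2)
    ap2_key = wds.vouch(mn_mac, ap2, ctr2)

    # Replay of the AP1 reassociation: the counter does not advance, so refused.
    replay = wds.vouch(mn_mac, ap1, ctr1)

    # Unknown MN (constructed MAC): nobody can vouch, full EAP is required.
    stranger = wds.vouch(bytes.fromhex("020000000001"), ap1, 1)

    return {
        "ap1_match": ap1_key == mn_key1,
        "ap2_match": ap2_key == mn_key2,
        "keys_differ": mn_key1 != mn_key2,
        "replay_rejected": replay is None,
        "unknown_rejected": stranger is None,
    }


if __name__ == "__main__":
    for check, ok in simulate_roam().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point to take from the model is the division of labor: the RADIUS server is consulted once, at initial authentication, and everything after that is a derivation both the WDS and the MN can do from state they already hold, which is what makes the roam fast while still refusing replays and unvouched clients.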

This section focuses on what needs to be configured to use CCKM. The details and theory of operations for CCKM are beyond the scope of this document. The configuration tasks required to use CCKM are as follows:

Configure the WDS for 802.1X client authentication

Configure the access point to use CCKM

Configure the WLAN client device if necessary

The details of configuring the WDS for client authentication are covered in the “Implementing the Cisco SWAN Framework” section on page 13, specifically in the sections on configuring the WDS-host devices.
