Cisco Structured
Implementing the Cisco SWAN Framework
The tunnel source, network attributes and state, registered access points with tunnel
sup720# show mobility network 4 Wireless Network ID: 4
Wireless Tunnel Source IP Address: 10.100.4.1
Wireless Network Attributes: Trusted
Wireless Network State: Up
Registered Access Point on Wireless Network 4: |
| ||
AP IP Address | AP Mac Address | Wireless |
|
10.200.20.49 | 000b.fcfb.e836 | 4 |
|
Registered Mobile Nodes on Wireless Network 4: |
| ||
MN Mac Address | MN IP Address | AP IP Address Wireless | |
0004.e28b.2c28 | 172.16.4.3 | 10.200.20.49 | 4 |
00d0.59c8.60e1 | 172.16.4.2 | 10.200.20.49 | 4 |
Fast Secure Roaming with CCKM
WLAN clients by definition are mobile. The WLAN industry has standardized the IEEE 802.1X with EAP authentication for secure authorization and access to the WLAN. The inherent mobility of WLAN clients creates significant challenges in managing WLAN client authentications and encryption keys within the 802.1X/EAP authentication framework. Significant problems arise from handling the
Cisco has addressed the challenge of fast secure roaming within the Cisco SWAN framework by defining a key management scheme called CCKM. CCKM works when an 802.1X with EAP authentication scheme is in place, as long as the client device supports it.
The basic concept is that the WDS maintains context awareness of all MNs within its WLAN control domain. The WDS proxies initial authentication transactions with the RADIUS server and manages a master set of encryption keys. The MN generates the same set of encryption keys independently after initial authentication. When the MN roams to a new access point within the WLAN control domain, the WDS can vouch for the MN on the new access point and generate new encryption keys for the access point to use. The MN independently generates the same new encryption keys when it roams. The MN can thus roam seamlessly within the WLAN control domain. CCKM includes protections against common attack vectors like spoofing, replay attacks, or
This section focuses on what needs to be configured to use CCKM. The details and theory of operations for CCKM are beyond the scope of this document. The configuration tasks required to use CCKM are as follows:
•Configure the WDS for 802.1X client authentication
•Configure the access point to use CCKM
•Configure the WLAN client device if necessary
The details of configuring the WDS for client authentication are covered in the “Implementing the Cisco SWAN Framework” section on page 13," specifically in the sections on configuring the
Cisco Structured
| 31 |
| |
|
|