Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide

Implementing the Cisco SWAN Framework

The following output shows the tunnel source, the network attributes and state, the registered access points (tunnel end-points) for the mobility group, and the registered mobile nodes in the mobility group:

sup720# show mobility network 4
Wireless Network ID: 4
Wireless Tunnel Source IP Address: 10.100.4.1
Wireless Network Attributes: Trusted
Wireless Network State: Up
Registered Access Point on Wireless Network 4:

AP IP Address      AP Mac Address      Wireless Network-ID
---------------    ------------------  -------------------
10.200.20.49       000b.fcfb.e836      4

Registered Mobile Nodes on Wireless Network 4:

MN Mac Address      MN IP Address      AP IP Address      Wireless Network-ID
------------------  -----------------  ----------------   ----------------------
0004.e28b.2c28      172.16.4.3         10.200.20.49       4
00d0.59c8.60e1      172.16.4.2         10.200.20.49       4
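As an added example (not part of this guide or of Cisco IOS), the following Python parser reads output shaped like the show mobility network display above and audits it: it confirms the tunnel is Up and that every registered mobile node is bound to an access point that is itself registered on the same wireless network. The sample text, the regexes and the field names are constructed assumptions modelled on the display above.

```python
import re

# Constructed sample shaped like the "show mobility network 4" output above.
SAMPLE = """\
Wireless Network ID: 4
Wireless Tunnel Source IP Address: 10.100.4.1
Wireless Network Attributes: Trusted
Wireless Network State: Up
Registered Access Point on Wireless Network 4:
AP IP Address      AP Mac Address      Wireless Network-ID
---------------    ------------------  -------------------
10.200.20.49       000b.fcfb.e836      4
Registered Mobile Nodes on Wireless Network 4:
MN Mac Address      MN IP Address      AP IP Address      Wireless Network-ID
------------------  -----------------  ----------------   ----------------------
0004.e28b.2c28      172.16.4.3         10.200.20.49       4
00d0.59c8.60e1      172.16.4.2         10.200.20.49       4
"""
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"      # Cisco dotted-hex MAC form
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
AP_ROW = re.compile(rf"^\s*({IPV4})\s+({MAC})\s+(\d+)\s*$")
MN_ROW = re.compile(rf"^\s*({MAC})\s+({IPV4})\s+({IPV4})\s+(\d+)\s*$")

def parse_mobility_network(text):
    """Split the output into header fields plus the AP and MN tables."""
    net = {"aps": [], "mns": []}
    for line in text.splitlines():
        if ":" in line and not line.rstrip().endswith(":"):
            key, _, value = line.partition(":")       # "Field: value" header line
            net[key.strip()] = value.strip()
        elif m := AP_ROW.match(line):
            net["aps"].append({"ip": m[1], "mac": m[2], "net": int(m[3])})
        elif m := MN_ROW.match(line):
            net["mns"].append({"mac": m[1], "ip": m[2], "ap": m[3], "net": int(m[4])})
    return net

def audit(net):
    """Return findings an operator would want to check before trusting the group."""
    net_id = int(net["Wireless Network ID"])
    findings = []
    if net.get("Wireless Network State") != "Up":
        findings.append("tunnel state is not Up")
    ap_ips = {ap["ip"] for ap in net["aps"]}
    for mn in net["mns"]:
        if mn["ap"] not in ap_ips:           # MN bound to an AP that is not in the group
            findings.append(f"MN {mn['mac']} is on unregistered AP {mn['ap']}")
        if mn["net"] != net_id:
            findings.append(f"MN {mn['mac']} reports network {mn['net']}, expected {net_id}")
    return findings
```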

Fast Secure Roaming with CCKM

WLAN clients are by definition mobile. The WLAN industry has standardized on IEEE 802.1X with EAP authentication for secure authorization and access to the WLAN. The inherent mobility of WLAN clients creates significant challenges in managing WLAN client authentications and encryption keys within the 802.1X/EAP authentication framework. Significant problems arise in handling the re-authentication of WLAN clients (as they move their associations from one access point to another) and in generating dynamic encryption keys for these clients. As clients roam, re-authentication and dynamic key generation must be fast enough that service is not disrupted, while WLAN client and network integrity and security are maintained.

Cisco has addressed the challenge of fast secure roaming within the Cisco SWAN framework by defining a key management scheme called CCKM. CCKM works with whatever 802.1X with EAP authentication scheme is in place, as long as the client device supports CCKM.

The basic concept is that the WDS maintains context awareness of all MNs within its WLAN control domain. The WDS proxies initial authentication transactions with the RADIUS server and manages a master set of encryption keys. The MN generates the same set of encryption keys independently after initial authentication. When the MN roams to a new access point within the WLAN control domain, the WDS can vouch for the MN on the new access point and generate new encryption keys for the access point to use. The MN independently generates the same new encryption keys when it roams. The MN can thus roam seamlessly within the WLAN control domain. CCKM includes protections against common attack vectors like spoofing, replay attacks, or man-in-the-middle attacks.

This section focuses on what needs to be configured to use CCKM. The details and theory of operations for CCKM are beyond the scope of this document. The configuration tasks required to use CCKM are as follows:

Configure the WDS for 802.1X client authentication

Configure the access point to use CCKM

Configure the WLAN client device if necessary

The details of configuring the WDS for client authentication are covered in the “Implementing the Cisco SWAN Framework” section on page 13, specifically in the sections on configuring the WDS-host devices.

OL-6217-01

31