I would suggest two things. First, any time you do AP to AP associations, I recommend configuring the "authentication network-eap" command. I don't think that's the issue here, as it works without the CCKM option. But go ahead and put it in.
Second, you need to have WDS operating for CCKM to work in the autonomous world. I'm guessing that this is your issue. I replicated your scenario and with WDS, the WGB never even showed up int the associations list. ONce I got WDS working on the root AP, it worked. Here is my config under the SSID on the root. authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa version 2 cckm and the association details (once WDS was running) AAP1#sho dot11 ass acf2.c5ea.cac2 Address : acf2.c5ea.cac2 Name : AAP2 IP Address : 10.10.110.101 Interface : Dot11Radio 0 Device : *WGB *Software Version : NONE CCX Version : 5 Client MFP : Off State : *EAP-Assoc * Parent : self SSID : fork-01 VLAN : 17 Hops to Infra : 1 Association Id : 1 Clients Associated: 0 Repeaters associated: 0 Tunnel Address : 0.0.0.0 Key Mgmt type : *CCKM *Encryption : AES-CCMP Current Rate : 48.0 Capability : WMM ShortHdr ShortSlot Regards, Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/> CCIE # 24834 :: Wireless / R&S :: World-Class Cisco Certification Training Direct: +1.810.326.1444 :: Free Videos <http://www.youtube.com/ipexpertinc> :: Free Training / Product Offerings <http://www.facebook.com/ipexpert> :: CCIE Blog <http://blog.ipexpert.com/> :: Twitter <http://www.twitter.com/ipexpert> On Mon, Feb 10, 2014 at 9:38 AM, Jay Killion (jakillio) <[email protected]>wrote: > Hi all - > > I'm going back through WB1 and have hit an interesting issue with lab > 3.12. It's a basic WGB lab with the requirement to "ensure only Cisco > clients can associate" - which leads to CCKM. I configure the SSID as > follows - > > dot11 ssid WGB-01 > vlan 11 > authentication open eap eap_methods > authentication key-management wpa version 2 cckm > > With this configuration, I can't even get the WGB to associate. But > simply remove "cckm" from the authentication key and everything immediately > begins working. Something I'm missing? If CCKM can't be used, how else > would you only allow Cisco clients? > > Here's an example of what I see on the root. > > *(Set auth to WPA2 only - Working)* > AAP1(config)#dot11 ss WGB-01 > AAP1(config-ssid)#auth k w v 2 > AAP1(config-ssid)# > > AAP1#sh dot11 ass > > 802.11 Client Stations on Dot11Radio0: > > SSID [WGB-01] : > > MAC Address IP address Device Name Parent > State > 0024.c4a1.e852 10.10.110.101 WGB AAP2 self > EAP-Assoc > 2477.033d.da08 0.0.0.0 ccx-client AAP1 self > AAA_Auth > > > *(Set auth to WPA2/CCKM - AAP2 drops and won't associate)* > AAP1(config)#dot11 ss WGB-01 > AAP1(config-ssid)#auth k w v 2 c > > AAP1#sh dot11 ass > AAP1# > > Thanks - > > Jay Killion, CCIE #17873 > > _______________________________________________ > Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: > > iPexpert on YouTube: www.youtube.com/ipexpertinc >
_______________________________________________ Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
