Ah, I didn't even think about CCKM requiring WDS but that makes perfect sense when you think of the need to distribute keys. That's a good nugget to keep in mind – if the requirement is for CCKM with multiple autonomous APs then it's inherently asking for WDS as well.
And good note on 'network eap', thanks for the reminder.

Thanks Jeff

From: Jeff Rensink <[email protected]>
Date: Monday, February 10, 2014 10:08 AM
To: Jay Killion <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] AAP - WGB not compatible with CCKM?

I would suggest two things.

First, any time you do AP to AP associations, I recommend configuring the "authentication network-eap" command. I don't think that's the issue here, as it works without the CCKM option. But go ahead and put it in.

Second, you need to have WDS operating for CCKM to work in the autonomous world. I'm guessing that this is your issue.

I replicated your scenario and with WDS, the WGB never even showed up in the associations list. Once I got WDS working on the root AP, it worked.

Here is my config under the SSID on the root.

   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2 cckm

and the association details (once WDS was running)

AAP1#sho dot11 ass acf2.c5ea.cac2
Address           : acf2.c5ea.cac2     Name             : AAP2
IP Address        : 10.10.110.101      Interface        : Dot11Radio 0
Device            : WGB                Software Version : NONE
CCX Version       : 5                  Client MFP       : Off
State             : EAP-Assoc          Parent           : self
SSID              : fork-01
VLAN              : 17
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : CCKM               Encryption       : AES-CCMP
Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot

Regards,
Jeff Rensink : Sr Instructor : iPexpert<http://www.ipexpert.com/>
CCIE # 24834 :: Wireless / R&S :: World-Class Cisco Certification Training
Direct: +1.810.326.1444
:: Free Videos<http://www.youtube.com/ipexpertinc> :: Free Training / Product Offerings<http://www.facebook.com/ipexpert> :: CCIE Blog<http://blog.ipexpert.com/> :: Twitter<http://www.twitter.com/ipexpert>

On Mon, Feb 10, 2014 at 9:38 AM, Jay Killion (jakillio) <[email protected]> wrote:

Hi all -

I'm going back through WB1 and have hit an interesting issue with lab 3.12. It's a basic WGB lab with the requirement to "ensure only Cisco clients can associate" - which leads to CCKM. I configure the SSID as follows -

dot11 ssid WGB-01
   vlan 11
   authentication open eap eap_methods
   authentication key-management wpa version 2 cckm

With this configuration, I can't even get the WGB to associate. But simply remove "cckm" from the authentication key and everything immediately begins working. Something I'm missing? If CCKM can't be used, how else would you only allow Cisco clients?

Here's an example of what I see on the root.

(Set auth to WPA2 only - Working)

AAP1(config)#dot11 ss WGB-01
AAP1(config-ssid)#auth k w v 2
AAP1(config-ssid)#
AAP1#sh dot11 ass

802.11 Client Stations on Dot11Radio0:

SSID [WGB-01] :

MAC Address    IP address      Device        Name            Parent         State
0024.c4a1.e852 10.10.110.101   WGB           AAP2            self           EAP-Assoc
2477.033d.da08 0.0.0.0         ccx-client    AAP1            self           AAA_Auth

(Set auth to WPA2/CCKM – AAP2 drops and won't associate)

AAP1(config)#dot11 ss WGB-01
AAP1(config-ssid)#auth k w v 2 c
AAP1#sh dot11 ass
AAP1#

Thanks -
Jay Killion, CCIE #17873

_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc<http://www.youtube.com/ipexpertinc>
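The two points from the thread (CCKM on an autonomous root AP needs WDS, and AP-to-AP associations should carry "authentication network-eap") can be checked against a saved running-config. The script below is an added example, not part of the original messages; the sample configs are constructed, and the "wlccp wds" / "wlccp ap" lines used to detect WDS participation are an assumption about how WDS appears in the config, since the thread does not show them.

```python
import re

# Constructed sample: the SSID block from the original question, no WDS lines.
ROOT_NO_WDS = """\
dot11 ssid WGB-01
   vlan 11
   authentication open eap eap_methods
   authentication key-management wpa version 2 cckm
!
"""
# Constructed sample: the SSID lines from the reply, plus assumed WDS (wlccp) lines.
ROOT_WITH_WDS = """\
dot11 ssid fork-01
   vlan 17
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2 cckm
!
wlccp ap username wdsuser password example
wlccp wds priority 255 interface BVI1
"""

def ssid_blocks(config):
    """Map each 'dot11 ssid NAME' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any unindented line ends the SSID block
    return blocks

def lint_cckm(config):
    """Return (ssid, finding) pairs for SSIDs that enable CCKM."""
    # Assumption: WDS participation shows up as a global 'wlccp wds' or 'wlccp ap' line.
    has_wlccp = re.search(r"^wlccp (wds|ap) ", config, re.M) is not None
    findings = []
    for name, cmds in ssid_blocks(config).items():
        if not any(re.match(r"authentication key-management .*\bcckm\b", c) for c in cmds):
            continue
        if not has_wlccp:
            findings.append((name, "CCKM enabled but no WDS (wlccp) configuration found"))
        if not any(c.startswith("authentication network-eap") for c in cmds):
            findings.append((name, "no 'authentication network-eap' for AP-to-AP association"))
    return findings
```
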
