Even if you only have 1 AP, and it has an SSID that needs to support CCKM,
that 1 AP needs to be a WDS and register to itself as an AP.  The WGB does
not need to participate in WDS in this scenario as it's just a client.

Regards,



Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/>

CCIE # 24834 :: Wireless / R&S

:: World-Class Cisco Certification Training

Direct: +1.810.326.1444

:: Free Videos <http://www.youtube.com/ipexpertinc>

:: Free Training / Product Offerings <http://www.facebook.com/ipexpert>

:: CCIE Blog <http://blog.ipexpert.com/>
:: Twitter <http://www.twitter.com/ipexpert>


On Mon, Feb 10, 2014 at 1:19 PM, Jay Killion (jakillio)
<[email protected]> wrote:

>  Ah, I didn't even think about CCKM requiring WDS but that makes perfect
> sense when you think of the need to distribute keys.  That's a good nugget
> to keep in mind - if the requirement is for CCKM with multiple autonomous
> AP's then it's inherently asking for WDS as well.
>
>  And good note on 'network eap', thanks for the reminder.
>
>  Thanks Jeff
>
>   From: Jeff Rensink <[email protected]>
> Date: Monday, February 10, 2014 10:08 AM
> To: Jay Killion <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Wireless] AAP - WGB not compatible with CCKM?
>
>   I would suggest two things.
>
>  First, any time you do AP to AP associations, I recommend configuring
> the "authentication network-eap" command.  I don't think that's the issue
> here, as it works without the CCKM option.  But go ahead and put it in.
>
>  Second, you need to have WDS operating for CCKM to work in the
> autonomous world.  I'm guessing that this is your issue. I replicated your
> scenario and with WDS, the WGB never even showed up in the associations
> list.  Once I got WDS working on the root AP, it worked.  Here is my config
> under the SSID on the root.
>
>    authentication open eap eap_methods
>    authentication network-eap eap_methods
>    authentication key-management wpa version 2 cckm
>
>  and the association details (once WDS was running)
>
>  AAP1#sho dot11 ass acf2.c5ea.cac2
> Address           : acf2.c5ea.cac2     Name             : AAP2
> IP Address        : 10.10.110.101      Interface        : Dot11Radio 0
> Device            : WGB                Software Version : NONE
> CCX Version       : 5                  Client MFP       : Off
>
> State             : EAP-Assoc          Parent           : self
>
> SSID              : fork-01
> VLAN              : 17
> Hops to Infra     : 1                  Association Id   : 1
> Clients Associated: 0                  Repeaters associated: 0
> Tunnel Address    : 0.0.0.0
> Key Mgmt type     : CCKM               Encryption       : AES-CCMP
> Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot
>
>  Regards,
>
> On Mon, Feb 10, 2014 at 9:38 AM, Jay Killion (jakillio) <
> [email protected]> wrote:
>
>>  Hi all -
>>
>>  I'm going back through WB1 and have hit an interesting issue with lab
>> 3.12.  It's a basic WGB lab with the requirement to "ensure only Cisco
>> clients can associate" - which leads to CCKM.  I configure the SSID as
>> follows -
>>
>>  dot11 ssid WGB-01
>>    vlan 11
>>    authentication open eap eap_methods
>>    authentication key-management wpa version 2 cckm
>>
>>  With this configuration, I can't even get the WGB to associate.  But
>> simply remove "cckm" from the authentication key and everything immediately
>> begins working.  Something I'm missing?  If CCKM can't be used, how else
>> would you only allow Cisco clients?
>>
>>  Here's an example of what I see on the root.
>>
>>  *(Set auth to WPA2 only - Working)*
>>  AAP1(config)#dot11 ss WGB-01
>> AAP1(config-ssid)#auth k w v 2
>> AAP1(config-ssid)#
>>
>>  AAP1#sh dot11 ass
>>
>>  802.11 Client Stations on Dot11Radio0:
>>
>>  SSID [WGB-01] :
>>
>>  MAC Address    IP address      Device        Name            Parent         State
>> 0024.c4a1.e852 10.10.110.101   WGB           AAP2            self           EAP-Assoc
>> 2477.033d.da08 0.0.0.0         ccx-client    AAP1            self           AAA_Auth
>>
>>
>>  *(Set auth to WPA2/CCKM - AAP2 drops and won't associate)*
>>  AAP1(config)#dot11 ss WGB-01
>> AAP1(config-ssid)#auth k w v 2 c
>>
>>  AAP1#sh dot11 ass
>> AAP1#
>>
>>  Thanks -
>>
>>  Jay Killion, CCIE #17873
>>
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>
>> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>
>
>
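
An added example, not part of the original thread and not Cisco tooling: a small Python audit for the point made at the top of this thread, that an autonomous AP offering a CCKM SSID must itself run WDS and register to it, plus the "authentication network-eap" recommendation for AP-to-AP associations. Both sample configs are constructed; the `wlccp` lines, the credential placeholder, and the premise that the audited config belongs to the AP hosting WDS are assumptions.

```python
import re

# Constructed sample: CCKM SSID on a root AP with no WDS configured.
NO_WDS = """\
dot11 ssid WGB-01
   vlan 11
   authentication open eap eap_methods
   authentication key-management wpa version 2 cckm
"""

# Constructed sample: same SSID, network-eap added, AP runs WDS and registers to it.
WITH_WDS = """\
dot11 ssid WGB-01
   vlan 11
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2 cckm
wlccp ap username wdsap password EXAMPLE-ONLY
wlccp wds priority 200 interface BVI1
"""

def parse_ssids(config):
    """Return {ssid_name: [sub-commands]} for every 'dot11 ssid' block."""
    ssids, current = {}, None
    for line in config.splitlines():
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            current = ssids.setdefault(m.group(1), [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None  # any unindented line ends the SSID block
    return ssids

def audit_cckm(config):
    """List findings for every SSID that enables CCKM key management."""
    findings = []
    has_wds = re.search(r"^wlccp wds priority \d+", config, re.M) is not None
    registers = re.search(r"^wlccp ap username \S+", config, re.M) is not None
    for name, cmds in parse_ssids(config).items():
        keymgmt = [c for c in cmds if c.startswith("authentication key-management")]
        if not any("cckm" in c.split() for c in keymgmt):
            continue
        if not has_wds:
            findings.append(f"{name}: CCKM enabled but no 'wlccp wds' on this AP")
        if not registers:
            findings.append(f"{name}: CCKM enabled but no 'wlccp ap username' (AP not registered to WDS)")
        if not any(c.startswith("authentication network-eap") for c in cmds):
            findings.append(f"{name}: 'authentication network-eap' missing for AP-to-AP association")
    return findings
```

In a multi-AP deployment only the AP hosting WDS carries the `wlccp wds` line, so the first finding applies to that AP's config only.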