Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter Design Guide
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 7 Cisco Unified Wireless Hybrid REAP
Hybrid REAP
Roaming
As stated earlier, when an H-REAP AP is in connected mode, all client probes, association requests,
802.1x authentication requests, and corresponding response messages are exchanged between the
H-REAP and the WLC via the LWAPP control plane. This is true for open, static WEP, and WPA
PSK-based WLANs even though LWAPP connectivity is not required to use these authentication
methods when the AP is in standalone mode.
• Dynamic WEP/WPA—A client that roams between H-REAP APs using one of these key
management methods performs full authentication each time it roams. After successful
authentication, new keys are passed back to the AP and client. This behavior is no different than a
standard centralized WLAN deployment, except that in an H-REAP topology, there can be link
delay variations across the WAN, which can in turn impact total roam time. Depending on the WAN
characteristics, RF design, backend authentication network, and authentication protocols being
used, roam times may vary from 50 ms to 1500 ms.
• WPA2—To improve client roam times, WPA2 introduced key caching capabilities, based on the
IEEE 802.11i specification. Cisco created an extension to this specification called Proactive Key
Caching (PKC). PKC today is supported only by the Microsoft Zero Config Wireless supplicant and
the Funk (Juniper) Odyssey client. Cisco’s CCKM is also compatible with WPA2.
H-REAP does not support PKC, regardless of whether a WLAN is centrally or locally switched. As
such, PKC-capable clients that roam between H-REAP APs undergo full 802.1x authentication.
Remote branch locations requiring predictable, fast roaming behavior in support of applications
such as wireless IP telephony should consider deploying a local WLC (Cisco WLC2100 or
NM-WLC for Integrated Service routers).
• Cisco Centralized Key Management (CCKM)—CCKM is a Cisco-developed protocol in which the
WLC caches the security credentials of CCKM-capable clients and forwards those credentials to
other APs within a mobility group. When a client roams and associates with another AP, their
credentials are forwarded to that AP, which allows the client to re-associate and authenticate in a
two-step process. This eliminates the need for full authentication back to the AAA server. H-REAP
APs currently do not support CCKM fast roaming. Therefore, CCKM-capable clients undergo full
802.1x authentication each time they roam from one H-REAP to another.
• Layer 2 switch CAM table updates—When a client roams from one AP to another on a locally
switched WLAN, the H-REAP currently does not announce to a Layer 2 switch that the client has
changed ports. The switch will not discover that the client has roamed until the client performs an
ARP request for its default router. This behavior, while subtle, can have an impact on roaming
performance.
Note
Clients that roam (on a given locally switched WLAN) between H-REAPs that map the WLAN to
different VLANs/subnets will renew their IP addresses to ensure that they have an appropriate address for
the network to which they have roamed.
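The CAM table behavior described in the Layer 2 switch item above can be reproduced with a minimal MAC-learning switch model. This is an added example, not code from the design guide or from Cisco; the MAC addresses and port names are constructed, and the switch model covers only standard source-address learning.

```python
# Added illustration: a minimal MAC-learning switch, not Cisco code.
class L2Switch:
    """Learns source MAC -> ingress port and forwards by CAM lookup."""

    def __init__(self):
        self.cam = {}  # MAC address -> port on which it was last seen

    def receive(self, src_mac, dst_mac, in_port):
        """Process one frame; return the egress port, or 'flood' if unknown."""
        self.cam[src_mac] = in_port  # learning happens only on ingress frames
        return self.cam.get(dst_mac, "flood")


def simulate_roam():
    """Replay a roam between two H-REAP APs on a locally switched WLAN."""
    # Constructed sample values (documentation MAC range, hypothetical ports).
    client, router = "00:00:5e:00:53:01", "00:00:5e:00:53:fe"
    ap1_port, ap2_port, router_port = "Gi0/1", "Gi0/2", "Gi0/24"
    sw = L2Switch()
    events = []

    # Before the roam: the client sends via AP1, then the router replies.
    sw.receive(client, router, ap1_port)
    events.append(("before roam", sw.receive(router, client, router_port)))

    # The client roams to AP2. Nothing is announced to the switch, so the
    # CAM entry still points at AP1's port and downstream frames go there.
    events.append(("after roam, client silent",
                   sw.receive(router, client, router_port)))

    # The client ARPs for its default router through AP2; the broadcast's
    # source address lets the switch relearn the client's port.
    sw.receive(client, "ff:ff:ff:ff:ff:ff", ap2_port)
    events.append(("after client ARP",
                   sw.receive(router, client, router_port)))
    return events


if __name__ == "__main__":
    for stage, egress in simulate_roam():
        print(f"{stage:28s} router->client frame leaves on {egress}")
```

The middle event is the window the guide refers to: traffic for the client keeps leaving on the old AP's port until the client itself transmits.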
Radio Resource Management
While in connected mode, all Radio Resource Management (RRM) functionality is fundamentally
available. However, because typical H-REAP deployments comprise a smaller number of APs, RRM
functionality may not be operational at a branch location. For example, in order for transmit power
control (TPC) to work, there must be a minimum of four H-REAPs in proximity to each other. Without
TPC, other features such as coverage hole protection will be unavailable. For more information
regarding Cisco Auto RF functionality, see