Cisco Cisco Aironet 1200 Access Point 技术参考
Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide
Implementing the Cisco SWAN Framework
31
Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide
OL-6217-01
The tunnel source, network attributes and state, registered access points with tunnel end-points for the
mobility group, and the registered mobile in the mobility group are shown:
mobility group, and the registered mobile in the mobility group are shown:
sup720# show mobility network 4
Wireless Network ID: 4
Wireless Tunnel Source IP Address: 10.100.4.1
Wireless Network Attributes: Trusted
Wireless Network State: Up
Registered Access Point on Wireless Network 4:
AP IP Address AP Mac Address Wireless Network-ID
--------------- ------------------ -------------------
10.200.20.49
000b.fcfb.e836
4
Registered Mobile Nodes on Wireless Network 4:
MN Mac Address MN IP Address AP IP Address Wireless Network-ID
------------------ ----------------- ---------------- ----------------------
0004.e28b.2c28 172.16.4.3
10.200.20.49
4
00d0.59c8.60e1 172.16.4.2
10.200.20.49
4
Fast Secure Roaming with CCKM
WLAN clients by definition are mobile. The WLAN industry has standardized the IEEE 802.1X with
EAP authentication for secure authorization and access to the WLAN. The inherent mobility of WLAN
clients creates significant challenges in managing WLAN client authentications and encryption keys
within the 802.1X/EAP authentication framework. Significant problems arise from handling the
re-authentication of WLAN clients (as they move associations from one access point to another) and in
generating dynamic encryption keys for these clients. As clients roam, re-authentication and dynamic
key generation are fast so that service disruption does not occur, and WLAN client and network integrity
and security are maintained.
EAP authentication for secure authorization and access to the WLAN. The inherent mobility of WLAN
clients creates significant challenges in managing WLAN client authentications and encryption keys
within the 802.1X/EAP authentication framework. Significant problems arise from handling the
re-authentication of WLAN clients (as they move associations from one access point to another) and in
generating dynamic encryption keys for these clients. As clients roam, re-authentication and dynamic
key generation are fast so that service disruption does not occur, and WLAN client and network integrity
and security are maintained.
Cisco has addressed the challenge of fast secure roaming within the Cisco SWAN framework by defining
a key management scheme called CCKM. CCKM works when an 802.1X with EAP authentication
scheme is in place, as long as the client device supports it.
a key management scheme called CCKM. CCKM works when an 802.1X with EAP authentication
scheme is in place, as long as the client device supports it.
The basic concept is that the WDS maintains context awareness of all MNs within its WLAN control
domain. The WDS proxies initial authentication transactions with the RADIUS server and manages a
master set of encryption keys. The MN generates the same set of encryption keys independently after
initial authentication. When the MN roams to a new access point within the WLAN control domain, the
WDS can vouch for the MN on the new access point and generate new encryption keys for the access
point to use. The MN independently generates the same new encryption keys when it roams. The MN
can thus roam seamlessly within the WLAN control domain. CCKM includes protections against
common attack vectors like spoofing, replay attacks, or man-in-the-middle attacks.
domain. The WDS proxies initial authentication transactions with the RADIUS server and manages a
master set of encryption keys. The MN generates the same set of encryption keys independently after
initial authentication. When the MN roams to a new access point within the WLAN control domain, the
WDS can vouch for the MN on the new access point and generate new encryption keys for the access
point to use. The MN independently generates the same new encryption keys when it roams. The MN
can thus roam seamlessly within the WLAN control domain. CCKM includes protections against
common attack vectors like spoofing, replay attacks, or man-in-the-middle attacks.
This section focuses on what needs to be configured to use CCKM. The details and theory of operations
for CCKM are beyond the scope of this document. The configuration tasks required to use CCKM are
as follows:
for CCKM are beyond the scope of this document. The configuration tasks required to use CCKM are
as follows:
•
Configure the WDS for 802.1X client authentication
•
Configure the access point to use CCKM
•
Configure the WLAN client device if necessary
The details of configuring the WDS for client authentication are covered in the
," specifically in the sections on configuring the WDS-host
devices.