Monday, February 6, 2012

Cisco WLC Now Supports PMK Caching, Finally!

I was sifting through the newly released Cisco 7.2.103.0 release notes in order to update the feature enhancements that I posted about over at the NSAShow website from the brief availability of version 7.2.101.0. Given my recent article on Wi-Fi Roaming Complexity that included a breakdown of the various types of roaming that exist, I thought it would be pertinent to point out the addition of Static PMK Caching support in the latest version of Cisco WLC code.

From the Cisco WLC 7.2.103.0 Release Notes:


Most client devices only support Static PMK Caching and not Proactive / Opportunistic Key Caching (PKC/OKC). Common enterprise clients such as Windows 7 and ruggedized mobile devices from Motorola (to name a few) fall into this category.

But Cisco WLCs never supported static PMK caching, only OKC/PKC. This is something that our wireless team went back and forth with Cisco on a few years ago when we were running version 4.2 code. We were testing our Motorola mobile devices as part of our change management process to verify correct operation and performance with a configuration change from WPA-TKIP to WPA2-AES. Previously, we had been using CCKM for fast roaming, but Motorola did not have CCKM support for WPA2. In our traces we would see static PMK caching roams a large percentage of the time. Talking with our Advanced Services support rep and reading Cisco documentation, we should NOT have been seeing this occur. The only official support within a WLC was for OKC/PKC.

After about a dozen calls with Cisco TAC, trace files being shared, and additional verification, TAC's response was that the WLC actually had enough information to re-assemble the PMKID the client was sending for each individual AP. It wasn't storing it, but was able to regenerate it from other information that was being kept on the client session. So static PMK caching was actually working, but they could not support it. The reason cited was due to memory concerns if they had to cache individual encryption keys for every client on every AP they visited, which could grow quite large. Given a large enough AP deployment and enough clients, I understand this concern.
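Why a controller that stores no per-AP key material can still recognize a client's cached PMKIDs comes straight out of how the PMKID is defined in 802.11i (section 8.5.1.2 of 802.11-2007): PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), a function of the PMK, the AP's MAC (AA) and the client's MAC (SPA) and nothing else. Whoever holds the PMK can regenerate the PMKID for any BSSID. The following is an added example, not code from this post or from Cisco; the controller model (one PMK kept per client session, PMKIDs recomputed on demand) is an assumption used for illustration, the PMK and MAC addresses are constructed, and the derivation covers only the WPA2 AKMs that use SHA-1:

```python
import hashlib
import hmac


def mac(text: str) -> bytes:
    """Parse a colon-separated MAC address into its 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID as defined by 802.11i for the WPA2 AKMs that use SHA-1:
        PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
    AA is the authenticator (AP/BSSID) MAC, SPA the supplicant (client) MAC,
    and "-128" means the HMAC output is truncated to its first 16 bytes.
    The PMKID carries no secret of its own; anyone holding the PMK can
    regenerate it for any (AA, SPA) pair."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6:
        raise ValueError("PMK must be 32 bytes; AA and SPA must be 6-byte MACs")
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class SkcClient:
    """Static (sticky) key caching as a client does it: a (PMK, PMKID) pair
    is remembered only for a BSSID it completed a full authentication with,
    and that PMKID is offered in the RSN IE only when returning to that AP."""

    def __init__(self, spa: bytes):
        self.spa = spa
        self.cache = {}  # bssid -> (pmk, pmkid)

    def full_auth(self, bssid: bytes, pmk: bytes) -> None:
        self.cache[bssid] = (pmk, pmkid(pmk, bssid, self.spa))

    def offer(self, bssid: bytes) -> list:
        return [self.cache[bssid][1]] if bssid in self.cache else []


class ControllerSession:
    """Assumed controller-side state (an illustration, not the WLC's actual
    data structures): the PMK from the client's most recent full
    authentication, with no per-AP PMKID list. PMKIDs are recomputed on
    demand rather than stored per AP."""

    def __init__(self, spa: bytes, pmk: bytes):
        self.spa = spa
        self.pmk = pmk

    def expected_pmkid(self, bssid: bytes) -> bytes:
        return pmkid(self.pmk, bssid, self.spa)


def handle_reassociation(sessions: dict, spa: bytes, bssid: bytes, offered: list) -> str:
    """Decide how the infrastructure answers a (re)association request.
    'fast-roam': a PMKID the client offered matches one the controller can
    regenerate for this BSSID, so the 4-way handshake can start at once.
    'full-eap': the offered list is empty or unknown, and the AP falls back
    to EAP-Request/Identity."""
    session = sessions.get(spa)
    if session is None:
        return "full-eap"
    expected = session.expected_pmkid(bssid)
    if any(hmac.compare_digest(candidate, expected) for candidate in offered):
        return "fast-roam"
    return "full-eap"


def demo() -> dict:
    """Constructed scenario: one client does a single full EAP authentication
    at AP1, then tries AP1 (SKC hit), AP2 (SKC miss), AP2 with an OKC-style
    PMKID computed from the same PMK, and AP1 with a PMKID from a stale PMK."""
    pmk = bytes(range(32))                                         # constructed, not a real PMK
    spa = mac("00:11:22:33:44:55")                                 # constructed client MAC
    ap1, ap2 = mac("00:1a:a1:00:00:01"), mac("00:1a:a1:00:00:02")  # constructed BSSIDs

    client = SkcClient(spa)
    client.full_auth(ap1, pmk)
    sessions = {spa: ControllerSession(spa, pmk)}

    return {
        "back_to_ap1": handle_reassociation(sessions, spa, ap1, client.offer(ap1)),
        "ap2_skc_only": handle_reassociation(sessions, spa, ap2, client.offer(ap2)),
        "ap2_okc": handle_reassociation(sessions, spa, ap2, [pmkid(pmk, ap2, spa)]),
        "stale_pmk": handle_reassociation(sessions, spa, ap1, [pmkid(bytes(32), ap1, spa)]),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14} -> {outcome}")
```

Two things the model makes visible. First, the memory trade-off the post mentions is real: caching PMKIDs per AP is O(clients x APs visited), while regenerating from the PMK costs one HMAC per association attempt. Second, the SKC-only client in the scenario gets a full EAP exchange at every AP it has not authenticated with before, which is exactly the roaming penalty OKC removes. For the SHA-256 based AKMs (802.11w, WPA3) the hash changes and for SAE the PMKID is derived differently, so the function above is for WPA2-PSK and WPA2-802.1X with SHA-1 only.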

It was just an interesting case in something working that shouldn't have been :)

With version 7.2.103.0, it's finally nice to see official support for static PMK caching, even though it was working before. I wonder if I execute a "show pmk-cache all" command on a WLC if I'll see multiple entries per wireless client now? I'll have to test in the lab to find out!

Cheers,
Andrew

12 comments:

  1. And there is now AAA override support for H-REAP APs (now completely rebranded to FlexConnect)! Hooray!

  2. The dynamic VLAN assignment over H-REAP with local switching made me fist pump.

  3. Dynamic VLAN assignment is very cool. Thanks for the details on PMK caching, very interesting.

    It appears WCS doesn't need to be upgraded?

  4. Hmmm Cisco is pulling a disappearing act on release notes again.

    http://www.cisco.com/en/US/products/ps10315/prod_release_notes_list.html

    The software is available to download, but no RNs.

    Anyone care to share them? Thanks.

  5. Stephen,
    The 7.2.103.0 release notes are available on Cisco's website. The 7.2.101.0 notes were pulled and likely will not be published again.

    Andrew

  6. What will be the response if the AP doesn't recognize the PMKID submitted by the client? Or if PMK caching is disabled on the AP for some reason?

    1. If the AP doesn't recognize the PMK ID submitted by the client, it will proceed with EAP authentication (EAP-Request-Identity).

      Andrew

  7. Andrew, I'm a bit confused with terminology. Cisco docs seem to refer to Sticky key caching, whereas you seem to use the phrase Static key caching in this & other articles.

    Are static & sticky key caching the same thing?

    Thanks

    Nigel

    1. Hi Nigel,
      Yes, the two mean the same thing. They refer to the PMK caching on a per-AP basis that was included in 802.11i amendment, which is not shared between APs.

      Cheers,
      Andrew

  8. I cannot roam between APs with Windows 7. I have enabled CCKM and fast roaming as prescribed by my TAC engineer. As soon as I leave one AP and move to another I can no longer ping or roam. I turn my card off and back on and I am connected to the next AP. Any help would be much appreciated.

    thanks

  9. I am unable to roam between APs on Windows 7. As soon as I connect to a different AP I can no longer ping or browse. When I turn my card off/on I re-associate to the new AP and am back up, etc... etc... etc... Any ideas would be appreciated.

    thanks,
