10-6
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-5260-01
Chapter 10 Configuring Authentication Types
Understanding Authentication Types
Combining MAC-Based, EAP, and Open Authentication
You can set up the access point to authenticate client devices using a combination of MAC-based and
EAP authentication. When you enable this feature, client devices that associate to the access point using
802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client
device joins the network. If MAC authentication fails, the access point waits for the client device to
attempt EAP authentication. See the "Assigning Authentication Types to an SSID" section on
page 10-10 for instructions on setting up this combination of authentications.
Using CCKM for Authenticated Clients
Using Cisco Centralized Key Management (CCKM), authenticated client devices can roam from one
access point to another without any perceptible delay during reassociation. An access point on your
network provides Wireless Domain Services (WDS) and creates a cache of security credentials for
CCKM-enabled client devices on the subnet. The WDS access point's cache of credentials dramatically
reduces the time required for reassociation when a CCKM-enabled client device roams to a new access
point. When a client device roams, the WDS access point forwards the client's security credentials to the
new access point, and the reassociation process is reduced to a two-packet exchange between the
roaming client and the new access point. Roaming clients reassociate so quickly that there is no
perceptible delay in voice or other time-sensitive applications. See the "Assigning Authentication Types
to an SSID" section on page 10-10 for instructions on enabling CCKM on your access point. See the
"Configuring Access Points as Potential WDS Access Points" section on page 11-8 for detailed
instructions on setting up a WDS access point on your wireless LAN.
Note: The RADIUS-assigned VLAN feature is not supported for client devices that associate using SSIDs with
CCKM enabled.
Figure 10-5 shows the reassociation process using CCKM.
Figure 10-5 Client Reassociation Using CCKM
[Figure 10-5 labels. Devices: roaming client device; access point; access point providing Wireless Domain Services; authentication server; wired LAN. Messages: reassociation request, reassociation response, pre-registration request, pre-registration reply.]