思科统一无线的技术交流-运营版本.ppt

* * * PKC is a feature enabled in Cisco 2006/410x/440x Series Controllers which permits properly equipped wireless clients to roam without full re-authentication with an AAA server. In order to understand PKC, you first need to understand Key Caching. Key Caching is a feature that was added to WPA2. This allows a mobile station to cache the master keys (Pairwise Master Key [PMK]) it gains through a successful authentication with an access point (AP), and re-use it in a future association with the same AP. This means that a given mobile device needs to authenticate once with a specific AP, and cache the key for future use. Key Caching is handled via a mechanism known as the PMK Identifier (PMKID), which is a hash of the PMK, a string, the station and the MAC addresses of the AP. The PMKID uniquely identifies the PMK. Even with Key Caching, a wireless station must authenticate with each AP it wishes to get service from. This introduces significant latency and overheads, which delay the hand-off process and can inhibit the ability to support real-time applications. In order to resolve this issue, PKC was introduced with WPA2. PKC allows a station to re-use a PMK it had previously gained through a successful authentication process. This eliminates the need for the station to authenticate against new APs when roaming. Therefore, in an intra-controller roaming, when a mobile device moves from one AP to another on the same controller, the client re-computes a PMKID using the previously used PMK and presents it during the association process. The WLC searches its PMK cache to determine if it has such an entry. If it does, it bypasses the 802.1X authentication process and immediately initiates the WPA2 key exchange. If it does not, it goes through the standard 802.1X authentication process. PKC is enabled by default with WPA2. Therefore, when you enable WPA2 as Layer 2 security under the WLAN configuration of the WLC, PKC is enabled on the WLC. Also, configure the AAA serv