Monday, August 18, 2008

Cisco and Nokia Dual-Mode Part II : CCKM

After having made everything work with EAP-MSCHAPv2 (check out chapter one), I started the fine-tuning session and ran into some roaming issues.

The Nokia IntelliSync Call Connect Datasheet (here) makes it clear that the E-series phones are CCXv3 compatible.

On the Cisco side, this document says that CCKM with EAP-PEAP (MSCHAP) authentication is supported only on CCXv4 compatible devices.

Finally, the authentication provided by MS IAS on our infrastructure does not support LEAP (the alternative to PEAP), so we need to move to a Cisco RADIUS authenticator, i.e. ACS (at least in this phase; later we'll use Cisco ACS 4 as a proxy towards domain authentication).

OK, so we have to move from EAP-PEAP (MSCHAPv2) to EAP-LEAP, authenticating on Cisco ACS.

Here's the Cisco doc on configuring Cisco ACS for LEAP.

Once that is configured, we have to change both the WLC and the phone's configuration.

The Wireless LAN Controller (from WCS):

Note on the last tab that DHCP Addr. Assignment Required should be UNchecked, otherwise the phone could ask for a new IP address at each roam.

The Nokia Phone :

-Connection name : VoWLAN
-Data bearer: Wireless LAN
-WLAN netw. name: TEST-ACS
-Network status: Hidden
-WLAN netw. mode: Infrastructure
-WLAN security mode: 802.1x (NOT WPA/WPA2)
-WLAN security settings :
--WPA mode: EAP
--EAP plug-in settings:
---EAP-LEAP (select only this, move it to the top and disable all the others):

---EAP-LEAP Configuration:
----User name: [Your radius user name]
----Prompt password: No
----Password: [Your radius password]

Now set this connection in the SCCP Profile and set the registration to Always On (chapter one has more info and links on this).

How can I see if CCKM is active? Obviously user experience is a useful indicator: fast roaming is easily noticeable when speaking and walking at the same time. However, sometimes you may experience gaps in the conversation without knowing whether you have misconfigured CCKM, the WLAN coverage is not excellent, or both.

Debugging the client on the WLC gives you immediate evidence of this.

This Cisco doc is very useful for understanding the entire process, but simply checking for one string in the debug output is enough:

On the WLC issue the command "debug client [mac address of the Nokia device]" (here's how to find the Nokia device's WLAN MAC address).

Now start a call (over IP, obviously) with the Nokia device and start walking to force a roam. Each roam makes the debug session display a huge amount of information about authentication, dot1x, etc. (debugging...).
If CCKM is well configured, in the roaming session output you should see

CCKM: Mobile is using CCKM

and NOT see

Received EAPOL-key in REKEYNEGOTIATING state

If you normally experience correct fast roaming (CCKM) and only sometimes find a key renegotiation (together with a worse user experience), then you should check WLAN coverage in those areas; CCKM itself is well configured.

Hope this helps.

1 comment:

freealx said...

Hi there! Nice explanation - congrats.
So, EAP-PEAP (MSCHAPv2) is straightforward and well documented, but do you have something about EAP-PEAP (Cisco) on Nokia WLAN access?