11-6
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 11 Configuring Authentication Types
Understanding Authentication Types
Figure 11-4 Sequence for MAC-Based Authentication
Combining MAC-Based, EAP, and Open Authentication
You can set up the access point to authenticate client devices using a combination of MAC-based and
EAP authentication. When you enable this feature, client devices that associate to the access point using
802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client
device joins the network. If MAC authentication fails, EAP authentication takes place. See the
“Assigning Authentication Types to an SSID” section on page 11-10 for instructions on setting up this
combination of authentications.
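As an added illustration (not taken from the original guide), the combination described above corresponds to an SSID configured along the following lines. The SSID name, the radio interface number and the method-list names mac_methods and eap_methods are assumptions, and a RADIUS server is assumed to be defined elsewhere in the configuration.

```cisco-ios
! Added example. EXAMPLE-SSID, mac_methods and eap_methods are placeholder names.
! Assumes a RADIUS server is already configured for "group radius".
configure terminal
aaa new-model
! Method list consulted for the MAC address check (local list in this example).
aaa authentication login mac_methods local
! Method list used when the client falls through to EAP.
aaa authentication login eap_methods group radius
!
dot11 ssid EXAMPLE-SSID
 ! Open association with MAC authentication attempted first; "alternate"
 ! lets a client that fails the MAC check join by completing EAP instead.
 authentication open mac-address mac_methods alternate eap eap_methods
 exit
!
interface dot11Radio 0
 ssid EXAMPLE-SSID
 end
```

With this setting a client whose MAC address is accepted joins the network without performing EAP, so the MAC list is best limited to devices that cannot run an EAP supplicant.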
Using CCKM for Authenticated Clients
Using Cisco Centralized Key Management (CCKM), authenticated client devices can roam from one
access point to another without any perceptible delay during reassociation. An access point on your
network provides Wireless Domain Services (WDS) and creates a cache of security credentials for
CCKM-enabled client devices on the subnet. The WDS access point’s cache of credentials dramatically
reduces the time required for reassociation when a CCKM-enabled client device roams to a new access
point. When a client device roams, the WDS access point forwards the client’s security credentials to the
new access point, and the reassociation process is reduced to a two-packet exchange between the
roaming client and the new access point. Roaming clients reassociate so quickly that there is no
perceptible delay in voice or other time-sensitive applications. See the “Assigning Authentication Types
to an SSID” section on page 11-10 for instructions on enabling CCKM on your access point. See the
“Configuring Access Points as Potential WDS Devices” section on page 12-9 for detailed instructions
on setting up a WDS access point on your wireless LAN.
Note: The RADIUS-assigned VLAN feature is not supported for client devices that associate using SSIDs with
CCKM enabled.
Figure 11-4 participants: client device, access point or bridge, and server (reached over the wired LAN). Steps shown in the figure:
1. Authentication request
2. Authentication success
3. Association request
4. Association response (block traffic from client)
5. Authentication request
6. Success
7. Access point or bridge unblocks traffic from client