SWAN Fast Secure Roaming (CCKM)

When you deploy EAP/802.1x as the security mechanism, you need to address performance when a user roams from one AP to another (whether a Layer 2 or Layer 3 roam). As discussed in previous chapters, during an 802.11 reassociation process, you must reauthenticate the WLAN user to avoid man-in-the-middle (MitM) attacks. A full EAP/802.1x authentication is likely to increase the roaming delay between the APs. In the case of a remote branch office, if the RADIUS authentication takes place over a WAN link (for example, with the RADIUS infrastructure located at the headquarters [HQ]), the roaming delay increases further.

The roaming delay during EAP/802.1x reassociation might impact some applications, such as voice over IP (VoIP). If the roaming delay exceeds 150 ms, the user is likely to notice jitter (that is, decreased voice quality). Therefore, you must expedite roaming between APs for devices running latency/jitter-sensitive applications such as VoIP. The SWAN fast secure roaming feature expedites roaming (that is, 802.11 reassociation) for EAP/802.1x users using Cisco Centralized Key Management (CCKM). Essentially, CCKM is a centralized key management function that removes the need for a full 802.1x reauthentication and 4-way handshake (as defined by the 802.11i/WPA specifications to refresh the unicast keys) during the 802.11 roam process. Refer to Chapter 8, "WLAN Encryption and Data Integrity Protocols," for more discussion on 802.11i and WPA, including unicast key derivation via the 4-way handshake.

As of this writing (summer of 2004), fast secure roaming is supported on Cisco and CCX clients for LEAP and EAP-FAST authentication. However, fast secure roaming is independent of the EAP authentication type and can be supported on any EAP type.

Figure 9-7 illustrates fast secure roaming in large campus network and remote branch office scenarios. As shown in the figure, switch-based WDS is used for fast secure roaming in a large campus environment (for scalability reasons). In the remote branch office deployment scenario, you can use an AP or branch office router (and possibly a low-end Catalyst switch) as the WDS. When you use a localized WDS in the remote branch office scenario, the WDS can expedite roaming for CCKM users (for example, LEAP with CCKM and WPA-TKIP enabled VoIP devices) without having to reauthenticate the users to the RADIUS server. As noted previously, this considerably improves roaming performance in a remote branch office scenario and accommodates delay/jitter-sensitive applications such as VoIP over WLAN.

Figure 9-7. Fast Secure Roaming Scenarios


During the initial EAP/802.1x authentication process of a WLAN client, credentials are cached on the WDS server. When the client roams, the cached credentials are used to expedite the roaming process. Thus, SWAN enables infrastructure-based, scalable, and centrally manageable fast secure roaming for EAP/802.1x users. Figure 9-8 illustrates the initial EAP/802.1x authentication process in a SWAN-enabled network for a WLAN client. As shown in the figure, the WLAN client discovers the fast secure roaming-enabled AP during the initial discovery process using the WPA Information Element (IE) and associates to the AP (Step 1). During the initial association process, the WLAN client needs to negotiate the ciphers, such as Cisco Temporal Key Integrity Protocol (Cisco TKIP, also known as CKIP) or WPA-TKIP (Wi-Fi Protected Access TKIP). This process is similar to the initial WPA association.

Figure 9-8. Initial 802.1x CCKM Client Authentication


As shown in Figure 9-8, when the initial 802.11 association is successful (Step 2), the WLAN client authenticates with the WDS client AP, which relays the authentication request using the WLCCP protocol to the WDS server (Step 3). The WDS server communicates with the RADIUS server to authenticate the WLAN client. Thus, the WDS client AP does not communicate directly with the RADIUS server. At the end of initial Fast Secure Roaming authentication, both the WLAN client and the RADIUS server derive the Network Session Key (NSK). The RADIUS server securely communicates the derived NSK to the WDS server (Step 4). Subsequently, the WLAN client and the WDS server initiate a 4-way handshake through the WDS client AP where nonces (that is, random numbers) are exchanged to derive the Base Transient Key (BTK) and the Key Refresh Key (KRK), as shown in the figure (Step 5). For more discussion on the 802.11i (and WPA) 4-way handshake and key-derivation process, refer to Chapter 8.

As shown in Figure 9-8, the WDS server securely communicates the BTK and the refresh number (RN) to the WDS client AP (Step 6). In a SWAN-enabled wireless/wired network, the WDS server maintains the keying information (BTK, KRK, and RN) for each CCKM client. The WDS client AP and WLAN client derive the Pairwise Transient Key (PTK) as a function of the BTK. After the PTK is derived, the WDS client AP securely communicates the Group Transient Key (GTK) to the WLAN client (Step 7). See Table 9-2 for a description of keys derived during the Fast Secure Roaming initial authentication process.

Table 9-2. CCKM Key Hierarchy

| Key | Description |
|-----|-------------|
| NSK | The NSK is derived at the end of successful EAP authentication by the WLAN client and the RADIUS server. |
| BTK | The BTK is derived by the WDS server and the WLAN client for the purposes of deriving the actual encryption keys (such as PTK). BTK is a function of the nonces (that is, random numbers) exchanged between the WLAN client and the WDS server and of the NSK. |
| KRK | The KRK is used during the roaming process to authenticate the WLAN client to the WDS server. KRK is derived as a function of nonces (that is, random numbers) exchanged between the WLAN client and the WDS server and using the NSK. |
| PTK | The PTK is used to derive the encryption and MIC keys for the user data protection between the WLAN client and the AP. PTK is derived as a function of BTK, refresh number (RN), and BSSID. During the initial authentication, RN is set to 1. |
| GTK | The AP uses the GTK to transmit broadcast/multicast messages to the WLAN clients. The AP derives and maintains the GTK. GTK is communicated to the WLAN client using a portion of the PTK. |


Figure 9-9 shows the reassociation message exchange for a fast secure roaming client. As shown in the figure, the fast secure roaming client sends an 802.11 reassociation request message, authenticated using its KRK, to the new AP. The new AP (that is, the WDS client AP) relays the reassociation request to the WDS server. The WDS server verifies the reassociation request using the client's KRK. If successful, the WDS server sends the client's BTK and received RN to the new AP. The new AP, in turn, uses the BTK, RN, and its Basic Service Set Identifier (BSSID) to derive the PTK. Finally, the new AP sends its GTK to the WLAN client encrypted using a portion of the PTK. At this point, a full 802.11 reassociation is executed, and the WLAN client can resume its data transfer to the new AP.

Figure 9-9. SWAN-Enabled Fast Secure Roaming


As shown in Figure 9-9, the reassociation process is expedited using the WDS server, and a total of three messages are required between the WLAN client and the new AP. Note that in the case of a non-CCKM EAP/802.1x client, a full EAP/802.1x reauthentication is required. In the case of a non-CCKM WPA client, a full EAP/802.1x reauthentication, along with 4-way handshake, is required to reassociate with the new AP. Thus, there is a significant performance improvement in using the SWAN-enabled fast secure roaming implementation for latency-sensitive applications such as VoIP.
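The key hierarchy in Table 9-2 and the reassociation check described above can be modeled in a few lines; this is an added example, not code from the book or from Cisco. HMAC-SHA256 stands in for the CCKM derivation functions, which the text does not specify, and the rule that the RN must increase, the helper names, and the MAC/BSSID values are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def kdf(key, label, *parts):
    # Stand-in KDF (HMAC-SHA256, length-prefixed inputs); not CCKM's real function.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in (label, *parts))
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_btk_krk(nsk, c_nonce, w_nonce):  # functions of the NSK and the nonces
    return kdf(nsk, b"BTK", c_nonce, w_nonce), kdf(nsk, b"KRK", c_nonce, w_nonce)

def derive_ptk(btk, rn, bssid):  # PTK = f(BTK, RN, BSSID), per Table 9-2
    return kdf(btk, b"PTK", rn.to_bytes(4, "big"), bssid)

def reassoc_mic(krk, mac, bssid, rn):  # KRK authenticates the reassociation request
    return kdf(krk, b"REASSOC", mac, bssid, rn.to_bytes(4, "big"))

class WDS:
    def __init__(self):
        self.clients = {}  # per-client BTK, KRK and RN cached after initial auth

    def initial_auth(self, mac, nsk, c_nonce, w_nonce):
        btk, krk = derive_btk_krk(nsk, c_nonce, w_nonce)
        self.clients[mac] = {"btk": btk, "krk": krk, "rn": 1}  # RN starts at 1

    def verify_reassoc(self, mac, bssid, rn, mic):
        st = self.clients.get(mac)
        if st is None:
            return None  # nothing cached: full EAP/802.1x authentication needed
        # Assumption: RN must increase, so a captured request cannot be replayed.
        expected = reassoc_mic(st["krk"], mac, bssid, rn)
        if rn <= st["rn"] or not hmac.compare_digest(mic, expected):
            return None
        st["rn"] = rn
        return st["btk"], rn  # the new AP derives the PTK from these

def simulate_roam():
    mac, ap2 = bytes.fromhex("020000000001"), bytes.fromhex("0200000000a2")  # constructed
    nsk, c_nonce, w_nonce = (os.urandom(32) for _ in range(3))  # constructed secrets
    wds = WDS()
    wds.initial_auth(mac, nsk, c_nonce, w_nonce)
    btk, krk = derive_btk_krk(nsk, c_nonce, w_nonce)  # client derives the same keys
    mic = reassoc_mic(krk, mac, ap2, 2)  # roam to AP2 with RN = 2
    first = wds.verify_reassoc(mac, ap2, 2, mic)
    replay = wds.verify_reassoc(mac, ap2, 2, mic)  # same request sent again
    forged = wds.verify_reassoc(mac, ap2, 3, reassoc_mic(os.urandom(32), mac, ap2, 3))
    return first is not None and derive_ptk(*first, ap2) == derive_ptk(btk, 2, ap2), replay, forged
```

The roam completes with no RADIUS exchange: the new AP and the client reach the same PTK from the cached BTK, while a replayed request or one signed without the KRK is rejected by the WDS server.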

Finally, you can deploy fast secure roaming with Cisco TKIP (CKIP) or WPA. When you deploy fast secure roaming with WPA, WPA key management is replaced with fast secure roaming key management (that is, CCKM).