OKC Roaming Cisco Whitepaper

Uploaded by

divakar89
Opportunistic Key Caching

• Information about Opportunistic Key Caching
• Enabling Opportunistic Key Caching
• Verifying Opportunistic Key Caching

Information about Opportunistic Key Caching


Opportunistic Key Caching (OKC) is an enhancement of the WPA2 Pairwise Master Key ID (PMKID) caching
method, which is why it is also called Proactive or Opportunistic PMKID Caching. Just like PMKID caching,
OKC works with WPA2-EAP.
With OKC, wireless clients and the WLAN infrastructure cache only one PMK for a client's association
with a WLAN, even when the client roams between multiple APs, because all the APs share the original PMK
that is used for the WPA2 4-way handshake. The 4-way handshake is still required to generate new encryption
keys every time a client reassociates with an AP. For APs to share the original PMK from a client session,
they must all be under a centralized device that caches and distributes the original PMK to all the APs.
Just as in PMKID caching, the initial association to an AP is a regular first-time authentication to the
corresponding WLAN, where you must complete the entire 802.1X/EAP authentication against the authentication
server, and the 4-way handshake for key generation, before sending data frames.
OKC is a fast roaming technique supported by Microsoft and some Android clients. Another fast roaming
method is 802.11r, which is supported by Apple and a few Android clients. OKC is enabled by default
on a WLAN. This configuration enables the control of OKC on a WLAN. Disabling OKC on a WLAN disables
OKC even for OKC-supported clients.
A new configuration is introduced for each WLAN in the controller in Cisco IOS XE Amsterdam 17.2.1, to
disable or enable fast and secure roaming with OKC at the corresponding AP.
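
The following is an added example, not taken from the Cisco document or from Cisco software: a simplified Python model of why one cached PMK can serve every AP under the controller. It assumes the standard WPA2 PMKID formula for the SHA-1 based 802.1X AKM; the Controller class, its method names, the MAC addresses and the PMK are hypothetical, constructed values.

```python
# Added illustration, not Cisco code. Models the standard WPA2 PMKID formula
# (SHA-1 based 802.1X AKM). Controller and all sample values are hypothetical.
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def pmkid(pmk: bytes, ap_bssid: str, client_mac: str) -> bytes:
    """First 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    data = b"PMK Name" + mac_bytes(ap_bssid) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class Controller:
    """Central device that caches one PMK per client for all its APs."""

    def __init__(self, okc_enabled: bool = True):
        self.okc_enabled = okc_enabled
        self.cache = {}  # client MAC -> (PMK, BSSID of the first association)

    def full_auth(self, client_mac: str, ap_bssid: str, pmk: bytes) -> None:
        # Record the PMK produced by a complete 802.1X/EAP authentication.
        self.cache[client_mac.lower()] = (pmk, ap_bssid.lower())

    def reassociate(self, client_mac: str, ap_bssid: str, offered: bytes) -> str:
        entry = self.cache.get(client_mac.lower())
        if entry is None:
            return "full-eap"
        pmk, first_ap = entry
        # With OKC off, the PMK is honoured only at the AP that created it.
        if not self.okc_enabled and ap_bssid.lower() != first_ap:
            return "full-eap"
        expected = pmkid(pmk, ap_bssid, client_mac)
        if hmac.compare_digest(expected, offered):
            return "4-way-handshake"  # EAP skipped, new keys still derived
        return "full-eap"


if __name__ == "__main__":
    pmk = bytes(range(32))  # constructed 256-bit PMK
    client, ap1, ap2 = "02:00:00:00:00:10", "02:00:00:00:0a:01", "02:00:00:00:0a:02"
    wlc = Controller(okc_enabled=True)
    wlc.full_auth(client, ap1, pmk)
    print(wlc.reassociate(client, ap2, pmkid(pmk, ap2, client)))
```

The PMKID differs per AP because the AP's MAC address is part of the input, yet both sides can compute it for an AP the client has never visited, which is what lets the roam skip 802.1X/EAP.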

Enabling Opportunistic Key Caching


Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 2
Command or Action: wlan profile-name wlan-identifier <1-4096> ssid-network-name
Purpose: Enters WLAN configuration submode.
wlan-profile-name: Profile name of the configured WLAN.
Example:
Device(config)# wlan wlan-profile-name 18 san-ssid

Step 3
Command or Action: okc
Purpose: Enables Opportunistic Key Caching, if not enabled. By default, the OKC feature is enabled. (Use the no form of this command to disable the OKC feature.)
Example:
Device(config-wlan)# okc

Verifying Opportunistic Key Caching


The following example shows how to verify whether OKC is disabled for a WLAN profile.
• Device# show wlan id 18
WLAN Profile Name : 18%wlanprofile
================================================
Identifier : 18
Description :
Network Name (SSID) : san-ssid
Status : Disabled
Broadcast SSID : Enabled
Advertise-Apname : Disabled
Universal AP Admin : Disabled
Max Associated Clients per WLAN : 0
Max Associated Clients per AP per WLAN : 0
Max Associated Clients per AP Radio per WLAN : 200
OKC : Disabled
Number of Active Clients : 0
CHD per WLAN : Enabled
WMM : Allowed
Channel Scan Defer Priority:
Priority (default) : 5
Priority (default) : 6
Scan Defer Time (msecs) : 100
Media Stream Multicast-direct : Disabled
CCX - AironetIe Support : Disabled
Peer-to-Peer Blocking Action : Disabled
Radio Policy : All

• Device# show run wlan


wlan name 2 ssid-name
wlan test 24 test
wlan test2 15 test2
wlan test4 12 testssid
radio dot11a
wlan wlan1 234 wlan1
wlan wlan2 14 wlan-aaa
security dot1x authentication-list realm
wlan wlan7 27 wlan7
wlan test23 17 test23
wlan wlan_1 4 ssid_name
security dot1x authentication-list authenticate_list_name

wlan wlan_3 5 ssid_3


security wpa wpa1
security wpa wpa1 ciphers aes
wlan wlan_8 9 ssid_name
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth
wlan test-wlan 23 test-wlan
wlan wlan-test 1 wlan2
mac-filtering default
wlan 18%wlanprofile 18 san-ssid
no okc
