Cisco WLC Now Supports PMK Caching, Finally!

I was sifting through the newly released Cisco release notes in order to update the feature enhancements that I posted about over at the NSAShow website from the brief availability of version Given my recent article on Wi-Fi Roaming Complexity that included a breakdown of the various types of roaming that exist, I thought it would be pertinent to point out the addition of Static PMK Caching support in the latest version of Cisco WLC code.

From the Cisco WLC Release Notes:

Most client devices only support Static PMK Caching and not Proactive / Opportunistic Key Caching (PKC/OKC). This includes common enterprise devices including Windows 7 and ruggedized mobile devices from Motorola (to name a few).

But Cisco WLCs never supported static PMK caching, only OKC/PKC. This is something that our wireless team went back and forth with Cisco on a few years ago when we were running version 4.2 code. We were testing our Motorola mobile devices as part of our change management process to verify correct operation and performance with a configuration change from WPA-TKIP to WPA2-AES. Previously, we had been using CCKM for fast roaming, but Motorola did not have CCKM support for WPA2. In our traces we would see static PMK caching roams a large percentage of the time. Talking with our Advanced Services support rep. and reading Cisco documentation, we should NOT have been seeing this occur. The only official support within a WLC was for OKC/PKC.

After about a dozen calls with Cisco TAC, trace files being shared, and additional verification, TAC's response was that the WLC actually had enough information to re-assemble the PMKID the client was sending for each individual AP. It wasn't storing it, but was able to regenerate it from other information that was being kept on the client session. So static PMK caching was actually working, but they could not support it. The reason cited was due to memory concerns if they had to cache individual encryption keys for every client on every AP they visited, which could grow quite large. Given a large enough AP deployment and enough clients, I understand this concern.

It was just an interesting case in something working that shouldn't have been :)
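The regeneration TAC described is possible because a PMKID is a deterministic function of the PMK and two MAC addresses: for the SHA-1 based 802.1X AKM used with WPA2, PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). The following is an added example, not Cisco's code and not from the original post; it models a controller that keeps one PMK per client session and recomputes the PMKID for whichever AP the client presents it to. The class name `SessionPmkStore`, the MAC addresses and the keys are constructed for illustration.

```python
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def pmkid(pmk: bytes, aa: str, spa: str) -> bytes:
    """First 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA).

    AA is the authenticator (AP BSSID), SPA the supplicant (client) MAC.
    """
    msg = b"PMK Name" + mac_bytes(aa) + mac_bytes(spa)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


class SessionPmkStore:
    """Hypothetical controller-side store: one PMK per client, no per-AP rows."""

    def __init__(self) -> None:
        self._pmk_by_client = {}

    def remember(self, spa: str, pmk: bytes) -> None:
        self._pmk_by_client[mac_bytes(spa)] = pmk

    def accepts(self, spa: str, bssid: str, presented: bytes) -> bool:
        """Recompute the PMKID for this BSSID and compare in constant time."""
        pmk = self._pmk_by_client.get(mac_bytes(spa))
        if pmk is None:
            return False
        return hmac.compare_digest(pmkid(pmk, bssid, spa), presented)


# Constructed sample values (not from the post or from any real network).
CLIENT = "02:00:00:00:00:01"
AP1, AP2 = "02:00:00:00:0a:01", "02:00:00:00:0a:02"
PMK_SESSION = bytes(range(32))      # PMK held in the client session
PMK_OTHER = bytes(range(32, 64))    # PMK from an unrelated 802.1X exchange

store = SessionPmkStore()
store.remember(CLIENT, PMK_SESSION)
```

A client that completed a separate full 802.1X exchange at each AP holds a different PMK per AP; a single-PMK store like this one rejects those PMKIDs, which is the case a per-AP cache exists for.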

With version, it's finally nice to see official support for static PMK caching, even though it was working before. I wonder whether, if I execute a "show pmk-cache all" command on a WLC, I'll see multiple entries per wireless client now. I'll have to test in the lab to find out!