I recently configured two BR1310 Access Point/Bridges into a Root & Non-Root (without clients) configuration to extend a LAN to another building. I configured the units to use LEAP (Root acting as RADIUS server), authenticating with Network-EAP w/ WPA2, and AES as the encryption cipher. Being that WPA2/LEAP handle the key management, I had a question regarding best practices. I currently have configured a "dot1x timeout reauth-period" of 300 seconds, in addition to a broadcast-key change interval of the same. I have 4 VLANs trunked over this bridge, and since I have no wireless clients associating with these bridges, I'm assuming I do not need the broadcast-key rotation. The idea is that by forcing a dot1x reauth, a new PTK/PMK will be created every 300 seconds. Is that a recommended practice?
Also, being that I have 4 VLANs trunked across these bridges, is there a way to verify (via debug?) that all VLANs' traffic is being encrypted by AES? Obviously when I do a "show dot11 assoc all", only my native VLAN (mgmt) shows as AES, no other VLANs.