Multiple clients - key changes

Unanswered Question
Oct 29th, 2008

How do you handle multiple clients (one hundred) and changed keys when using WPA? We're trying to figure out how to implement a rotating security scheme, but not sure how to do it. How do you communicate these changes to your users? Do you push the changes somehow to the client so they don't know anything changed?



dennischolmes Wed, 10/29/2008 - 07:25

As a rule it is handled by the controller on a preset schedule based on default timers.

John Blakley Wed, 10/29/2008 - 07:27

So we would need to get a WLC to be able to manage this seamlessly for clients? We would never have to tell them that their password changed?


dennischolmes Wed, 10/29/2008 - 07:36

If you use preshared key then the key rotates at time intervals. The initial passphrase remains the same. You would want to change it on occasion. Select a client supplicant that allows for remote management for that.
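
The point above (the passphrase stays fixed while the per-client key changes on every association) can be checked with the standard WPA/WPA2-Personal derivation. This is an added example, not code from the original thread or from Cisco: the PMK is PBKDF2-HMAC-SHA1 over passphrase and SSID, and the PTK comes from the 4-way handshake nonces via the 802.11i PRF. MAC addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac
import os


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.
    This is the only thing the shared passphrase ever yields; it is the same for every client."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key (48 bytes for CCMP) from the 4-way handshake inputs.
    aa/spa are the AP and station MAC addresses; the min/max ordering makes the
    result the same whichever side computes it. Layout: KCK | KEK | TK (16 bytes each)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def session_keys_for_clients(passphrase: str, ssid: str, ap_mac: bytes, clients):
    """Temporal (data-encryption) key per client for one round of associations.
    clients: iterable of (station_mac, anonce, snonce)."""
    pmk = wpa2_pmk(passphrase, ssid)
    return {mac.hex(): wpa2_ptk(pmk, ap_mac, mac, an, sn)[32:48] for mac, an, sn in clients}


if __name__ == "__main__":
    # Constructed sample network: one AP, three stations, fresh random nonces per association.
    ap = bytes.fromhex("020000000001")
    stations = [bytes.fromhex(f"0200000000{n:02x}") for n in (0x10, 0x11, 0x12)]
    round1 = [(s, os.urandom(32), os.urandom(32)) for s in stations]
    round2 = [(s, os.urandom(32), os.urandom(32)) for s in stations]
    tk1 = session_keys_for_clients("correct horse battery", "CorpWLAN", ap, round1)
    tk2 = session_keys_for_clients("correct horse battery", "CorpWLAN", ap, round2)
    for mac in tk1:
        # Same passphrase, same client: the temporal key still differs on every re-association.
        print(mac, tk1[mac].hex(), tk2[mac].hex(), "rotated" if tk1[mac] != tk2[mac] else "same")
```

Changing the passphrase itself changes the PMK for everyone at once, which is why it has to be pushed to every supplicant; the per-session keys rotate without any client-side change.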

John Blakley Wed, 10/29/2008 - 07:46

Doesn't that only work for WEP though? Is there a way to do it with WPA?

dennischolmes Wed, 10/29/2008 - 07:53

WPA and WPA2 preshared key is allowed on the controllers. You can also select TKIP or AES encryptions.

John Blakley Wed, 10/29/2008 - 07:56

Understood, but how can I create a rotation scheme with preshared keys using WPA? Can you broadcast them like WEP keys? If so, how can I have multiple keys under an ssid? Every time I change the key, it only allows me the one under each ssid.


dennischolmes Wed, 10/29/2008 - 08:00

That's really all you can do easily without a supplicant like the CSA. With a good supplicant you still only have one key but you can change it at will and push the change to the client devices.

John Blakley Wed, 10/29/2008 - 08:05

So, in order to do this, I would have to switch back to WEP? All of my clients are using the standard Windows XP clients. Switching to WEP will only allow me to broadcast and iterate through different keys.


dennischolmes Wed, 10/29/2008 - 08:54

No. If you have a RADIUS server configured then you don't need to use the preshared key. You will use WPA/WPA2 with some sort of EAP. You can use Cisco's version or any of the popular versions such as EAP-TTLS. When you use WPA/WPA2 enterprise the server verifies the authentication of the user via the 802.1x server method then periodically sends reauthentications to the device in an AES-CCMK secure method.

