Multiple clients - key changes

John Blakley
VIP Alumni

How do you handle multiple clients (one hundred) and changed keys when using WPA? We're trying to figure out how to implement a rotating security scheme, but not sure how to do it. How do you communicate these changes to your users? Do you push the changes somehow to the client so they don't know anything changed?

Thanks!

John

HTH, John *** Please rate all useful posts ***

dennischolmes
Level 7

As a rule it is handled by the controller on a preset schedule based on default timers.

So we would need to get a WLC to be able to manage this seamlessly for clients? We would never have to tell them that their password changed?

Thanks!!!

HTH, John *** Please rate all useful posts ***

If you use preshared key then the key rotates at time intervals. The initial passphrase remains the same. You would want to change it on occasion. Select a client supplicant that allows for remote management for that.

Doesn't that only work for WEP though? Is there a way to do it with WPA?

HTH, John *** Please rate all useful posts ***

WPA and WPA2 preshared key is allowed on the controllers. You can also select TKIP or AES encryption.

Understood, but how can I create a rotation scheme with preshared keys using WPA? Can you broadcast them like WEP keys? If so, how can I have multiple keys under an SSID? Every time I change the key, it only allows me the one under each SSID.

Thanks!

HTH, John *** Please rate all useful posts ***

That's really all you can do easily without a supplicant like the CSA. With a good supplicant you still only have one key but you can change it at will and push the change to the client devices.

So, in order to do this, I would have to switch back to WEP? All of my clients are using the standard Windows XP clients. Switching to WEP will only allow me to broadcast and iterate through different keys.

--John

HTH, John *** Please rate all useful posts ***

No. If you have a RADIUS server configured then you don't need to use the preshared key. You will use WPA/WPA2 with some sort of EAP. You can use Cisco's version or any of the popular versions such as EAP-TTLS. When you use WPA/WPA2 enterprise the server verifies the authentication of the user via the 802.1x server method, then periodically sends reauthentications to the device in an AES-CCMK secure method.
