10-29-2008 07:01 AM - edited 07-03-2021 04:42 PM
How do you handle multiple clients (one hundred) and changed keys when using WPA? We're trying to figure out how to implement a rotating security scheme, but not sure how to do it. How do you communicate these changes to your users? Do you push the changes somehow to the client so they don't know anything changed?
Thanks!
John
10-29-2008 07:25 AM
As a rule it is handled by the controller on a preset schedule based on default timers.
10-29-2008 07:27 AM
So we would need to get a WLC to be able to manage this seamlessly for clients? We would never have to tell them that their password changed?
Thanks!!!
10-29-2008 07:36 AM
If you use preshared key then the key rotates at time intervals. The initial passphrase remains the same. You would want to change it on occasion. Select a client supplicant that allows for remote management for that.
10-29-2008 07:46 AM
Doesn't that only work for WEP though? Is there a way to do it with WPA?
10-29-2008 07:53 AM
WPA and WPA2 preshared key is allowed on the controllers. You can also select TKIP or AES encryptions.
10-29-2008 07:56 AM
Understood, but how can I create a rotation scheme with preshared keys using WPA? Can you broadcast them like WEP keys? If so, how can I have multiple keys under an ssid? Every time I change the key, it only allows me the one under each ssid.
Thanks!
10-29-2008 08:00 AM
That's really all you can do easily without a supplicant like the CSA. With a good supplicant you still only have one key but you can change it at will and push the change to the client devices.
10-29-2008 08:05 AM
So, in order to do this, I would have to switch back to WEP? All of my clients are using the standard Windows XP clients. Switching to WEP will only allow me to broadcast and iterate through different keys.
--John
10-29-2008 08:54 AM
No. If you have a RADIUS server configured then you don't need to use the preshared key. You will use WPA/WPA2 with some sort of EAP. You can use Cisco's version or any of the popular versions such as EAP-TTLS. When you use WPA/WPA2 enterprise the server verifies the authentication of the user via the 802.1x server method then periodically sends reauthentications to the device in an AES-CCMK secure method.