Cisco Support Community

New Member

WPA Key Rotation Question

Hi All,

In an AP, the broadcast-key change <value> command tells the AP how often to rotate the WPA key. My question: How do clients remain connected to the Wireless LAN when the key rotates? If the client authenticates (via RADIUS in my example below), then I would think the key challenge would need to be met. However, if in 5 minutes the key rotates, for example, isn't the client going to lose connection since the challenge value is now different? The only thing I can think of is that RADIUS handles this dynamically once a client is authenticated, thus avoiding any disruption. Is this correct?

Here is my config, if interested:

aaa new-model

aaa group server radius employee-clients
 server auth-port 1645 acct-port 1646

aaa authentication login console local
aaa authentication login net-admin local
aaa authentication login eap_methods group employee-clients
aaa authorization exec default local

aaa session-id common

dot11 ssid WLAN-Local
   vlan 20
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa

interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 20 mode ciphers aes-ccm
 broadcast-key vlan 1 change 300

radius-server host auth-port 1645 acct-port 1646 key <key>

Cisco Employee

WPA Key Rotation Question

All dot1x clients have a unique key but share a separate broadcast key that is derived through the dot1x process. To rotate that key, use this command (broadcast-key vlan # change #) on the radio interface. But the WPA cipher key, which keeps changing after some interval, is there to encrypt the data with different keys so that it will be difficult to crack/decrypt, and not for reauthentication of clients.
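Why rotation does not disconnect anyone, as an added example that is not part of the original thread or Cisco's code: each client keeps its own pairwise key from the 802.1X/4-way handshake, and the AP delivers every new broadcast (group) key to each client protected under that pairwise key. Assumptions: the class and function names are hypothetical, the message layout is simplified, and an HMAC-based XOR pad stands in for the AES Key Wrap that WPA2 uses.

```python
import hashlib, hmac, os

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    return b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                    for i in range((nbytes + 19) // 20))[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Pairwise key unique to one client; returns (KCK, KEK, TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:]

def _xor_wrap(kek, iv, data):
    # Stand-in for AES Key Wrap (RFC 3394), which WPA2 uses; keeps the example stdlib-only.
    pad = hmac.new(kek, b"gtk-wrap" + iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))
def _mic(kck, body):
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]

class Station:
    def __init__(self, kck, kek, tk):
        self.kck, self.kek, self.tk, self.gtk, self.replay = kck, kek, tk, None, 0
    def on_group_key(self, msg):
        """Accept a rotated group key only if the MIC and replay counter check out."""
        replay, iv, wrapped, mic = msg
        body = replay.to_bytes(8, "big") + iv + wrapped
        if replay <= self.replay or not hmac.compare_digest(mic, _mic(self.kck, body)):
            return False
        self.gtk, self.replay = _xor_wrap(self.kek, iv, wrapped), replay
        return True

class AccessPoint:
    def __init__(self, aa):
        self.aa, self.keys, self.replay, self.gtk = aa, {}, 0, None
    def associate(self, spa, pmk):
        """Stands in for 802.1X/EAP plus the 4-way handshake; pmk would come via RADIUS."""
        kck, kek, tk = derive_ptk(pmk, self.aa, spa, os.urandom(32), os.urandom(32))
        self.keys[spa] = (kck, kek)
        return Station(kck, kek, tk)
    def rotate_gtk(self):
        """What the broadcast-key timer triggers: new GTK, one protected message per client."""
        self.gtk, self.replay = os.urandom(16), self.replay + 1
        out = {}
        for spa, (kck, kek) in self.keys.items():
            iv = os.urandom(16)
            body = self.replay.to_bytes(8, "big") + iv + _xor_wrap(kek, iv, self.gtk)
            out[spa] = (self.replay, iv, body[24:], _mic(kck, body))
        return out
```

Each call to `rotate_gtk()` changes only the shared group key; every station's pairwise `tk` stays the same, so unicast traffic and the authenticated session are untouched.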
