New Member

WPA Key Rotation Question

Hi All,

In an AP, the broadcast-key change <value> command tells the AP how often to rotate the WPA key.  My question: How do clients remain connected to the Wireless LAN when the key rotates?  If the client authenticates (via Radius in my example below), then I would think the key challenge would need to be met. However, if in 5 minutes the key rotates, for example, isn't the client going to lose connection since the challenge value is now different?  The only thing I can think of is that Radius handles this dynamically once a client is authenticated, thus avoiding any disruption.  Is this correct?

Here is my config, if interested:

aaa new-model
!
! RADIUS server group used for EAP client authentication
aaa group server radius employee-clients
 server 10.255.255.250 auth-port 1645 acct-port 1646
!
aaa authentication login console local
aaa authentication login net-admin local
aaa authentication login eap_methods group employee-clients
aaa authorization exec default local
!
aaa session-id common
!
! SSID on VLAN 20: EAP authentication with WPA key management
dot11 ssid WLAN-Local
   vlan 20
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 20 mode ciphers aes-ccm
 !
 ! rotate the broadcast (group) key every 300 seconds; configured for VLAN 1 as posted
 broadcast-key vlan 1 change 300
!
radius-server host 10.255.255.250 auth-port 1645 acct-port 1646 key <key>

1 REPLY
Cisco Employee

WPA Key Rotation Question

All dot1x clients have a unique key but share a separate broadcast key that is derived through the dot1x process. To rotate that key use this command (broadcast-key vlan # change #) on the radio interface. But the WPA cipher key which keeps on changing after some interval is to encrypt the data with different keys so that it will be difficult to be cracked/decrypted, and not for reauthentication of clients.

http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/wireless.pdf
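To illustrate the reply's point, here is an added simulation (not code from the thread or from Cisco): each client keeps its own pairwise key from its 802.1X/RADIUS authentication, while the shared broadcast key is regenerated on the configured `change` interval and pushed to every client under that client's own key, so nobody re-authenticates. The KDF and the MIC are simplifications standing in for the 802.11i PRF and EAPOL-Key protection; all client MACs and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

def kdf(key: bytes, label: bytes) -> bytes:
    """Toy KDF (HMAC-SHA256 truncated to 128 bits) standing in for the 802.11i PRF."""
    return hmac.new(key, label, hashlib.sha256).digest()[:16]

def group_key_mic(ptk: bytes, index: int, gtk: bytes) -> bytes:
    """MIC over the group-key message, keyed with the recipient's unique pairwise key."""
    return hmac.new(ptk, bytes([index]) + gtk, hashlib.sha256).digest()

class Client:
    def __init__(self, mac: bytes, pmk: bytes):
        self.mac, self.pmk, self.gtk, self.auth_count = mac, pmk, None, 0
        self.ptk = kdf(pmk, b"pairwise|" + mac)  # unique per client (its own EAP-derived PMK)

    def receive_group_key(self, msg: dict) -> bool:
        """Install the new broadcast key only if the MIC verifies under this client's PTK."""
        if not hmac.compare_digest(group_key_mic(self.ptk, msg["index"], msg["gtk"]), msg["mic"]):
            return False
        self.gtk = msg["gtk"]
        return True

class AccessPoint:
    def __init__(self, change_seconds: int):
        self.change_seconds, self.next_rotation = change_seconds, change_seconds
        self.ptks = {}                          # mac -> pairwise key agreed at association
        self.gtk, self.gtk_index = secrets.token_bytes(16), 1

    def associate(self, client: Client) -> None:
        """802.1X/RADIUS auth has succeeded; derive the pairwise key and hand over the current GTK."""
        client.auth_count += 1
        self.ptks[client.mac] = kdf(client.pmk, b"pairwise|" + client.mac)
        client.receive_group_key(self._group_key_msg(client.mac))

    def _group_key_msg(self, mac: bytes) -> dict:
        return {"index": self.gtk_index, "gtk": self.gtk,
                "mic": group_key_mic(self.ptks[mac], self.gtk_index, self.gtk)}

    def tick(self, now: int, clients: list) -> bool:
        """Rotate the GTK once the 'change' interval has elapsed and push it to each client individually."""
        if now < self.next_rotation:
            return False
        self.gtk, self.gtk_index = secrets.token_bytes(16), self.gtk_index % 2 + 1  # key index alternates 1/2
        self.next_rotation = now + self.change_seconds
        for c in clients:
            c.receive_group_key(self._group_key_msg(c.mac))
        return True

def simulate(change_seconds: int = 300, n_clients: int = 3, runtime: int = 900) -> tuple:
    """Returns (rotations performed, every client holds the current GTK, total authentications)."""
    clients = [Client(bytes([0, 1, 2, 3, 4, i]), secrets.token_bytes(32)) for i in range(n_clients)]
    ap = AccessPoint(change_seconds)
    for c in clients:
        ap.associate(c)
    rotations = sum(ap.tick(t, clients) for t in range(0, runtime + 1, 60))
    return rotations, all(c.gtk == ap.gtk for c in clients), sum(c.auth_count for c in clients)
```

With `change 300` and 900 simulated seconds, three rotations happen and the authentication count stays at one per client.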
