Cisco Support Community

Multiple clients - key changes

How do you handle multiple clients (one hundred) and changed keys when using WPA? We're trying to figure out how to implement a rotating security scheme, but not sure how to do it. How do you communicate these changes to your users? Do you push the changes somehow to the client so they don't know anything changed?

Thanks!

John

HTH, John *** Please rate all useful posts ***
  • Other Wireless - Mobility Subjects
9 REPLIES

Re: Multiple clients - key changes

As a rule it is handled by the controller on a preset schedule based on default timers.

Re: Multiple clients - key changes

So we would need to get a WLC to be able to manage this seamlessly for clients? We would never have to tell them that their password changed?

Thanks!!!

HTH, John *** Please rate all useful posts ***

Re: Multiple clients - key changes

If you use a preshared key, then the key rotates at time intervals. The initial passphrase remains the same. You would want to change it on occasion. Select a client supplicant that allows for remote management for that.

Re: Multiple clients - key changes

Doesn't that only work for WEP though? Is there a way to do it with WPA?

HTH, John *** Please rate all useful posts ***

Re: Multiple clients - key changes

WPA and WPA2 preshared key is allowed on the controllers. You can also select TKIP or AES encryption.

Re: Multiple clients - key changes

Understood, but how can I create a rotation scheme with preshared keys using WPA? Can you broadcast them like WEP keys? If so, how can I have multiple keys under an ssid? Every time I change the key, it only allows me the one under each ssid.

Thanks!

HTH, John *** Please rate all useful posts ***

Re: Multiple clients - key changes

That's really all you can do easily without a supplicant like the CSA. With a good supplicant you still only have one key but you can change it at will and push the change to the client devices.

Re: Multiple clients - key changes

So, in order to do this, I would have to switch back to WEP? All of my clients are using the standard Windows XP clients. Switching to WEP will only allow me to broadcast and iterate through different keys.

--John

HTH, John *** Please rate all useful posts ***

Re: Multiple clients - key changes

No. If you have a RADIUS server configured then you don't need to use the preshared key. You will use WPA/WPA2 with some sort of EAP. You can use Cisco's version or any of the popular versions such as EAP-TTLS. When you use WPA/WPA2 enterprise, the server verifies the authentication of the user via the 802.1x server method then periodically sends reauthentications to the device in an AES-CCMK secure method.
