How do you handle multiple clients (one hundred) and changed keys when using WPA? We're trying to figure out how to implement a rotating security scheme, but not sure how to do it. How do you communicate these changes to your users? Do you push the changes somehow to the client so they don't know anything changed?
So we would need to get a WLC to be able to manage this seamlessly for clients? We would never have to tell them that their password changed?
If you use a preshared key then the key rotates at time intervals. The initial passphrase remains the same. You would want to change it on occasion. Select a client supplicant that allows for remote management for that.
Understood, but how can I create a rotation scheme with preshared keys using WPA? Can you broadcast them like WEP keys? If so, how can I have multiple keys under an SSID? Every time I change the key, it only allows me the one under each SSID.
That's really all you can do easily without a supplicant like the CSA. With a good supplicant you still only have one key but you can change it at will and push the change to the client devices.
So, in order to do this, I would have to switch back to WEP? All of my clients are using the standard Windows XP clients. Switching to WEP will only allow me to broadcast and iterate through different keys.
No. If you have a RADIUS server configured then you don't need to use the preshared key. You will use WPA/WPA2 with some sort of EAP. You can use Cisco's version or any of the popular versions such as EAP-TTLS. When you use WPA/WPA2 enterprise the server verifies the authentication of the user via the 802.1x server method then periodically sends reauthentications to the device in an AES-CCMK secure method.