Cisco Support Community
Community Member

dot1x/PEAP and dynamic WEP-keys


We have a test with an ACS 3.2, 1100 AP and run PEAP for authentication. I have read that it is possible to deliver dynamic WEP keys from the AAA server to the client, but I am not sure how, or how to verify it.


ACS with PEAP enabled (works fine)


- XP with 350-card

- PEAP conf

- Data encr. WEP

- Key is provided for me autom.


interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption key xxxx size 40bitxxxxxtransmit-key
 encryption mode wep mandatory
 broadcast-key capability-change
 ssid testssid
  authentication open eap peap

So, the question is, perhaps stupid: is the key that's configured in the AP the only WEP key, and there is no dynamic key delivery from the ACS? Believe so... :-) How to enable the automatic key/rotating key from the ACS?

Need some help on this one, haven't found any good stuff on CCO.




Re: dot1x/PEAP and dynamic WEP-keys

You can configure "Broadcast WEP Key rotation interval" under the radio's advanced properties to enable WEP key rotation for LEAP currently. This is not supported for PEAP currently.

Community Member

Re: dot1x/PEAP and dynamic WEP-keys

As I understand it, there are two types of key rotation, broadcast and unicast. Broadcast key rotation rotates ONLY the keys that are manually entered into the AP to protect the AP's broadcast traffic. Unicast keys (as in TKIP's per-packet keying) are unique to each client.

I'm sorry I can't remember the command to actually see verification of unicast key rotation but one of the debug commands will log a message when the keys are changed. Look through some of the debug choices on the AP at the CLI. Hope some of this helps.

Community Member

Re: dot1x/PEAP and dynamic WEP-keys


Using PEAP as the EAP authentication method on WLAN, are you sure that dynamic WEP key is not currently supported???

I'm using a 3rd party EAP supplicant configured for PEAP with automatic WEP key. On my AP I've not defined a WEP key but my client is still able to be authenticated and associated...

Community Member

Re: dot1x/PEAP and dynamic WEP-keys


I haven't actually tried this but I've read about it so you'll have to try it out and let us know if it works :)

The two "encryption" commands that you have above are used to configure static WEP keys. EAP authentication also allows for dynamic WEP key management. To do this, you have to turn on a "key management" function. Cisco offers 2: CCKM and WPA. CCKM is used with Cisco's WDS. WPA is the WiFi implementation that uses TKIP for encryption. Under each the RADIUS server should create the WEP keys dynamically and pass them to the AP.

With CCKM, configure "encryption mode ciphers wep128" under the radio interface and "authentication key-management cckm" under the SSID. Other ciphers such as CKIP+CMIC are available. Configure this on top of the auth command you already have. You can remove your 2 encryption commands. The broadcast-key command will take care of rotating your broadcast WEP keys.

For WPA & TKIP it's similar. Use "encryption mode ciphers tkip" and "authentication key-management wpa".

I hope this helps.
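
An added example, not part of the thread and not code from any poster or from Cisco: a small Python check that reads a radio stanza like the one in the first post and lists which of the keying commands discussed above are present, so a static-WEP configuration can be told apart from one using the key-management commands quoted in the last reply. The function names, report fields and finding texts are assumptions of this example; the two sample configurations are constructed from the commands in the thread.

```python
import re

# Constructed input: the radio stanza from the first post, as posted (key redacted there).
WEP_CONFIG = """interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption key xxxx size 40bitxxxxxtransmit-key
 encryption mode wep mandatory
 broadcast-key capability-change
 ssid testssid
  authentication open eap peap
"""
# Constructed input: the same stanza with the WPA/TKIP commands quoted in the last reply.
WPA_CONFIG = """interface Dot11Radio0
 encryption mode ciphers tkip
 broadcast-key capability-change
 ssid testssid
  authentication open eap peap
  authentication key-management wpa
"""

def audit_radio_config(text):
    """Collect the keying-related commands present in one radio stanza."""
    report = {"static_keys": 0, "cipher_mode": None, "key_management": None,
              "eap_auth": False, "broadcast_key": False}
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"encryption key \S+ size \S+", line):
            report["static_keys"] += 1
        elif line.startswith("encryption mode "):
            report["cipher_mode"] = line[len("encryption mode "):]
        elif line.startswith("authentication key-management "):
            report["key_management"] = line.split()[2]
        elif re.match(r"authentication open eap \S+", line):
            report["eap_auth"] = True
        elif line.startswith("broadcast-key"):
            report["broadcast_key"] = True
    return report

def findings(report):
    """Turn the report into review items; the wording is this example's own."""
    out = []
    if report["static_keys"]:
        out.append("static WEP key line(s) present: %d" % report["static_keys"])
    if report["cipher_mode"] and "wep" in report["cipher_mode"]:
        out.append("WEP-based cipher mode: " + report["cipher_mode"])
    if report["eap_auth"] and report["key_management"] is None:
        out.append("EAP authentication with no 'authentication key-management' line")
    return out

if __name__ == "__main__":
    for name, cfg in (("WEP_CONFIG", WEP_CONFIG), ("WPA_CONFIG", WPA_CONFIG)):
        print(name, findings(audit_radio_config(cfg)) or "no findings")
```

The check only reports which lines are present in the text it is given; it does not query the AP or confirm what keys a client actually negotiated.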

