Cisco Support Community
Community Member

Dynamic WEP session & broadcast key


I need to clarify the dynamic WEP key rotation mechanism.

We use PEAP MSCHAPv2 authentication in WPA migration mode with ACS3.2, AP12xx, AP113x and Windows XP SP1 native Wireless client.

On the AP we have :

dot11 ssid WLAN

vlan 10

authentication open eap eap_methods authentication network-eap eap_methods

authentication key-management wpa optional


int dot0

encryption vlan 10 mode ciphers tkip wep128

broadcast-key vlan 10 change 300 capability-change

We set on ACS the 027 RADIUS parameter : 600

So AP should change session key every 600sec and the broadcast key should be changed every 300sec. According to the Cisco AP configuration guide, broadcast keys use slots 2 and 3 and session key should be in slot 1.

If I checked the log on my windows client (netsh ras set tracing * enabled) in the EAPOL.LOG file, it seems that there are only slots 1 and 2 that are used :

[3036] 08:58:13: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 1

[1436] 09:03:13: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 2

[1436] 09:08:13: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 1

[1436] 09:13:12: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 2

[1436] 09:18:12: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 1

So I am not sure that our dynamic WEP key rotation is OK.

Is there anybody that can help me ?

Thank you



Re: Dynamic WEP session & broadcast key

In eap ( say in case of LEAP ) there are two keys generated

a) Session key : It is also call unicast key . This is for unicast traffic .

When mutual authentication gets successfull , both radius server and client independently generates this key . So this key is never trasmitted over the wireless ! This key is DYNAMIC in nature . On the radius server 027 parameter which is session timeout controls this session key timeout

b) Broadcast key : once the session key is generated on client and radius server , radius server will pass this session key to AP . Now AP generates another random key call broadcast key . If you do not want AP to generate the random key define in key1 slot so ap will use that key as bkey .

CreatePlease to create content