Cisco Support Community
Community Member

New WLAN in 7.2 WLC WPA gtk-randomize State?

What does the option WPA gtk-randomize State do when configuring Layer 2 Security under a new WLAN in a WLC (Code level 7.2)?


Cisco Employee

New WLAN in 7.2 WLC WPA gtk-randomize State?

This feature provides a config option to configure the GTK randomization on the WLAN. 
By default GTK randomization is disabled on the WLAN (default behavior).
When enabled, GTK should be randomized for each client of the BSS.
When this is enabled, the client should not be able to decrypt the broadcast and multicast packets received.
This feature addresses the "Hole196" security vulnerability.

New WLAN in 7.2 WLC WPA gtk-randomize State?

Correct, for the benefit of Jacob.

Unicast traffic is encrypted with the PTK key, which is unique per user. Each user has a different key and this key changes each time you authenticate to the network.

Broadcast and Multicast traffic is encrypted with the GTK key, which is shared by each client associated to said access point.

Although hole196 is a legit security hole, you have to be a trusted user to use it, meaning you need to be on the inside of the network already. If you are already in the network, why hack 196?

Make sense?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Community Member

New WLAN in 7.2 WLC WPA gtk-randomize State?

I know this is an inside only attack but a lot of attacks already happen from the inside. Attacks are not always to gain access to a network to use it but to steal information from other trusted users.

In our environment, a University, we feel that this inside attack is very real especially when running ethical hacking courses which probably cover such attacks. Some students will try these attacks out on the most convenient network they have available, ours. So although the user must already have access to our WLAN it doesn't mean that an attack will not happen.

We have a lot of "trusted" users, about 20,000, but to be honest I don't trust any of them.

Community Member

Can anyone please explain how

Can anyone please explain how this feature works?

GTK has to be known to every STA to let them decrypt broadcast/multicast traffic. What does GTK randomize actually mean? If every client gets a randomized GTK, doesn't it break the logic of broadcast/multicast? Does it mean both types of traffic become unicast if this checkbox is enabled?
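Added example (my own, not from this thread or from Cisco's WLC code) that models the key roles described in the earlier replies and the question just asked: unicast under a per-client PTK, group traffic under a GTK that is either shared by the BSS or randomized per client. The HMAC-based toy cipher, the key sizes and the assumption that a randomized GTK means the AP delivers a per-client copy of each group frame are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes, sta_mac: str) -> bytes:
    # Constructed stand-in for the 4-way-handshake PRF: a fresh key per client.
    msg = b"PTK" + anonce + snonce + sta_mac.encode()
    return hmac.new(pmk, msg, hashlib.sha256).digest()

def protect(key: bytes, pn: int, plaintext: bytes) -> bytes:
    # Toy AEAD (stand-in for CCMP): keystream = HMAC(key, PN), MIC over PN||ct.
    assert len(plaintext) <= 32, "toy keystream is a single SHA-256 block"
    pn_b = pn.to_bytes(6, "big")
    ks = hmac.new(key, pn_b, hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    mic = hmac.new(key, pn_b + ct, hashlib.sha256).digest()[:8]
    return pn_b + ct + mic

def unprotect(key: bytes, frame: bytes):
    # Returns the payload, or None on MIC failure (wrong key: frame is dropped).
    pn_b, ct, mic = frame[:6], frame[6:-8], frame[-8:]
    if not hmac.compare_digest(mic, hmac.new(key, pn_b + ct, hashlib.sha256).digest()[:8]):
        return None
    ks = hmac.new(key, pn_b, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ct, ks))

class AccessPoint:
    def __init__(self, gtk_randomize: bool):
        self.gtk_randomize = gtk_randomize
        self.bss_gtk = secrets.token_bytes(16)   # one GTK for the whole BSS
        self.clients = {}                         # sta_mac -> {"ptk": .., "gtk": ..}

    def associate(self, sta_mac: str, pmk: bytes) -> None:
        ptk = derive_ptk(pmk, secrets.token_bytes(32), secrets.token_bytes(32), sta_mac)
        # gtk-randomize enabled: each STA gets its own GTK instead of the shared one.
        gtk = secrets.token_bytes(16) if self.gtk_randomize else self.bss_gtk
        self.clients[sta_mac] = {"ptk": ptk, "gtk": gtk}

    def send_group(self, payload: bytes) -> dict:
        # Shared GTK: one frame serves every STA. Randomized GTK (assumption): the
        # AP delivers one copy per STA, each protected under that STA's GTK.
        if not self.gtk_randomize:
            return {"*": protect(self.bss_gtk, 1, payload)}
        return {mac: protect(c["gtk"], 1, payload) for mac, c in self.clients.items()}

def readable_copies(ap: AccessPoint, frames: dict, sta_mac: str) -> list:
    # Which group-frame copies STA `sta_mac` can verify and decrypt with its own GTK.
    gtk = ap.clients[sta_mac]["gtk"]
    return sorted(k for k, f in frames.items() if unprotect(gtk, f) is not None)
```

With the shared GTK every associated STA holds the key protecting the whole BSS's group frames, which is the exposure the replies above call Hole196; with randomization a copy protected for one STA fails the MIC check under any other STA's GTK.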

