https://community.cisco.com/t5/wireless/wpa-key-rotation-question/m-p/2301991#M143570 <HTML><HEAD></HEAD><BODY><P>All dot1x clients have a unique key but share a seperate broadcast key that is derived through the dot1x process. To rotate that key use this command ( broadcast-key vlan # change #) on the radio interface. . but the WPA cypher key which keeps on changing after some interval is to encrypt the data with different differnt keys so that it wil be difficult to be cracked/decrypt and not for reauthentication of clients.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/wireless.pdf">http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/wireless.pdf</A></P></BODY></HTML> Tue, 01 Oct 2013 19:01:02 GMT Abha Jha 2013-10-01T19:01:02Z https://community.cisco.com/t5/wireless/wpa-key-rotation-question/m-p/2301990#M143569 <P>Hi All,</P><P></P><P>In an AP, the broadcast-key change &lt;value&gt; command tells the AP how often to rotate the WPA key.&nbsp; <STRONG>My question: How do clients remain connected to the Wireless LAN when the key rotates?&nbsp; If the client authenticates (via Radius in my example below), then I would think the key challenge would need to be met. However, if in 5 minutes the key rotates, for example, isn't the client going to lose connection since the challenge value is now different?</STRONG>&nbsp; The only thing I can think of is that Radius handles this dynamically once a client is authenticated, thus avoiding any disruption.&nbsp; Is this correct?</P><P></P><P></P><P></P><P>Here is my config, if interested:</P><P></P><P><EM>aaa new-model</EM></P><P><EM>!</EM></P><P><EM>!</EM></P><P><EM>aaa group server radius employee-clients</EM></P><P><EM> server 10.255.255.250 auth-port 1645 acct-port 1646</EM></P><P><EM>!</EM></P><P><EM>aaa authentication login console local</EM></P><P><EM>aaa authentication login net-admin local</EM></P><P><EM>aaa authentication login eap_methods group employee-clients</EM></P><P><EM>aaa authorization exec default local </EM></P><P><EM>!</EM></P><P><EM>aaa session-id common</EM></P><P><EM>!</EM></P><P><EM>dot11 ssid WLAN-Local</EM></P><P><EM>&nbsp;&nbsp; vlan 20</EM></P><P><EM>&nbsp;&nbsp; authentication open eap eap_methods </EM></P><P><EM>&nbsp;&nbsp; authentication network-eap eap_methods </EM></P><P><EM>&nbsp;&nbsp; authentication key-management wpa</EM></P><P><EM>!</EM></P><P><EM>!</EM></P><P><EM>interface Dot11Radio0</EM></P><P><EM> no ip address</EM></P><P><EM> no ip route-cache</EM></P><P><EM> encryption vlan 20 mode ciphers aes-ccm </EM></P><P><EM>!</EM></P><P><EM> broadcast-key vlan 1 change 300</EM></P><P><EM>!</EM></P><P><EM>radius-server host 10.255.255.250 auth-port 1645 acct-port 1646 key &lt;key&gt;</EM></P> Sun, 04 Jul 2021 07:59:05 GMT https://community.cisco.com/t5/wireless/wpa-key-rotation-question/m-p/2301990#M143569 Dean Romanelli 2021-07-04T07:59:05Z https://community.cisco.com/t5/wireless/wpa-key-rotation-question/m-p/2301991#M143570 <HTML><HEAD></HEAD><BODY><P>All dot1x clients have a unique key but share a seperate broadcast key that is derived through the dot1x process. To rotate that key use this command ( broadcast-key vlan # change #) on the radio interface. . but the WPA cypher key which keeps on changing after some interval is to encrypt the data with different differnt keys so that it wil be difficult to be cracked/decrypt and not for reauthentication of clients.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/wireless.pdf">http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/wireless.pdf</A></P></BODY></HTML> Tue, 01 Oct 2013 19:01:02 GMT https://community.cisco.com/t5/wireless/wpa-key-rotation-question/m-p/2301991#M143570 Abha Jha 2013-10-01T19:01:02Z