05-04-2006 01:09 AM - edited 07-04-2021 12:03 PM
Hello,
I need to clarify the dynamic WEP key rotation mechanism.
We use PEAP MSCHAPv2 authentication in WPA migration mode with ACS3.2, AP12xx, AP113x and Windows XP SP1 native Wireless client.
On the AP we have:
dot11 ssid WLAN
vlan 10
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa optional
[..]
int dot0
encryption vlan 10 mode ciphers tkip wep128
broadcast-key vlan 10 change 300 capability-change
On ACS we set RADIUS attribute 027 to 600.
So the AP should change the session key every 600 seconds and the broadcast key every 300 seconds. According to the Cisco AP configuration guide, broadcast keys use slots 2 and 3 and the session key should be in slot 1.
If I check the log on my Windows client (netsh ras set tracing * enabled), in the EAPOL.LOG file it seems that only slots 1 and 2 are used:
[3036] 08:58:13: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 1
[1436] 09:03:13: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 2
[1436] 09:08:13: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 1
[1436] 09:13:12: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 2
[1436] 09:18:12: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 1
So I am not sure that our dynamic WEP key rotation is OK.
Is there anybody who can help me?
Thank you
Regards
05-10-2006 09:08 AM
In EAP (say in the case of LEAP) there are two keys generated:
a) Session key: also called the unicast key. This is for unicast traffic.
When mutual authentication succeeds, both the RADIUS server and the client independently generate this key, so this key is never transmitted over the wireless! This key is DYNAMIC in nature. On the RADIUS server, parameter 027, which is the session timeout, controls this session key timeout.
b) Broadcast key: once the session key is generated on the client and the RADIUS server, the RADIUS server passes this session key to the AP. Now the AP generates another random key called the broadcast key. If you do not want the AP to generate the random key, define one in the key1 slot so the AP will use that key as the broadcast key.
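As an added check (my own example, not code from either poster or from Cisco): a small Python parser for the EAPOL.LOG excerpt in the question that tallies which KeyIndex slots the client receives and at what interval, so the observed schedule can be compared with the configured broadcast-key change of 300 seconds and the 600-second session timeout. The sample log is the excerpt from the question embedded inline; the 5-second tolerance is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the EAPOL.LOG excerpt in the question:
# one line per received packet, KeyIndex on the line that follows.
SAMPLE_LOG = """\
[3036] 08:58:13: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 1
[1436] 09:03:13: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 2
[1436] 09:08:13: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 1
[1436] 09:13:12: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 2
[1436] 09:18:12: ProcessReceivedPacket: == EAPOL_Key
KeyIndex = 1
"""

PKT_RE = re.compile(r"^\[\d+\]\s+(\d\d:\d\d:\d\d):\s+ProcessReceivedPacket: == EAPOL_Key")
IDX_RE = re.compile(r"^KeyIndex\s*=\s*(\d+)")

def parse_eapol_keys(text):
    """Return [(seconds_since_midnight, key_index), ...] for each EAPOL-Key delivery."""
    events, pending = [], None
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            h, mi, s = map(int, m.group(1).split(":"))
            pending = h * 3600 + mi * 60 + s
            continue
        m = IDX_RE.match(line)
        if m and pending is not None:
            events.append((pending, int(m.group(1))))
            pending = None
    return events

def rotation_summary(events):
    """Slots seen, plus the observed delivery interval (s) overall and per slot."""
    per_slot = defaultdict(list)
    for t, idx in events:
        per_slot[idx].append(t)
    gaps = lambda ts: [b - a for a, b in zip(ts, ts[1:])]
    return {"slots": sorted(per_slot),
            "overall_gaps": gaps([t for t, _ in events]),
            "per_slot_gaps": {i: gaps(ts) for i, ts in sorted(per_slot.items())}}

def check_schedule(summary, expected_slots, expected_gap, tolerance=5):
    """List deviations from the expected slot set and the expected delivery interval."""
    problems = ([f"slots seen {summary['slots']} != expected {sorted(expected_slots)}"]
                if set(summary["slots"]) != set(expected_slots) else [])
    problems += [f"gap {g}s outside {expected_gap}+/-{tolerance}s"
                 for g in summary["overall_gaps"] if abs(g - expected_gap) > tolerance]
    return problems
```

Run against the excerpt, the client sees a new key every 300 seconds, alternating between slots 1 and 2, so each individual slot is refreshed roughly every 600 seconds.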