Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1340
Views
0
Helpful
1
Replies

Dynamic WEP session & broadcast key

gauthrayj
Level 1
Level 1

‎05-04-2006 01:09 AM - edited ‎07-04-2021 12:03 PM

Hello,

I need to clarify the dynamic WEP key rotation mechanism.

We use PEAP MSCHAPv2 authentication in WPA migration mode with ACS3.2, AP12xx, AP113x and Windows XP SP1 native Wireless client.

On the AP we have :

dot11 ssid WLAN

vlan 10

authentication open eap eap_methods authentication network-eap eap_methods

authentication key-management wpa optional

[..]

int dot0

encryption vlan 10 mode ciphers tkip wep128

broadcast-key vlan 10 change 300 capability-change

We set on ACS the 027 RADIUS parameter : 600

So AP should change session key every 600sec and the broadcast key should be changed every 300sec. According to the Cisco AP configuration guide, broadcast keys use slots 2 and 3 and session key should be in slot 1.

If I checked the log on my windows client (netsh ras set tracing * enabled) in the EAPOL.LOG file, it seems that there are only slots 1 and 2 that are used :

[3036] 08:58:13: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 1

[1436] 09:03:13: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 2

[1436] 09:08:13: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 1

[1436] 09:13:12: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 2

[1436] 09:18:12: ProcessReceivedPacket: == EAPOL_Key

KeyIndex = 1

So I am not sure that our dynamic WEP key rotation is OK.

Is there anybody that can help me ?

Thank you

Regards

Labels:
0 Helpful
1 Reply 1

aghaznavi
Level 5
Level 5

‎05-10-2006 09:08 AM

In eap ( say in case of LEAP ) there are two keys generated

a) Session key : It is also call unicast key . This is for unicast traffic .

When mutual authentication gets successfull , both radius server and client independently generates this key . So this key is never trasmitted over the wireless ! This key is DYNAMIC in nature . On the radius server 027 parameter which is session timeout controls this session key timeout

b) Broadcast key : once the session key is generated on client and radius server , radius server will pass this session key to AP . Now AP generates another random key call broadcast key . If you do not want AP to generate the random key define in key1 slot so ap will use that key as bkey .

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card