WPA Key Rotation Question
10-01-2013 08:30 AM - edited 07-04-2021 12:59 AM
Hi All,
In an AP, the broadcast-key change <value> command tells the AP how often to rotate the WPA key. My question: How do clients remain connected to the Wireless LAN when the key rotates? If the client authenticates (via Radius in my example below), then I would think the key challenge would need to be met. However, if in 5 minutes the key rotates, for example, isn't the client going to lose connection since the challenge value is now different? The only thing I can think of is that Radius handles this dynamically once a client is authenticated, thus avoiding any disruption. Is this correct?
Here is my config, if interested:
aaa new-model
!
! RADIUS server group used for 802.1X/EAP client authentication
aaa group server radius employee-clients
server 10.255.255.250 auth-port 1645 acct-port 1646
!
aaa authentication login console local
aaa authentication login net-admin local
aaa authentication login eap_methods group employee-clients
aaa authorization exec default local
!
aaa session-id common
!
! SSID on VLAN 20: EAP (open+eap and network-eap) with WPA key management
dot11 ssid WLAN-Local
vlan 20
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
!
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 20 mode ciphers aes-ccm
!
! broadcast (group) key rotation every 300 s; note it is set for VLAN 1 here while the SSID and cipher above are on VLAN 20
broadcast-key vlan 1 change 300
!
radius-server host 10.255.255.250 auth-port 1645 acct-port 1646 key <key>
Labels: Wireless Security

10-01-2013 12:01 PM
All dot1x clients have a unique key but share a separate broadcast key that is derived through the dot1x process. To rotate that key, use this command (broadcast-key vlan # change #) on the radio interface. But the WPA cipher key which keeps on changing after some interval is to encrypt the data with different keys so that it will be difficult to be cracked/decrypted, and not for reauthentication of clients.
http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/wireless.pdf
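The reply above is the core of the answer: the rotated broadcast key is not a new challenge to the client. After EAP succeeds, RADIUS hands the AP a PMK, the 4-way handshake expands it into the per-client PTK (KCK, KEK and the unicast TK), and every later group-key update is just a new GTK sent to each client wrapped under that client's KEK and MIC'd with its KCK. The client's PTK never changes, so nothing re-authenticates. The following Python model, added here as an illustration and not taken from the thread or from Cisco's code, walks through that: the PRF-384 expansion is the one from IEEE 802.11i, the station and AP MACs, nonces and PMK are constructed sample values, and the group-key wrapping is a labelled stand-in (HMAC-SHA1 keystream plus MIC) for the AES Key Wrap (RFC 3394) that a real aes-ccm network uses, kept that way so the block runs on the standard library alone.

```python
"""Added illustration: why a WPA2/802.1X client survives broadcast-key rotation.

Real: PRF-384 and the PTK = KCK | KEK | TK layout from IEEE 802.11i.
Stand-in (labelled): GTK wrapping uses an HMAC-SHA1 keystream instead of AES Key Wrap.
All MACs, nonces and the PMK below are constructed sample values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple

PAIRWISE_LABEL = b"Pairwise key expansion"


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-X, X=384: concat HMAC-SHA1(key, label | 0x00 | data | i), truncate to 48 bytes."""
    out = b""
    for i in range(3):  # ceil(384 / 160) = 3 HMAC blocks
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, label, min(AA,SPA) | max(AA,SPA) | min(ANonce,SNonce) | max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, PAIRWISE_LABEL, data)


def split_ptk(ptk: bytes) -> Tuple[bytes, bytes, bytes]:
    """For CCMP: KCK (MIC key) = bytes 0-15, KEK (wrapping key) = 16-31, TK (unicast cipher key) = 32-47."""
    return ptk[0:16], ptk[16:32], ptk[32:48]


def _mask(kek: bytes, key_index: int) -> bytes:
    # STAND-IN for AES Key Wrap (RFC 3394): one 16-byte keystream block derived from the KEK.
    return hmac.new(kek, b"gtk-wrap" + bytes([key_index]), hashlib.sha1).digest()[:16]


def wrap_gtk(kck: bytes, kek: bytes, gtk: bytes, key_index: int) -> dict:
    """Build the group-key message: GTK hidden under the KEK, frame MIC'd with the KCK."""
    wrapped = bytes(a ^ b for a, b in zip(gtk, _mask(kek, key_index)))
    mic = hmac.new(kck, bytes([key_index]) + wrapped, hashlib.sha1).digest()[:16]
    return {"key_index": key_index, "wrapped": wrapped, "mic": mic}


def unwrap_gtk(kck: bytes, kek: bytes, msg: dict) -> bytes:
    """Client side: verify the MIC with its own KCK, then recover the GTK with its own KEK."""
    expected = hmac.new(kck, bytes([msg["key_index"]]) + msg["wrapped"], hashlib.sha1).digest()[:16]
    if not hmac.compare_digest(expected, msg["mic"]):
        raise ValueError("bad MIC: sender does not hold this client's PTK")
    return bytes(a ^ b for a, b in zip(msg["wrapped"], _mask(kek, msg["key_index"])))


@dataclass
class Station:
    mac: bytes
    ptk: bytes = b""
    gtk: bytes = b""
    gtk_index: int = 0

    @property
    def tk(self) -> bytes:
        return split_ptk(self.ptk)[2]

    def receive_group_key(self, msg: dict) -> None:
        kck, kek, _ = split_ptk(self.ptk)          # keys from the handshake already completed
        self.gtk = unwrap_gtk(kck, kek, msg)
        self.gtk_index = msg["key_index"]


@dataclass
class AccessPoint:
    mac: bytes
    gtk: bytes = field(default_factory=lambda: os.urandom(16))
    gtk_index: int = 1
    pairwise: Dict[bytes, Tuple[bytes, bytes]] = field(default_factory=dict)  # STA MAC -> (KCK, KEK)

    def four_way_handshake(self, sta: Station, pmk: bytes) -> bytes:
        """Both sides hold the RADIUS-delivered PMK; nonces travel in the clear."""
        anonce, snonce = os.urandom(32), os.urandom(32)
        ptk = derive_ptk(pmk, self.mac, sta.mac, anonce, snonce)
        kck, kek, _ = split_ptk(ptk)
        self.pairwise[sta.mac] = (kck, kek)
        sta.ptk = derive_ptk(pmk, self.mac, sta.mac, anonce, snonce)   # client computes the same PTK
        sta.receive_group_key(wrap_gtk(kck, kek, self.gtk, self.gtk_index))  # message 3 carries the GTK
        return ptk

    def rotate_group_key(self, stations) -> bytes:
        """What `broadcast-key vlan N change <secs>` triggers: new GTK pushed under each client's KEK."""
        self.gtk = os.urandom(16)
        self.gtk_index = 2 if self.gtk_index == 1 else 1   # group keys alternate index 1/2
        for sta in stations:
            kck, kek = self.pairwise[sta.mac]
            sta.receive_group_key(wrap_gtk(kck, kek, self.gtk, self.gtk_index))
        return self.gtk


def demo() -> dict:
    """Associate one client, rotate the broadcast key, report what changed and what did not."""
    ap = AccessPoint(mac=bytes.fromhex("0011223344aa"))          # constructed MACs
    sta = Station(mac=bytes.fromhex("0011223344bb"))
    pmk = hashlib.sha256(b"constructed PMK standing in for RADIUS MS-MPPE keys").digest()
    ap.four_way_handshake(sta, pmk)
    tk_before, gtk_before = sta.tk, sta.gtk
    ap.rotate_group_key([sta])
    return {"tk_unchanged": sta.tk == tk_before,
            "gtk_changed": sta.gtk != gtk_before,
            "gtk_in_sync": sta.gtk == ap.gtk}


if __name__ == "__main__":
    print(demo())
```

The `demo()` result is the practical takeaway: after a rotation the client's unicast TK is untouched, its GTK now matches the AP's new one, and the update was accepted only because it carried a MIC under the client's own KCK. A client that does not hold the PTK (one that was never authenticated, or an attacker replaying old frames) fails the MIC check in `unwrap_gtk` and never learns the new broadcast key; that check, not a fresh RADIUS exchange, is what gates the rotation.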
