Hi All,

In an AP, the broadcast-key change <value> command tells the AP how often to rotate the WPA key.  My question: How do clients remain connected to the Wireless LAN when the key rotates?  If the client authenticates (via Radius in my example below), then I would think the key challenge would need to be met. However, if in 5 minutes the key rotates, for example, isn't the client going to lose connection since the challenge value is now different?  The only thing I can think of is that Radius handles this dynamically once a client is authenticated, thus avoiding any disruption.  Is this correct?

Here is my config, if interested:

aaa new-model

!

!

aaa group server radius employee-clients

server 10.255.255.250 auth-port 1645 acct-port 1646

!

aaa authentication login console local

aaa authentication login net-admin local

aaa authentication login eap_methods group employee-clients

aaa authorization exec default local

!

aaa session-id common

!

dot11 ssid WLAN-Local

   vlan 20

   authentication open eap eap_methods

   authentication network-eap eap_methods

   authentication key-management wpa

!

!

interface Dot11Radio0

no ip address

no ip route-cache

encryption vlan 20 mode ciphers aes-ccm

!

broadcast-key vlan 1 change 300

!

radius-server host 10.255.255.250 auth-port 1645 acct-port 1646 key <key>