WPA Key Rotation Question

Dean Romanelli · ‎10-01-2013

Hi All,

In an AP, the broadcast-key change <value> command tells the AP how often to rotate the WPA key. My question: How do clients remain connected to the Wireless LAN when the key rotates? If the client authenticates (via Radius in my example below), then I would think the key challenge would need to be met. However, if in 5 minutes the key rotates, for example, isn't the client going to lose connection since the challenge value is now different? The only thing I can think of is that Radius handles this dynamically once a client is authenticated, thus avoiding any disruption. Is this correct?

Here is my config, if interested:

aaa new-model

!

aaa group server radius employee-clients

server 10.255.255.250 auth-port 1645 acct-port 1646

!

aaa authentication login console local

aaa authentication login net-admin local

aaa authentication login eap_methods group employee-clients

aaa authorization exec default local

!

aaa session-id common

!

dot11 ssid WLAN-Local

vlan 20

authentication open eap eap_methods

authentication network-eap eap_methods

authentication key-management wpa

!

interface Dot11Radio0

no ip address

no ip route-cache

encryption vlan 20 mode ciphers aes-ccm

!

broadcast-key vlan 1 change 300

!

radius-server host 10.255.255.250 auth-port 1645 acct-port 1646 key <key>

Abha Jha · ‎10-01-2013

All dot1x clients have a unique key but share a seperate broadcast key that is derived through the dot1x process. To rotate that key use this command ( broadcast-key vlan # change #) on the radio interface. . but the WPA cypher key which keeps on changing after some interval is to encrypt the data with different differnt keys so that it wil be difficult to be cracked/decrypt and not for reauthentication of clients.

http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/wireless.pdf