
WPA2 default key renewal

Patrick McHenry
Level 4

Hi,

After a device has authenticated to the wireless network using dot1X, how often are the WPA2 keys renewed by default?

Thanks, Pat.

4 Replies 4

Stephen Rodriguez
Cisco Employee

I want to say it's 3600 seconds by default. But you can force the broadcast key to rotate:

config advanced eap bcast-key-interval ?

      Enter the number of seconds between 120 and 86400

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Well this is a loaded question.

Session timeout is one function that will cause the key to get reloaded. Also, in the RADIUS server I think there is a timer there as well.

But to be clear, there are 2 keys that are independent of each other:

PTK Keys and GTK keys

PTK keys encrypt 802.11 UNICAST traffic, while the GTK keys encrypt multicast and broadcast traffic and are AP specific. Also, ALL clients on an AP share the IDENTICAL GTK key.

Also when you roam new PTK keys are created at each AP.

Or unless you are talking about the PMK. This is EAP specific and the session timeout regenerates this key.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."


Only half loaded. The WLC is supposed to ignore the WLAN session timer and use the WPA key lifetime. You can see it in a client debug.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Hi Steve!

Well, when a client connects and you do a show PMK cache, you can see the session timeout, and when it hits zero the client is deauthenticated and a new PMK is created, which then in turn generates a new PTK because of the new seeding material of the PMK.

Are you saying this isn't accurate based on your experience?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

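To make the scope of each key in the thread concrete, here is a small added model (my own illustration, not code from the thread or from Cisco) of how the PMK, PTK and GTK described above relate to clients and APs: the PTK is per client, the GTK is per AP and shared by every client on it, a roam re-derives the PTK, and a PMK refresh re-seeds the PTK. The Wlc class, its event names and the key labels are assumptions made for the illustration; the 120-86400 range is the one the CLI prompt above reports.

```python
# Added example, not from the thread: a toy model of the WPA2 key hierarchy
# as the replies describe it. Keys are labelled stand-ins, not real material.
import itertools

# Range the WLC accepts for "config advanced eap bcast-key-interval"
BCAST_KEY_INTERVAL_MIN, BCAST_KEY_INTERVAL_MAX = 120, 86400

_counter = itertools.count(1)


def bcast_key_interval_valid(seconds: int) -> bool:
    """True if the value would be accepted by the CLI range check."""
    return BCAST_KEY_INTERVAL_MIN <= seconds <= BCAST_KEY_INTERVAL_MAX


def new_key() -> str:
    """Deterministic stand-in for freshly derived key material."""
    return f"k{next(_counter)}"


class Wlc:
    """Tracks which key each client holds: PMK and PTK per client, GTK per AP."""

    def __init__(self, aps):
        self.gtk = {ap: new_key() for ap in aps}   # one GTK per AP (assumption: per-AP store)
        self.clients = {}                          # mac -> {"ap", "pmk", "ptk"}

    def associate(self, mac, ap):
        # dot1X completes -> fresh PMK; 4-way handshake -> fresh PTK; AP's GTK is delivered
        self.clients[mac] = {"ap": ap, "pmk": new_key(), "ptk": new_key()}

    def roam(self, mac, ap):
        # Per the thread: a new PTK is derived at each AP; the PMK is reused here
        c = self.clients[mac]
        c["ap"], c["ptk"] = ap, new_key()

    def pmk_lifetime_expired(self, mac):
        # Whichever timer triggers it (the thread disagrees on which one), a new PMK
        # from re-authentication seeds a new PTK for that client
        c = self.clients[mac]
        c["pmk"], c["ptk"] = new_key(), new_key()

    def rotate_gtk(self, ap):
        # bcast-key-interval fired on this AP: every client there receives the same new GTK
        self.gtk[ap] = new_key()

    def keys(self, mac):
        """Current PMK, PTK and GTK as seen by one client."""
        c = self.clients[mac]
        return {"pmk": c["pmk"], "ptk": c["ptk"], "gtk": self.gtk[c["ap"]]}
```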