Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 10 Configuring WLAN Authentication and Encryption
Configuring Encryption Modes
Enabling and Disabling Broadcast Key Rotation
Broadcast key rotation is disabled by default.
Note: Client devices using static WEP cannot use the access point when you enable broadcast key rotation. Broadcast key rotation is supported only when using key management (such as dynamic WEP (802.1x), WPA with EAP, or pre-shared key).
Beginning in privileged EXEC mode, follow these steps to enable broadcast key rotation:
Step    Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface dot11radio { 0 | 1 }
        Enter interface configuration mode for the radio interface.
        The 2.4-GHz radio and the 2.4-GHz 802.11n radio are 0.
        The 5-GHz radio and the 5-GHz 802.11n radio are 1.

Step 3  broadcast-key change seconds [ vlan vlan-id ] [ membership-termination ] [ capability-change ]
        Enable broadcast key rotation.
        Enter the number of seconds between each rotation of the broadcast key.
        (Optional) Enter a VLAN for which you want to enable broadcast key rotation.
        (Optional) If you enable WPA authenticated key management, you can enable additional circumstances under which the access point changes and distributes the WPA group key.
        - Membership termination—the access point generates and distributes a new group key when any authenticated client device disassociates from the access point. This feature protects the privacy of the group key for associated clients. However, it might generate some overhead if clients on your network roam frequently.
        - Capability change—the access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point.
        See Chapter 11, “Configuring Authentication Types,” for detailed instructions on enabling authenticated key management.

Step 4  end
        Return to privileged EXEC mode.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
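To check the result of this procedure across saved configurations, the following added example (not part of the Cisco guide) parses the broadcast-key lines under each radio interface and reports radios left at the disabled default, long rotation intervals, and entries without membership-termination, which applies only with WPA authenticated key management. The sample configuration is constructed, the 3600-second threshold is an assumed local policy value, and the parser assumes the saved configuration uses the keywords shown in Step 3, in any order.

```python
import re

# Constructed sample, not taken from the guide: VLAN IDs and intervals are invented.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 broadcast-key vlan 10 change 300 membership-termination capability-change
 broadcast-key vlan 20 change 86400
!
interface Dot11Radio1
 ssid example
!
"""

def parse_rotation(config):
    """Map each radio interface to its broadcast-key entries (empty list = rotation off)."""
    radios, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(dot11radio\s*\d+)", line, re.I)
        if m:
            current = m.group(1).replace(" ", "")
            radios[current] = []
        elif line and not line[0].isspace():
            current = None  # an unindented line ends the interface block
        elif current and line.split()[:1] == ["broadcast-key"]:
            tokens = line.split()[1:]
            entry = {"vlan": None, "seconds": None,
                     "membership_termination": "membership-termination" in tokens,
                     "capability_change": "capability-change" in tokens}
            # 'change <seconds>' and 'vlan <id>' are accepted in either order
            for key, name in (("change", "seconds"), ("vlan", "vlan")):
                if key in tokens and tokens.index(key) + 1 < len(tokens):
                    value = tokens[tokens.index(key) + 1]
                    entry[name] = int(value) if value.isdigit() else None
            radios[current].append(entry)
    return radios

def audit(config, max_seconds=3600):
    """Return findings; max_seconds is a local policy value, not one from the guide."""
    findings = []
    for radio, entries in parse_rotation(config).items():
        if not entries:
            findings.append(f"{radio}: broadcast key rotation not configured (default is disabled)")
        for e in entries:
            scope = f"vlan {e['vlan']}" if e["vlan"] is not None else "no VLAN specified"
            if e["seconds"] is None or e["seconds"] > max_seconds:
                findings.append(f"{radio} {scope}: interval {e['seconds']} s is missing or above {max_seconds} s")
            if not e["membership_termination"]:
                findings.append(f"{radio} {scope}: membership-termination not set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

A radio that still serves static WEP clients will also appear as "not configured"; per the note above, enabling rotation there cuts those clients off, so treat that finding as a prompt to check the client population first.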