Special dedication to Kyle, he is the one who raised this issue and found the solution.... :-)
So here is the deal: when you use WPA or WPA2, your wireless client gets 2 keys: one unicast key, for its own traffic to and from the AP, and one broadcast key, which is a common key for all clients in the same cell. This broadcast key is used when the AP sends broadcast messages to all clients in the cell, so it's a shared key.
You may want to rotate those keys, change them every now and then so that a wannabee hacker would not have enough packets using a specific key to even dream of running an attack against your encryption scheme.
Changing the unicast key can be done by setting the EAP session, everytime the session is renewed, so is the unicast key... but the broadcast key is not, because it is shared. On the autonomous APs, you can rotate the broadcast keys from the Security > Encryption Manager page:
You can enable rotation at regular intervals. The gotcha here is that only 802.1X clients can join a network that has this feature enabled.
When using WPA, you can also enable key rotation "on membership termination" (every time a client leaves the cell, the key is rotated for the clients still in the cell), or on "membership capability change" (everytime a client using static WEP enters or leaves the cell, the key is rotated).
Ok, but what about the controllers? How to rotate the broadcast key on the WLC? There is no checkbox, and no CLI command for that... the key is rotated every hour... what? I want this feature for my clients security!!
Kyle found this nice info:
CSCsi27596—The controller lacks a supported way to configure the broadcast key rotation interval. Instead, it is hardcoded to a group key rotation interval of 3600 seconds (1 hour).
Workaround: On the console, configure the hidden command devshell dot1xUpdateBroadcastRekeyTimer(seconds). This command does not work in an SSH or Telnet session and does not survive a reboot.
value = 0 = 0x0I dreamed of it because the example, instead of rotating the key every hour, seems to rotates it every... day (unless 8600 is the max value)! Wow, nice and a lot more secure!
I hope you don't need that for the lab, because this is pushing the system to its limit (and I hope you won't dream of it), but it is fun to know (or at least to know where to find it)...
:-)
Is there a way we can have the unicast key rotation set for the clients at regular intervals( without the full authentication occuring) rather than just the broadcast key. We have this option on the Aruba gear. I am just curious whether we can achieve the same on Cisco.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteYes and no! In fact, Cisco is just following the 802.11-2007 standard, by which the unicast key is rotated by renewing the session (this is not what the aruba gear does, it regenerates the key, not the PMK).
ReplyDeleteOn an autonomous AP, you would type:
dot1x timeout reauth-period
On a controller, you would go to WLANs > Advanced > Enable Session Timeout. You can also use the config wlan session-timeout CLI command.
You can also limit the session from the RADIUS side of course, which would work with any solution without any configuration on the AP/WLC, Cisco or other vendor (as long as AAA override is enabled)...
I doubt that Cisco will ever enable WPA unicast key rotation to be manually configured, because WPA is getting obsolete (Wi-Fi Alliance will stop certifying WPA products starting next January, WPA does not support 802.11n, so it is going out of the picture soon)...
IMHO, allowing the user/admin to configure key rotation for WPA2 is more a gadget than anything else (not sure what the practical advantage would be)... just a thought, and I am not Cisco WNBU, but I would not be surprised if most of the guys in the WNBU had the same view...
:-)
Hello
ReplyDelete"I dreamed of it because the example, instead of rotating the key every hour, seems to rotates it every... day (unless 8600 is the max value)! Wow, nice and a lot more secure! "
How can it be a lot more secure? Rotating key every day is more secure than rotating key every hour or every minute? ... :)
Has this command been deprecated? It doesn't seem to work on 7.x.
ReplyDeleteYes it is... the devshell hidden command family was deprecated on 7.x, because "it presents a security risk"... looks like someone didn't like devshell ending up on Google. :-(
ReplyDeleteFor those looking for the command, it is now (as of 7.0.220.0, possibly sooner) available as "config advanced eap bcast-key-interval <120-86400>". I don't see it listed in the command reference guides, but it shows it when you type "config advanced eap ?". The configuration can be confirmed using the "show advanced eap" command.
ReplyDeleteSo, no need for the devshell anymore for this.
@Anonymous from 2011/09/30: Daily rotation can be more secure than hourly. As an example: someone is sniffing packets from the air, in order to crack the key, they need x number of packets that include the actual handshake. If the rotation happens every hour, then so does the handshake. If it happens daily, then it will take y number of days (rather than y number of hours) for there to be enough handshakes collected to reverse the encryption of the key so that one has the unencrypted key to connect.
ReplyDeletemmm what handshake? GTK is transmitted to each client individually using individual client PTK, so there is no broadcast handshake here... plus the GTK is rotated on controllers every time a client leaves, as per 802.11i, so unless there is only one client, the GTK is going to be rotated often anyway... keeping the key longer only gives more chances to hole196 attacks IMHO...
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteHay i have a doubt!
ReplyDeleteIf i set the GTK renewal to 60 seconds in the AP, how the client in the network get to know about the updated GTK everytime. Whether an EAPOL packet is transmitted from AP to client on each renewal?
While Packet Sniffing, i was not able to capture those packets. I wish to read the specified GTK renewal packet.
Truly the best blog I never got such information before this thanks.
ReplyDeleteZero Up 2.0
https://saglamproxy.com
ReplyDeletemetin2 proxy
proxy satın al
knight online proxy
mobil proxy satın al
DF2FJ
Adana
ReplyDeleteElazığ
Kayseri
Şırnak
Antep
FKD
Erzurum
ReplyDeleteElazığ
Konya
Zonguldak
Eskişehir
OA6
çankırı
ReplyDeleteelazığ
antep
ağrı
van
DBLE8
0014D
ReplyDeleteAfyon Şehir İçi Nakliyat
Karabük Lojistik
Bitlis Şehir İçi Nakliyat
Manisa Evden Eve Nakliyat
Lbank Güvenilir mi
Diyarbakır Parça Eşya Taşıma
Artvin Şehir İçi Nakliyat
Urfa Şehir İçi Nakliyat
Karaman Lojistik
D031E
ReplyDeleteİzmir Parça Eşya Taşıma
Antalya Parça Eşya Taşıma
Tokat Şehirler Arası Nakliyat
Denizli Evden Eve Nakliyat
Siirt Şehirler Arası Nakliyat
Çerkezköy Ekspertiz
Antep Şehir İçi Nakliyat
İzmir Şehirler Arası Nakliyat
Ardahan Lojistik
FD155
ReplyDeletesustanon
buy testosterone propionat
Manisa Evden Eve Nakliyat
Sinop Evden Eve Nakliyat
buy anapolon oxymetholone
order sarms
clenbuterol for sale
Silivri Evden Eve Nakliyat
Silivri Fayans Ustası
7C7B9
ReplyDelete%20 komisyon indirimi
56174
ReplyDeletesiirt sohbet siteleri
erzurum en iyi görüntülü sohbet uygulamaları
ucretsiz sohbet
diyarbakır nanytoo sohbet
sesli görüntülü sohbet
canlı sohbet siteleri
sohbet sitesi
samsun nanytoo sohbet
hatay kızlarla canlı sohbet
BBF62
ReplyDeleterastgele canlı sohbet
canlı sohbet ücretsiz
bingöl canlı sohbet siteleri
karabük canli sohbet
kastamonu parasız görüntülü sohbet uygulamaları
Bilecik Mobil Sohbet Chat
Tunceli Canli Sohbet Bedava
antep görüntülü sohbet uygulama
aydın görüntülü sohbet kadınlarla
25CF0
ReplyDeleteMefa Coin Hangi Borsada
Periscope Takipçi Satın Al
Alyattes Coin Hangi Borsada
Kripto Para Nasıl Oynanır
Bitcoin Nasıl Oynanır
Aptos Coin Hangi Borsada
Facebook Sayfa Beğeni Satın Al
Likee App Takipçi Hilesi
Spotify Dinlenme Satın Al