Motorola WiNG 5.7.1 System Reference Manual page 490

6 - 20 WiNG 5.7.1 Access Point System Reference Guide
Frequent rotating of these keys is recommended so that a potential hacker would not have enough data using a single key
to attack the deployed encryption scheme.
Unicast Rotation Interval
Broadcast Rotation
Interval
9. Define the Fast Roaming
802.11i can speed up the roaming process from one access point to another. Instead of doing a complete 802.1x
authentication each time a client roams between access points, 802.11i allows a client to re-use previous PMK
authentication credentials and perform a four-way handshake. This speeds up the roaming process. In addition to reusing
PMKs on previously visited access points, Opportunistic Key Caching allows multiple access points to share PMKs amongst
themselves. This allows a client to roam to an access point it has not previously visited and reuse a PMK to skip 802.1x
authentication.
Pre-Authentication
Pairwise Master Key
(PMK) Caching
Opportunistic Key
Caching
10. Set the following
TKIP Countermeasure
Hold Time
Define a unicast key transmission interval from 30 - 86,400 seconds. Some clients have
issues using unicast key rotation, so ensure you know which clients are impacted before
using unicast keys. This value is disabled by default.
When enabled, the key indices used for encrypting/decrypting broadcast traffic will be
alternatively rotated based on the defined interval. Define a broadcast key transmission
interval from 30 - 86,400 seconds. Key rotation enhances the broadcast traffic security on
the WLAN. This value is disabled by default.
configuration used only with 802.1x EAP-WPA/WPA2 authentication.
NOTE: Fast Roaming is available only when the authentication is EAP or EAP-PSK and
the selected encryption is either TKIP-CCMP or WPA2-CCMP.
Selecting this option enables an associated client to carry out an 802.1x authentication
with another access point before it roams to it. This enables a roaming client to send and
receive data sooner by not having to conduct an 802.1x authentication after roaming.
With pre-authentication, a client can perform an 802.1X authentication with other
detected access points while still connected to its current access points. When a device
roams to a neighboring access points, the device is already authenticated, thus providing
faster re-association.
Pairwise Master Key (PMK) Caching is a technique for sidestepping the need to
re-establish security each time a client roams to a different switch. Using PMK caching,
clients and switches cache the results of 802.1X authentications. Therefore, access is
much faster when a client roams back to a switch to which the client is already
authenticated.
This option enables the access point to use a PMK derived with a client on one access
point, with the same client when it roams over to another access point. Upon roaming,
the client does not have to do 802.1x authentication and can start sending and receiving
data sooner.
Advanced for the WPA2-CCMP encryption scheme:
The TKIP Countermeasure Hold Time is the time a WLAN is disabled, if TKIP
countermeasures have been invoked on the WLAN. Use the drop-down menu to define a
value in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default setting
is 1 minute.