Motorola Solutions WiNG 5.2.6 Reference Manual page 282

6 - 20 WiNG 5.2.6 Access Point System Reference Guide
6. Define Key Rotation values.

Unicast messages are addressed to a single device on the network. Broadcast messages are addressed to
multiple devices. When using WPA2-CCMP, a wireless client can use 2 keys: one unicast key, for its own traffic
to and from an AP, and one broadcast key, the common key for clients in that subnet.
Motorola Solutions recommends rotating these keys so a potential hacker cannot collect enough data
encrypted with a single key to attack the deployed encryption scheme.

Unicast Rotation Interval: Define an interval for unicast key transmission in seconds (30-86,400).
Some clients have issues using unicast key rotation, so ensure you know which clients are impacted
before using unicast keys. This value is disabled by default.

Broadcast Rotation Interval: When enabled, the key indices used for encrypting/decrypting broadcast
traffic will be alternately rotated based on the defined interval. Define an interval for broadcast
key transmission in seconds (30-86,400). Key rotation enhances the broadcast traffic security on the
WLAN. This value is disabled by default.

7. Define the Fast Roaming configuration used only with 802.1x EAP-WPA/WPA2 authentication.

802.11i can speed up the roaming process from one AP to another. Instead of doing a complete 802.1x
authentication each time a client roams between APs, 802.11i allows a client to re-use previous PMK
authentication credentials and perform a four-way handshake. This speeds up the roaming process. In addition to
reusing PMKs on previously visited APs, Opportunistic Key Caching allows multiple APs to share PMKs amongst
themselves. This allows a client to roam to an AP it has not previously visited and reuse a PMK to skip 802.1x
authentication.

Pre-Authentication: Selecting the Pre-Authentication option enables an associated client to carry out
an 802.1x authentication with another access point before it roams to it. This enables the roaming
client to send and receive data sooner by not having to conduct an 802.1x authentication after roaming.
With pre-authentication, a wireless client can perform an 802.1X authentication with other detected
access points while still connected to its current access point. When a device roams to a neighboring
AP, the device is already authenticated on the access point, providing faster re-association. This
feature is enabled by default.

8. Set the following Advanced for the WPA2-CCMP encryption scheme.

TKIP Countermeasure Hold Time: The TKIP countermeasure hold-time is the time the use of the WLAN is
disabled if TKIP countermeasures have been invoked on the WLAN. Use the drop-down menu to define a
value in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default setting is 60 seconds.
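
The PMK reuse described under Fast Roaming can be modeled with the PMKID that IEEE 802.11i defines for identifying a cached PMK. The following is an added example, not code from the manual or from WiNG: the AccessPoint class, the roam() helper, the MAC addresses and the PMK are constructed for illustration, and a shared dictionary stands in for PMK sharing between APs.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    # IEEE 802.11i: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    # The identifier is bound to both the AP (AA) and the client (SPA).
    mac = hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1)
    return mac.digest()[:16]

class AccessPoint:
    """Hypothetical AP model: decides which exchange a roaming client needs."""

    def __init__(self, bssid: bytes, shared_store=None):
        self.bssid = bssid
        # Plain PMK caching: each AP keeps a private {client_mac: pmk} store.
        # Opportunistic Key Caching: all APs are handed the same store.
        self.store = shared_store if shared_store is not None else {}

    def full_8021x(self, client_mac: bytes, pmk: bytes) -> None:
        # A completed 802.1X/EAP authentication leaves a PMK to cache.
        self.store[client_mac] = pmk

    def reassociate(self, client_mac: bytes, offered_pmkid: bytes) -> str:
        pmk = self.store.get(client_mac)
        if pmk is not None:
            expected = pmkid(pmk, self.bssid, client_mac)
            if hmac.compare_digest(expected, offered_pmkid):
                return "four-way handshake"  # 802.1X is skipped
        return "full 802.1X"                 # no usable cached PMK

def roam(okc: bool) -> list:
    client = bytes.fromhex("02aabbccdd01")                    # constructed MAC
    pmk = hashlib.sha256(b"constructed sample PMK").digest()  # 32-byte sample
    shared = {} if okc else None
    ap1 = AccessPoint(bytes.fromhex("020000000a01"), shared)
    ap2 = AccessPoint(bytes.fromhex("020000000a02"), shared)
    ap1.full_8021x(client, pmk)  # initial association happens on AP1
    return [
        ap1.reassociate(client, pmkid(pmk, ap1.bssid, client)),  # visited AP
        ap2.reassociate(client, pmkid(pmk, ap2.bssid, client)),  # new AP
        ap2.reassociate(client, pmkid(pmk, ap1.bssid, client)),  # wrong BSSID
    ]

if __name__ == "__main__":
    print("PMK caching only:", roam(okc=False))
    print("With OKC:        ", roam(okc=True))
```

Because the PMKID includes the AP's address, a PMKID computed for one AP is not accepted by another even when the PMK itself is shared, which is why the client recomputes it for each roam target.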