802.1X Rapid Rekeying – Enterasys Networks 802.11 User Manual

Security

802.1X Rapid Rekeying

Rapid Rekeying, also known as Key Tumbling, provides automatic IEEE 802.11 WEP
encryption key generation and frequent redistribution of WEP keys.

The following information applies to using Rapid Rekeying:

Rapid Rekeying requires the use of 802.1X authentication. Unauthenticated clients and
MAC address authentication clients cannot receive updated WEP keys and will
soon lose connectivity to the LAN.

Rapid Rekeying automatically disables user-specified WEP encryption keys.

Rapid Rekeying requires the use of an EAP login method that generates session keys,
and the use of a RADIUS server that will distribute those keys to the AP. The AP uses
the session keys to encrypt the WEP key distribution messages. Clients without session
keys do not get new WEP keys.

EAP-TLS authentication using X.509 certificates on the clients will work with Rapid
Rekeying.

EAP-MD5 password authentication will not work with Rapid Rekeying. EAP-MD5
does not negotiate session keys.

Token-based authentication will work with Rapid Rekeying if it uses a TLS-based
method, such as TTLS or PEAP. The requirement is that TLS session keys are
negotiated and retained by the client and the AP.

The following describes how the AP introduces new key pairs.

1. The AP and clients are using the existing keys at the beginning of the Rapid Rekeying
   encryption cycle.

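        |            AP            |          |          Client          |
Key #   | Encryption     | TX/RX   | State    | TX/RX   | Encryption     |
--------+----------------+---------+----------+---------+----------------+
Key1    | aaaaaaaaaaaaaa | RX      | Active   | TX      | aaaaaaaaaaaaaa |
Key2    | bbbbbbbbbbbbb  | TX      | Active   | RX      | bbbbbbbbbbbbb  |
Key3    | xxxxxxxxxxxxx  |         | Inactive |         | xxxxxxxxxxxxx  |
Key4    | xxxxxxxxxxxxx  |         | Inactive |         | xxxxxxxxxxxxx  |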
