Monday 7 February 2011

broadcast-key

All dot1x clients have a unique key but share a separate broadcast key that is derived through the dot1x process. To rotate that key, use this command on the radio interface.

Use the broadcast-key configuration interface command to configure the time interval between rotations of the broadcast encryption key used for clients. Use the no form of the command to disable broadcast key rotation.
[no] broadcast-key [vlan vlan-id] [change secs] [membership-termination] [capability-change]

Note: Client devices using static WEP cannot use the access point when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such as LEAP, EAP-TLS, or PEAP) can use the access point.

Note: This command is not supported on bridges.

Syntax Description

vlan vlan-id
(Optional) Specifies the virtual LAN identification value
change secs
(Optional) Specifies the amount of time (in seconds) between the rotation of the broadcast encryption key
membership-termination
(Optional) If WPA authenticated key management is enabled, this option specifies that the access point generates and distributes a new group key when any authenticated client device disassociates from the access point. If clients roam frequently among access points, enabling this feature might generate significant overhead.
capability-change
(Optional) If WPA authenticated key management is enabled, this option specifies that the access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point.

Defaults

This command has no defaults.

Command Modes

Configuration interface

Command History

Release      Modification
12.2(4)JA    This command was introduced.

Examples

This example shows how to configure VLAN 10 to support broadcast key encryption with a 5-minute key rotation interval:
AP(config-if)# broadcast-key vlan 10 change 300
This example shows how to disable broadcast key rotation:
AP(config-if)# no broadcast-key
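
An added example, not part of the original post or Cisco's documentation: a small audit that parses a saved access point configuration using the syntax shown above and reports radio interfaces with no rotation, disabled rotation, or an overly long interval. The Dot11Radio interface naming, the 3600-second ceiling and the sample configuration are assumptions made for the example.

```python
import re

# Syntax on this page: [no] broadcast-key [vlan vlan-id] [change secs] [membership-termination] [capability-change]
BK_RE = re.compile(
    r"^(?P<no>no\s+)?broadcast-key"
    r"(?:\s+vlan\s+(?P<vlan>\d+))?"
    r"(?:\s+change\s+(?P<secs>\d+))?"
    r"(?:\s+membership-termination)?"
    r"(?:\s+capability-change)?$"
)

def audit(config, max_secs=3600):  # 3600 s: assumed policy ceiling, not a Cisco default
    """Map each Dot11Radio interface to its findings (empty list = OK)."""
    report, seen, iface = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            name = line.split(None, 1)[1]
            iface = name if name.startswith("Dot11Radio") else None
            if iface:
                report[iface] = []
            continue
        if raw and not raw[0].isspace():
            iface = None  # "!" or any top-level command ends the section
        if iface is None or "broadcast-key" not in line:
            continue
        seen.add(iface)
        m = BK_RE.match(line)
        scope = f"vlan {m['vlan']}" if m and m["vlan"] else "no vlan"
        if m is None:
            report[iface].append(f"unparsed: {line}")
        elif m["no"]:
            report[iface].append("rotation disabled (no broadcast-key)")
        elif m["secs"] is None:
            report[iface].append(f"{scope}: no timed rotation (change not set)")
        elif int(m["secs"]) > max_secs:
            report[iface].append(f"{scope}: interval {m['secs']}s exceeds {max_secs}s")
    for name in report.keys() - seen:
        report[name].append("no broadcast-key configured")
    return report

# Constructed sample config, not taken from a real device.
SAMPLE = """\
interface Dot11Radio0
 broadcast-key vlan 10 change 300
 broadcast-key vlan 20 change 86400 membership-termination
interface Dot11Radio1
 no shutdown
"""
```

Calling audit(SAMPLE) flags the 86400-second interval on VLAN 20 and the radio with no broadcast-key line, while the 300-second VLAN 10 entry from the example above passes.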
