(1) Let's say I have 2 clients associated with 1 AP: client1 in mixed mode (TKIP & CCMP) and client2 CCMP-enabled. For this scenario client1 and client2 will both share the group cipher key as TKIP. Let's say I enable key rotation for unicast and broadcast traffic on the AP in the WLAN. My question is: how will I verify key rotation over the wireless? Because after encryption all traffic (4-way handshake) will go encrypted over wireless.
(2) Second question: if the AP is unable to push the GTK to client1, then how will the AP push the GTK again to client1? Will the PTK also be re-installed again? If yes, then why?
(3) How will the AP understand that the GTK is not installed properly on the client?
(4) How will things work when client1 wants to send multicast/broadcast traffic?
Any expert advice please.
I recommend the following whitepaper (end of page 6 and beginning of page 7): http://www.cwnp.com/uploads/802-11i_key_management.pdf
(1) You should watch for 2-way or 4-way handshakes in the air to verify re-keying.
(2) It's not a typical "pushing" of the GTK; it's a full handshake. This handshake will not be successful when the supplicant doesn't answer.
(3) The handshake wasn't successful.
you should watch for 2-way or 4-way handshakes in the air to verify re-keying.
>> I tried to check for 2-way or 4-way handshakes in the air, but the frames are going encrypted. I think this is true because EAPOL-Key frames are data frames and will go encrypted over the air (we cannot see the 2-way and 4-way handshakes in the air). Via syslog/debug on the AP/controller I can see that key rotation is working fine, but I am unable to verify it from OmniPeek.
Please correct me if I am wrong. Thx
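An added example, not part of the thread: a Python sketch that classifies EAPOL-Key frames by their Key Information bits and pairs group key handshake messages by replay counter, so a rekey the supplicant never answered stands out. It assumes RSN (WPA2) framing and EAPOL payloads that are readable in the capture (already decrypted by the analyzer); the function names and sample frames are constructed for illustration.

```python
import struct

PAIRWISE, KEY_ACK, KEY_MIC, SECURE = 0x0008, 0x0080, 0x0100, 0x0200  # Key Information bits

def parse_eapol_key(frame: bytes):
    """Return (message label, replay counter), or None if not an EAPOL-Key frame."""
    if len(frame) < 17:
        return None
    # EAPOL header (version, type, length) + descriptor type, key info, key length, replay counter
    _ver, ptype, _len, _desc, info, _klen, replay = struct.unpack_from("!BBHBHHQ", frame)
    if ptype != 3:  # EAPOL packet type 3 = EAPOL-Key
        return None
    ack, mic = bool(info & KEY_ACK), bool(info & KEY_MIC)
    if info & PAIRWISE:
        if ack:  # sent by the authenticator (AP)
            label = "4-way M3" if mic else "4-way M1"
        else:    # sent by the supplicant; RSN sets Secure in M4 but not in M2
            label = "4-way M4" if info & SECURE else "4-way M2"
    else:
        label = "group M1" if ack else "group M2"
    return label, replay

def group_rekeys(frames):
    """Map replay counter -> 'completed' or 'unanswered' for each group key handshake."""
    status = {}
    for f in frames:
        parsed = parse_eapol_key(f)
        if parsed is None:
            continue
        label, replay = parsed
        if label == "group M1":
            status.setdefault(replay, "unanswered")
        elif label == "group M2" and replay in status:
            status[replay] = "completed"  # supplicant echoed the AP's replay counter
    return status

def build(info, replay):
    """Constructed sample frame: zeroed nonce/IV/RSC/reserved/MIC and no key data."""
    body = struct.pack("!BHHQ", 2, info, 16, replay) + bytes(32 + 16 + 8 + 8 + 16) + b"\x00\x00"
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed capture: initial 4-way handshake, one unanswered group rekey, one completed
SAMPLE = [build(0x008A, 1), build(0x010A, 1), build(0x13CA, 2), build(0x030A, 2),
          build(0x1382, 3), build(0x1382, 4), build(0x0302, 4)]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(parse_eapol_key(frame))
    print(group_rekeys(SAMPLE))
```
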