
Configuring the ptk lifetime, Configuring the gtk rekey method, Configuring gtk rekey based on time – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


| Step | Command | Remarks |
|---|---|---|
| 3. Enable the authentication method. | authentication-method { open-system \| shared-key } | Optional. Open system authentication method is used by default. Shared key authentication is usable only when WEP encryption is adopted. In this case, you must configure the authentication-method shared-key command. For RSN and WPA, open system authentication is required. |

Configuring the PTK lifetime

A pairwise transient key (PTK) is generated through a four-way handshake, which uses the pairwise master key (PMK), an AP random value (ANonce), a site random value (SNonce), the AP's MAC address, and the client's MAC address.

To configure the PTK lifetime:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter WLAN service template view. | wlan service-template service-template-number crypto | N/A |
| 3. Configure the PTK lifetime. | ptk-lifetime time | Optional. By default, the PTK lifetime is 43200 seconds. |
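
The PTK derivation described above, as an added example that is not part of the H3C manual: it applies the IEEE 802.11i PRF (HMAC-SHA1) with the CCMP key layout and shows that a second four-way handshake with fresh nonces yields different keys from the same PMK, which is the effect of refreshing the PTK. The function names and all sample values are constructed for illustration; SHA-256-based AKM suites use a different key derivation function.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"  # label defined by IEEE 802.11i


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk, anonce, snonce, ap_mac, client_mac):
    """Return the CCMP PTK (48 bytes) split into KCK, KEK and TK."""
    if len(pmk) != 32 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("PMK and nonces must be 32 bytes each")
    if len(ap_mac) != 6 or len(client_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes each")
    # Both sides sort the addresses and nonces so they build identical input.
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, LABEL, data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed sample values (not from the manual or any real network).
PMK = hashlib.sha256(b"constructed-pmk").digest()
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE_1 = hashlib.sha256(b"anonce-1").digest()
SNONCE_1 = hashlib.sha256(b"snonce-1").digest()
ANONCE_2 = hashlib.sha256(b"anonce-2").digest()
SNONCE_2 = hashlib.sha256(b"snonce-2").digest()


def rekey_demo():
    """Two handshakes under one PMK: fresh nonces give different PTKs."""
    first = derive_ptk(PMK, ANONCE_1, SNONCE_1, AP_MAC, CLIENT_MAC)
    second = derive_ptk(PMK, ANONCE_2, SNONCE_2, AP_MAC, CLIENT_MAC)
    return first, second


if __name__ == "__main__":
    for n, ptk in enumerate(rekey_demo(), 1):
        print(f"handshake {n}: TK = {ptk['TK'].hex()}")
```
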

Configuring the GTK rekey method

An AC generates a group temporal key (GTK) and sends the GTK to a client during the authentication process between an AP and the client, through either the group key handshake or the 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets. Robust Security Network (RSN) negotiates the GTK through the 4-way handshake or the group key handshake, and Wi-Fi Protected Access (WPA) negotiates the GTK only through the group key handshake.

Two GTK rekey methods can be configured:

Time-based GTK rekey: After the specified interval elapses, GTK rekey occurs.

Packet-based GTK rekey: After the specified number of packets is sent, GTK rekey occurs.

You can also configure the device to start GTK rekey when a client goes offline.

Configuring GTK rekey based on time

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |