Enterprise Wireless Encryption
Broadcast key rotation (BKR)

The Broadcast Key Rotation (BKR) feature, described in Figure , is also a TKIP enhancement. BKR protects the access point's multicast traffic from being exploited by dynamically changing the multicast encryption key. The access point generates broadcast WEP keys using a seeded pseudorandom number generator (PRNG) and rotates the broadcast key each time the configured broadcast WEP key timer expires. This process should generally be in sync with the timeouts configured on the RADIUS servers for user re-authentication.

Broadcast key rotation is an excellent alternative to WEP key hashing when the WLAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices. It is recommended that broadcast key rotation be enabled when the access point services an 802.1x exclusive wireless LAN. It is not necessary to enable broadcast key rotation if WEP key hashing is enabled; using both key rotation and key hashing provides unnecessary protection.

When broadcast key rotation is enabled, only wireless client devices using LEAP or EAP-TLS authentication can use the access point. Client devices using static WEP with open, shared key, or EAP-MD5 authentication cannot use the access point when broadcast key rotation is enabled.
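The rotation cycle and the client restriction described above can be modelled in a few lines of Python; this is an added example, not Cisco code or part of the original page. It assumes each new broadcast key is delivered wrapped under a per-client session key from the EAP exchange, and the names `AccessPoint`, `Client`, `wrap` and `tick` are hypothetical, with an HMAC-based XOR pad standing in for the real key message.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEYED_AUTH = {"LEAP", "EAP-TLS"}  # per the page, the only types usable with BKR

def wrap(session_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with an HMAC-derived pad: constructed stand-in for the real key message.
    pad = hmac.new(session_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

@dataclass
class Client:
    name: str
    auth: str
    session_key: bytes = b""    # set only by a key-deriving EAP exchange
    broadcast_key: bytes = b""  # stays empty if the AP never delivers one

    def receive(self, nonce: bytes, wrapped: bytes) -> None:
        self.broadcast_key = wrap(self.session_key, nonce, wrapped)

class AccessPoint:
    def __init__(self, timer_secs: int, key_len: int = 13):  # 13 bytes = 104-bit WEP
        self.timer_secs, self.key_len = timer_secs, key_len
        self.clients = []
        self.broadcast_key = secrets.token_bytes(key_len)  # stand-in for the AP's PRNG
        self.expires_at = timer_secs

    def associate(self, client: Client) -> bool:
        if client.auth not in KEYED_AUTH:
            return False  # static WEP or EAP-MD5: no session key to wrap under
        client.session_key = secrets.token_bytes(16)  # assumed output of the EAP exchange
        self.clients.append(client)
        self._deliver(client)
        return True

    def _deliver(self, client: Client) -> None:
        nonce = secrets.token_bytes(16)
        client.receive(nonce, wrap(client.session_key, nonce, self.broadcast_key))

    def tick(self, now: int) -> bool:
        # Rotate when the broadcast key timer has expired; True means a new key went out.
        if now < self.expires_at:
            return False
        self.broadcast_key = secrets.token_bytes(self.key_len)
        self.expires_at = now + self.timer_secs
        for client in self.clients:
            self._deliver(client)
        return True
```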