The Broadcast Key Rotation (BKR) feature, described in Figure , is also a TKIP enhancement. BKR protects the access point's multicast traffic from being exploited by dynamically changing the multicast encryption key. The access point generates broadcast WEP keys with a seeded pseudorandom number generator (PRNG) and rotates the broadcast key each time a configured broadcast WEP key timer expires. This timer should generally be kept in sync with the user re-authentication timeouts configured on the RADIUS servers. Broadcast key rotation is an excellent alternative to WEP key hashing, particularly when the WLAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest Cisco client firmware. It is recommended that broadcast key rotation be enabled when the access point serves an 802.1x-only wireless LAN. It is not necessary to enable broadcast key rotation if WEP key hashing is already enabled; using both key rotation and key hashing provides redundant protection. When broadcast key rotation is enabled, only wireless client devices using LEAP or EAP-TLS authentication can use the access point. Client devices using static WEP with open, shared key, or EAP-MD5 authentication cannot use the access point when broadcast key rotation is enabled.
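The following simulation, added here and not Cisco's code, models the behaviour just described: the access point rotates its broadcast key once the timer expires and delivers the new key only to clients whose EAP method (LEAP or EAP-TLS) supports dynamic keys, so a static-WEP client loses broadcast traffic after the first rotation. The SHA-256 keystream and os.urandom are stand-ins for the AP's RC4 cipher and seeded PRNG; all names and the 13-byte key length are assumptions for the example.

```python
import os
import hashlib

KEY_BYTES = 13                             # 104-bit WEP key (assumption)
DYNAMIC_KEY_AUTH = {"LEAP", "EAP-TLS"}     # methods that can receive rotated keys


def keystream(key, iv, length):
    # Stand-in keystream (SHA-256 over key||iv||counter); the real AP uses RC4.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


class AccessPoint:
    def __init__(self, rotation_interval_s, initial_key):
        self.rotation_interval_s = rotation_interval_s
        self.broadcast_key = initial_key   # statically configured starting key
        self.last_rotation = 0
        self.rotations = 0
        self.clients = {}                  # name -> {"auth": ..., "key": ...}

    def associate(self, name, auth, static_key=None):
        # 802.1X clients are pushed the current broadcast key; static-WEP
        # clients only ever hold the key they were provisioned with.
        key = self.broadcast_key if auth in DYNAMIC_KEY_AUTH else static_key
        self.clients[name] = {"auth": auth, "key": key}

    def tick(self, now):
        # Rotate once the broadcast WEP key timer has expired, then deliver the
        # new key only to LEAP/EAP-TLS clients. Returns the rotation count.
        if now - self.last_rotation >= self.rotation_interval_s:
            self.broadcast_key = os.urandom(KEY_BYTES)   # CSPRNG stands in for the seeded PRNG
            self.last_rotation, self.rotations = now, self.rotations + 1
            for c in self.clients.values():
                if c["auth"] in DYNAMIC_KEY_AUTH:
                    c["key"] = self.broadcast_key
        return self.rotations

    def broadcast(self, plaintext):
        iv = os.urandom(3)                 # 24-bit WEP IV
        return iv, xor(plaintext, keystream(self.broadcast_key, iv, len(plaintext)))

    def client_receives(self, name, frame):
        # A client decrypts with whatever broadcast key it currently holds.
        iv, ct = frame
        return xor(ct, keystream(self.clients[name]["key"], iv, len(ct)))
```

Before the timer expires both clients decrypt the constructed broadcast frame; after the first rotation only the EAP-TLS client does.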