Skip to main content
Cisco Meraki Documentation

Event Log Shows Wireless Client Authenticating Every Hour

When using WPA, the keys used to encrypt and authenticate unicast traffic between a wireless client and AP change automatically. This is called rekeying. The rekey interval is 3600 seconds. If your SSID is configured to use WPA2-Enterprise with 802.1X authentication, you will see rekeying events for connected wireless clients appearing in the Meraki Event log every hour. This is normal behavior. Notice the timestamps on the logs below.

WPA2-Enterprise with 802.1X authentication

Dec 17 11:56:21 MYCOMPUTER 802.1X authentication AP1 Meraki identity 'DOMAIN\username'
Dec 17 11:56:21 MYCOMPUTER 802.1X EAP success AP1 Meraki identity 'DOMAIN\username'  
Dec 17 10:56:18 MYCOMPUTER 802.1X authentication AP1 Meraki identity 'DOMAIN\username' 
Dec 17 10:56:18 MYCOMPUTER 802.1X EAP success AP1 Meraki identity 'DOMAIN\username'

  

When WPA2-Enterprise with 802.1X authentication is used, the Pairwise Master Key (PMK) is derived from the 802.1X process. The PMK is computed by the RADIUS server and returned to the AP. The PMK is used to create temporal keys used for actual frame authentication and encryption. Therefore the wireless client must perform 802.1x authentication at the rekeying interval to derive new temporal keys, unless there is an over-ride setting of session-timeout at the RADIUS server. If there is such a session-timeout, Meraki APs will honor that setting.

When WPA2-PSK (shared network key) is used, the Pairwise Master Key (PMK) is configured as a shared secret on the wireless client and AP. The PMK is used to create temporal keys used for actual frame authentication and encryption. Therefore, WPA rekeying will occur between the wireless client and AP every hour to derive new temporal keys. 

Note: Meraki does not report rekeying events in the Meraki Event Log when WPA2-PSK (shared network key) is used. 

 

  • Was this article helpful?