Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Unicast and multicast keys are updated after each 802.1X (re)authentication. It is a best practice to configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least 15 minutes. Make sure these intervals are mutually prime, and the factor of the unicast key rotation interval and the multicast key rotation interval is less than the reauthentication interval.
Note: Unicast key rotation depends upon the AP/controller and wireless client behavior. It is known that some wireless NICs have issues with unicast key rotation.
The following parameters are examples of those you can configure for reauthentication with unicast and multicast key rotation:
Reauthentication Time Interval: 6011 Seconds
Multicast Key Rotation: Enabled
Multicast Key Rotation Time Interval: 1867 Seconds
Unicast Key Rotation: Enabled
Unicast Key Rotation Time Interval: 1021 Seconds
Finally, based on the Aruba design suggestions, the multicast and unicast key rotation intervals should be equal to or more than 15 minutes. If these rotation intervals are set to less than the specified time interval, for example, to 30 seconds, then more key exchange traffic than data traffic will be sent in the WLAN. This additional traffic will have a great impact on client performance, eventually generating many errors if any key exchange packets are missed. These errors appear as MIC errors in the error logs or security logs.
In general security terms, not considering the proprietary mechanism, it is recommended to keep the unicast or multicast key rotation interval to more than 15 minutes to avoid congesting the WLAN medium or even the wired medium.
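The following Python check is an added example, not Aruba code. It tests a planned set of intervals against two of the rules above, the 15-minute minimum and mutual primality, and reports when two timers would next fire in the same second. The function names, the `ROUND` and `TOO_SHORT` sample values, and the assumption that all timers start at the same instant are illustrative.

```python
from itertools import combinations
from math import gcd

MIN_INTERVAL_S = 15 * 60  # the article's 15-minute floor, in seconds


def check_intervals(intervals):
    """Return a list of rule violations for a {name: seconds} mapping."""
    problems = []
    # Rule 1: every interval is at least 15 minutes.
    for name, secs in intervals.items():
        if secs < MIN_INTERVAL_S:
            problems.append(f"{name}: {secs}s is below the {MIN_INTERVAL_S}s minimum")
    # Rule 2: intervals are mutually prime (every pair has gcd 1).
    for (n1, s1), (n2, s2) in combinations(intervals.items(), 2):
        g = gcd(s1, s2)
        if g != 1:
            problems.append(f"{n1}/{n2}: {s1}s and {s2}s share the factor {g}")
    return problems


def first_coincidence(a, b):
    """Seconds until two timers started together fire in the same second (their LCM)."""
    return a * b // gcd(a, b)


# Values from the article's example.
ARTICLE = {"reauth": 6011, "multicast": 1867, "unicast": 1021}
# Constructed counter-examples: round numbers, and a 30-second rotation.
ROUND = {"reauth": 3600, "multicast": 1800, "unicast": 900}
TOO_SHORT = {"multicast": 31, "unicast": 30}

if __name__ == "__main__":
    for label, cfg in (("article", ARTICLE), ("round", ROUND), ("short", TOO_SHORT)):
        issues = check_intervals(cfg)
        print(label, "OK" if not issues else issues)
        overlap = first_coincidence(cfg["multicast"], cfg["unicast"])
        print(f"  multicast and unicast rotations coincide every {overlap}s")
```

With the article's values the two key rotations coincide only once every 1,906,207 seconds (about 22 days), while the round-number set makes every multicast rotation land on a unicast rotation.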