What are the ideal time intervals for unicast and multicast key rotations and why?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.


Unicast and multicast keys are updated after each 802.1X (re)authentication. It is a best practice to configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least 15 minutes. Make sure these intervals are mutually prime, and the factor of the unicast key rotation interval and the multicast key rotation interval is less than the reauthentication interval.


Note: Unicast key rotation depends upon the AP/controller and wireless client behavior. It is known that some wireless NICs have issues with unicast key rotation.


The following parameters are examples of those you can configure for reauthentication with unicast and multicast key rotation:


Reauthentication: Enabled
Reauthentication Time Interval: 6011 Seconds
Multicast Key Rotation: Enabled
Multicast Key Rotation Time Interval: 1867 Seconds
Unicast Key Rotation: Enabled
Unicast Key Rotation Time Interval: 1021 Seconds
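
The interval rules above can be checked mechanically. The following Python is an added example, not Aruba code or part of the original article: it tests a set of intervals against the 15-minute floor and the mutually-prime rule, and computes how often two timers expire at the same moment, assuming both start together. The names check_intervals and first_coincidence and the ROUND configuration are constructed for illustration.

```python
from itertools import combinations
from math import gcd

MIN_INTERVAL_S = 15 * 60  # the article's 15-minute floor, in seconds


def check_intervals(intervals):
    """Return a list of problems for a {timer name: seconds} mapping."""
    problems = []
    # Rule 1: every interval is at least 15 minutes.
    for name, seconds in intervals.items():
        if seconds < MIN_INTERVAL_S:
            problems.append(f"{name}: {seconds}s is below {MIN_INTERVAL_S}s")
    # Rule 2: every pair of intervals is mutually prime (gcd == 1).
    for (a, x), (b, y) in combinations(intervals.items(), 2):
        common = gcd(x, y)
        if common != 1:
            problems.append(f"{a}/{b}: share factor {common}, not mutually prime")
    return problems


def first_coincidence(x, y):
    """Seconds until two timers that started together expire together (lcm).

    Assumption: both timers start at the same instant and never drift.
    """
    return x * y // gcd(x, y)


# Values from the article's example parameters.
ARTICLE = {"reauth": 6011, "multicast": 1867, "unicast": 1021}
# Constructed counter-example: round numbers and a 30-second unicast timer.
ROUND = {"reauth": 3600, "multicast": 1800, "unicast": 30}

if __name__ == "__main__":
    for label, cfg in (("article", ARTICLE), ("round", ROUND)):
        print(label, check_intervals(cfg) or "OK")
        print("  unicast and multicast rotations coincide every",
              first_coincidence(cfg["unicast"], cfg["multicast"]), "s")
```

With the article's values the unicast and multicast rotations line up only once every 1,906,207 seconds (about 22 days); with the round values every multicast rotation lands on a unicast rotation.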


Finally, based on the Aruba design suggestions, the multicast and unicast key rotation intervals should be equal to or more than 15 minutes. If these rotation intervals are set to less than that, for example to 30 seconds, the WLAN will carry more key exchange traffic than data traffic. This additional traffic has a great impact on client performance and eventually generates many errors if any key exchange packets are missed. These errors are the MIC errors found in the error logs or security logs.


In general security terms, setting aside the proprietary mechanism, it is recommended to keep the unicast or multicast key rotation interval at more than 15 minutes to avoid congesting the WLAN medium or even the wired medium.

Version history
Revision #: 1 of 1
Last update: 07-09-2014 02:05 PM