Rotating PSKs
SUMMARY Rotating PSKs is a best practice to reduce network exposure in the event that a key is compromised. Use this information to understand the benefits of PSK rotation and the steps involved to rotate keys.
PSK rotation is the practice of replacing old encryption keys with new ones, typically on a scheduled basis. Regular PSK rotation reduces the amount of time the network is exposed in the event a key is compromised. We recommend PSK rotation, especially for IoT devices, and if you assign keys on a per-device basis.
Certain aspects and features of PSK require an Access Assurance subscription. See Additional Options with Access Assurance for details.
When creating or updating a PSK, you can set an expiration date for the key, or a duration during which time the key is valid. Likewise, you can schedule automatic PSK rotation for both users and devices. When a key rotation occurs, only the key itself will change. There is no disruption to the existing connection for IoT devices, and any VLANs, roles, and so on that are associated with the PSK will remain the same.
You can enable e-mail notifications for users when a PSK is created or updated. You can enable this option at the organization level (Organization > Pre-Shared Keys) or site level (Site > Pre-Shared Keys). You can also configure e-mail reminders to notify users about upcoming organization-level PSK expiry. Note that you can set the reminders only from the Organization > Pre-Shared Keys page or Organization > Client Onboarding page.
For wireless users, where you may want nominal participation, you can schedule PSK rotation and handle it through email. Users are automatically sent the new passphrase and expiration date for the SSID, as well as a QR code so they can conveniently make the update and reconnect using the new PSK.
Manually Rotate A PSK
In the following procedure we will manually rotate a PSK by duplicating the old key (which includes all the existing properties and associations), switching the users over to the duplicate, and then getting rid of the original so it can no longer be used. The rotation is transparent to users.
To manually rotate a PSK:
-
From the Mist portal, select Organization > Wireless > Pre-Shared Keys and select the Key Name for the PSK that you want to rotate.
Click the More button that appears at the top of the page (it appears when you select the key name and choose Duplicate).
In the Duplicate Pre-Shared Keys page that opens, select Modify Original Keys and then Add Suffix.
In the Add Suffix field, type -old.
Under the New Key Options, select Create New Passphrases and set how many characters you want the passphrase to be.
Click Duplicate to create a copy of the key.
Back in the Pre-Shared Keys page, you'll see the new and old keys. Both are active, and you can click either one to see the number of clients (current to the previous hour).
Now you can reconfigure your clients with a new passphrase. Once there are no more active clients on the old PSK (that is, all of the clients have been moved to the new PSK), you can remove the old key manually or let it expire.