Ask HN: WPA2 Shared Secret Rotation: How to Avoid Downtime?
2 comments
While your approach to rotating the WPA2 shared secret (SSID passphrase) is efficient, it does have the drawbacks you mentioned. Fortunately, there are incident management tools to minimize the cost and downtime for your organization. We use Squadcast, and we've experienced a reduced client update burden. We're maintaining the existing SSID, and automation is also possible for runbooks.
Unfortunately, there isn't a way for access points to tell clients 'use this SSID and secret from now on, goodbye'.
I guess you need to have a list of people that are the only ones allowed access, then tell them. Maybe include a paper with the new SSID and secret and maybe a QR code.
I guess you need to have a list of people that are the only ones allowed access, then tell them. Maybe include a paper with the new SSID and secret and maybe a QR code.
Here's how I do it:
1. Start with existing SSID `wireless-net`
2. Add new virtual SSID `wireless-net-A` with new shared secret.
3. one by one update each client to the new SSID + shared secret
4. once empty, disable `wireless-net`
The two big downsides are : (1) updating clients 1-by-1 and (2) losing SSID name . Also, some routers do not support virtual SSID
Any better approach?