HACKER Q&A
📣 tonymet

WPA2 Shared Secret Rotation: How to Avoid Downtime?


Let's assume you'd like to rotate your WPA2 shared secret (SSID passphrase) once a year. How do you do it without downtime and with minimal fuss? Is it possible to do it without changing the SSID?

Here's how I do it:

1. Start with the existing SSID `wireless-net`.

2. Add a new virtual SSID `wireless-net-A` with the new shared secret.

3. One by one, update each client to the new SSID and shared secret.

4. Once `wireless-net` is empty, disable it.

The two big downsides are: (1) updating clients one by one, and (2) losing the SSID name. Also, some routers do not support virtual SSIDs.

Any better approach?
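For reference, here is an added example (not code from the original post, and not a tool the poster used) showing the two pieces a rotation without an SSID change rests on. First, the WPA2-PSK derivation from 802.11i: the 256-bit PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes. Because the SSID is only the salt, a new passphrase under the same SSID already yields a completely fresh key; renaming the SSID adds nothing cryptographically. Second, a staged client config: wpa_supplicant accepts several `network` blocks for the same SSID, each with its own `psk` and `priority`, so a client can be pre-loaded with both the old and the new key before the access point is switched. The SSID and passphrases below are constructed placeholders, and the fallback behaviour assumes the client's wpa_supplicant moves on to the other matching block after a failed 4-way handshake, which is its normal behaviour but worth confirming on the version you run.

```python
import hashlib

# Constructed sample values for illustration only (not from the original post).
SSID = "wireless-net"
OLD_PASSPHRASE = "old-passphrase-2023"   # assumed current secret
NEW_PASSPHRASE = "new-passphrase-2024"   # assumed rotated secret


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2 PSK (the PMK) from a passphrase and SSID.

    802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase under another SSID gives a
    different key, and a new passphrase under the same SSID gives a new key.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def wpa_supplicant_blocks(ssid: str, old_passphrase: str, new_passphrase: str) -> str:
    """Render two wpa_supplicant network blocks for the same SSID.

    Both blocks carry the raw PSK as 64 hex characters (the form wpa_supplicant
    accepts instead of a quoted passphrase). The rotated key gets the higher
    priority, so a client staged with this config joins with the new key once
    the AP is switched and falls back to the old key while the AP still uses it.
    """

    def block(psk: bytes, priority: int, label: str) -> str:
        return (
            "network={\n"
            f"\t# {label}\n"
            f'\tssid="{ssid}"\n'
            "\tkey_mgmt=WPA-PSK\n"
            f"\tpsk={psk.hex()}\n"
            f"\tpriority={priority}\n"
            "}\n"
        )

    return (
        block(wpa2_psk(new_passphrase, ssid), 10, "rotated key")
        + block(wpa2_psk(old_passphrase, ssid), 1, "previous key")
    )


if __name__ == "__main__":
    # Same value `wpa_passphrase <ssid> <passphrase>` prints as psk=...
    print("new PSK:", wpa2_psk(NEW_PASSPHRASE, SSID).hex())
    print(wpa_supplicant_blocks(SSID, OLD_PASSPHRASE, NEW_PASSPHRASE))
```

The derivation matches what `wpa_passphrase` prints, so the hex `psk=` lines can be pushed to Linux clients ahead of time without ever writing the new passphrase to them in the clear; when the access point is switched to the new passphrase under the unchanged SSID, clients that already hold both blocks reconnect with the rotated key, and the old block can be removed afterwards. This does not help clients that store only one credential per SSID, which is why the question's one-by-one migration remains necessary for them.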


  👤 chitraa Accepted Answer ✓
While your approach to rotating the WPA2 shared secret (SSID passphrase) is efficient, it does have the drawbacks you mentioned. Fortunately, there are incident management tools to minimize the cost and downtime for your organization. We use Squadcast, and we've experienced a reduced client update burden. We're maintaining the existing SSID, and automation is also possible for runbooks.

👤 theandrewbailey
Unfortunately, there isn't a way for access points to tell clients 'use this SSID and secret from now on, goodbye'.

I guess you need to have a list of people that are the only ones allowed access, then tell them. Maybe include a paper with the new SSID and secret and maybe a QR code.