DPSK Dynamic WPA2 PSK support

I’ve seen some instances of Wireless LANs popping up that use dynamic/unique PSKs that are preregistered with the WLAN operator… Each device connects with a unique PSK instead of the traditional shared PSK. This is to support increased WiFi privacy on a WPA2-Personal protected network without having to use WPA2-Enterprise/802.1x (useful for shared networks where it is impractical to install a certificate on the client).

Is it possible to add such support to Mikrotik wireless APs?

Oh yeah! This would be awesome. We used this on a couple of Ruckus sites and it’s pretty cool.

It’s been in there for years.
Go into your access control list under wireless. You can generate/set per-MAC-address passwords.

I took my DPSK file from my Zone Director and copied and pasted the passwords into my access list. Result… The DPSK keys work on my Mikrotik wireless. Unplugged the ZD months ago. The performance of the Mikrotik wireless is nowhere near as good as the Ruckus APs. But if you don’t mind the more than 50% drop-off in throughput (866 down to 300)… The Mikrotik WAPs only cost $70 in the US.

Example from a stand-alone access point:

/interface wireless access-list
add comment=Jayden mac-address=5C:1D:D9:C3:C6:15 private-pre-shared-key=supersecretpasswordexample vlan-mode=no-tag

Example from CAPsMAN:

/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment=Jayden disabled=no mac-address=5C:1D:D9:C3:C6:15 private-passphrase=\
    supersecretpasswordexample

So it’s kind of nice because you can actually make up passwords and they can be any length you want.
Also you can make that one password work for one SSID, all SSIDs, a group of access points, etc.
Further… you can go back and add a VLAN tag to bounce a device into another subnet AFTER IT’S BEEN ON THE SYSTEM. (In Ruckus it’s set once you generate the file.)

Furthermore, you can associate a RADIUS server to manage the mac-address/password association.
There are a few presentations that covered this topic.
MikroTik has had it for ages; too bad they didn’t use it as a good advertisement.

Wow, this is really awesome news. I had no idea it was in there, although that’s probably because I typically don’t need to implement ACLs.

Great stuff… Thanks!

Do you have a link to the presentations? I assume you mean youtube, but I cannot seem to find them in English.

Is this the same as EAP-PWD (RFC5931) or is it as secure as EAP-PWD?

This would be way more useful if the access list didn’t stop on the first failure but went on to try and validate against the next matching rule. You could then have multiple PSKs without defined MAC addresses, allowing you to set different keys for different users without the need to pre-register MAC addresses.

This is how the Group DPSK function works on Ruckus and is very handy for users with multiple devices.

The more I use Mikrotik wireless… The more I love Ruckus.

If you need a solution… RUCKUS.
If you don’t mind a hobby… Mikrotik.

This is completely the opposite of Mikrotik routing.

Which Ruckus AP do you prefer within the 100-150 Euro price range?

Do you have a working example?
I’m trying to set up dynamic VLAN assignment based on the Private-PSK used.
There is this RADIUS attribute

Mikrotik-Wireless-PSK

which could be used, but I cannot find any tutorial or topic using it, so I’m wondering if this is feasible.
Any input is welcome :smiley:

How do you do that?

Go into the ACL.
Add the MAC address and password you want the client to bind together.
Select a VLAN tag.

Could you share the config to do so?
I’m still on vacation and far from home, so I can’t check it out on my system :slight_smile:

Would it be like:

/caps-man access-list
add action=accept mac-address=MAC_User1_Device1 private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept mac-address=MAC_User1_Device2 private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept mac-address=MAC_User2_Device1 private-passphrase=PPSK_User2 vlan-id=VLAN_User2 vlan-mode=use-tag comment=User2

Could the PPSK-based access-list be used to realize a feature like "Working with Dynamic Pre-Shared Keys" (commscope.com) by either using 00:00:00:00:00:00 as the MAC or omitting the MAC altogether?
So the code for a PPSK-based VLAN assignment could be like:

/caps-man access-list
add action=accept mac-address=00:00:00:00:00:00 private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept mac-address=00:00:00:00:00:00 private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept mac-address=00:00:00:00:00:00 private-passphrase=PPSK_User2 vlan-id=VLAN_User2 vlan-mode=use-tag comment=User2

The code was written based on what was mentioned in this topic and in "wireless access list vlan mode & id function? - MikroTik" and "Can each wireless user connect to their own VLAN? - MikroTik".

Move my laptop into a different VLAN based on the password I used.

/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="Windows LapTop" \
    disabled=no mac-address=C8:FF:28:3C:35:35 private-passphrase=pn4XaFnnKX \
    ssid-regexp=WhateverSSID vlan-id=254 vlan-mode=use-tag

As for replacing Ruckus…
A few weeks using Mikrotik wireless and you will realize that was a seriously bad idea.

Especially if you have a few 2.4-only WiFi clients (URC, HP, etc.) on your networks.
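As an added example (not code from this thread or from MikroTik), a small Python generator that emits the per-device entries shown in the posts above, in both the standalone `/interface wireless access-list` form and the CAPsMAN `/caps-man access-list` form with an optional VLAN tag, giving each device its own CSPRNG passphrase within the 8..63-character WPA2 limit. The device list is constructed; the attribute names are those quoted in the thread.

```python
# Added example, not from the thread: per-device PSK entries for MikroTik
# access-lists in the standalone and CAPsMAN syntax quoted in the posts.
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

def normalize_mac(mac: str) -> str:
    """Accept 5c1dd9c3c615 / 5c-1d-... / 5C:1D:... and return RouterOS form."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def new_passphrase(length: int = 20) -> str:
    """CSPRNG passphrase; WPA2 allows 8..63 printable ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def access_list_entry(mac, passphrase, comment, vlan_id=None, capsman=False):
    """One 'add' line. CAPsMAN names the key private-passphrase, a standalone
    wireless interface names it private-pre-shared-key (as in the thread)."""
    if not 8 <= len(passphrase) <= 63 or '"' in passphrase + comment:
        raise ValueError("passphrase must be 8..63 chars, no double quotes")
    key_attr = "private-passphrase" if capsman else "private-pre-shared-key"
    parts = ["add", "action=accept"] if capsman else ["add"]
    parts += [f"mac-address={normalize_mac(mac)}",
              f'{key_attr}="{passphrase}"', f'comment="{comment}"']
    if vlan_id is None:
        parts.append("vlan-mode=no-tag")
    else:
        parts.append(f"vlan-mode=use-tag vlan-id={int(vlan_id)}")
    return " ".join(parts)

def build_access_list(devices, capsman=False):
    """devices: dicts with mac, comment, optional vlan_id and passphrase.
    Returns (command lines, {comment: (mac, passphrase)}) per user."""
    lines = ["/caps-man access-list" if capsman
             else "/interface wireless access-list"]
    creds = {}
    for dev in devices:
        psk = dev.get("passphrase") or new_passphrase()
        lines.append(access_list_entry(dev["mac"], psk, dev["comment"],
                                       dev.get("vlan_id"), capsman))
        creds[dev["comment"]] = (normalize_mac(dev["mac"]), psk)
    return lines, creds
```

The returned credentials map lets the operator hand each user only their own key, which is the privacy point of DPSK over one shared passphrase.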

This assumes that the MAC is known, but what if the MAC is not known in advance?

Just tried it. Device was allowed to connect.

Using what configuration, the one posted before?

Does the following work as well?

/caps-man access-list
add action=accept private-passphrase=PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept private-passphrase=PPSK_User2 vlan-id=VLAN_User2 vlan-mode=use-tag comment=User2

I was on a standalone hAP ac2 that is not running CAPsMAN.

[admin@MikroTik] /interface/wireless/access-list> print
Flags: X - disabled
0 mac-address=00:00:00:00:00:00 interface=any signal-range=-120..120
allow-signal-out-of-range=10s authentication=yes forwarding=yes
ap-tx-limit=0 client-tx-limit=0 private-algo=none private-key=""
private-pre-shared-key="thisisatest" management-protection-key=""
vlan-mode=default vlan-id=1

No problem, thanks a lot for testing and sharing :grinning_face:.

I’m currently only on mobile so I cannot contribute anything.

Would it still work if it is done with 2 rules like that but with different private-pre-shared-key?

Like:
private-pre-shared-key="user1" vlan-id=1
private-pre-shared-key="user2" vlan-id=2