Feature Request : Wireless Private Passphrase as a Match in Access-List

Ultimately what we’re trying to achieve is identifying users on a wireless SSID by the passphrase they use and then placing them on their own VLAN. This is almost possible, but not quite:

Currently the private passphrase in the access-list for CAPsMAN is only used to check that the passphrase is correct once the other criteria in the access-list (MAC address etc.) have been validated.

The request is to be able to have the passphrase as part of the matching criteria so that the below is possible:
Passphrase.JPG

You can’t do that, in Access List, each entry will have to be made separately for each MAC.

Thanks Normis,

I know, I’d like to submit it as a feature request.

Hi Normis,

Is this technically possible with the OS? Is it even worth me submitting as a feature request?

The AP does not “check” the passphrase, because the client never sends it to the AP. The AP uses the known passphrase in calculations and by means of those checks whether the client knows the same passphrase. Basically 802.11 PSK is an algorithm that allows both parties to confirm that the other party (and this applies to both - AP and client) is using the same passphrase without sending it over the air. This is how the protocol works, refer to 802.11 for details.

This means that it is practically* impossible for the AP to e.g. send the passphrase used by the client to RADIUS and/or use it for matching the access-list. Also note that access-list matching happens before the key exchange that confirms the passphrase - the access-list can even provide this passphrase to use by means of private-passphrase after the access-list rule is matched.

    • I say “practically” because theoretically the AP could check info sent by the client against every possible passphrase. This could be possible because the AP is the first to check data sent by the client if the proper passphrase was used. Probably such a feature could be implemented to some extent where the AP could check against a fixed set of passphrases and take one action or another, but unfortunately it is impossible to integrate it in the current access-list (access-list checking is done before the key exchange) or send the passphrase to a RADIUS server (the passphrase is not known).
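As an added illustration of the point above (this is not code from the thread or from MikroTik), the following simulates messages 1 and 2 of the WPA2-PSK four-way handshake: both sides derive the PMK and PTK from the passphrase, and the AP only verifies a MIC on message 2, so neither the passphrase nor the PMK ever crosses the air. The SSID, MAC addresses and passphrases are constructed sample values, and the EAPOL frame body is a simplified stand-in for the real frame with its MIC field zeroed.

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: str, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range(4):  # 4 * 20 bytes = 80 bytes, truncated to 64
        out += hmac.new(key, label.encode() + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(...))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, "Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (AKM 00-0F-AC:2): MIC = HMAC-SHA1(KCK, frame) truncated to 16 bytes; KCK = PTK[0:16]."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ssid: str, ap_passphrase: str, sta_passphrase: str,
                       ap_mac: bytes, sta_mac: bytes) -> bool:
    """Simulates messages 1 and 2 and returns True if the AP accepts message 2.
    Only nonces, MAC addresses and a MIC are exchanged; the passphrase itself is never sent."""
    anonce = os.urandom(32)  # message 1, AP -> STA: ANonce in the clear
    snonce = os.urandom(32)
    # Station side: derive PTK from its own passphrase and sign message 2.
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2_body = b"EAPOL-Key msg2 (constructed stand-in) " + snonce  # frame with MIC field zeroed
    msg2_mic = eapol_mic(sta_ptk[:16], msg2_body)  # message 2, STA -> AP: SNonce + MIC
    # AP side: derive PTK from the passphrase it knows and check the MIC. If the MICs differ,
    # the AP only learns "not the same passphrase", not which passphrase the client used.
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ap_ptk[:16], msg2_body), msg2_mic)
```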

Thanks, that explains it.

For clarification, other vendors are doing this today. Examples:

https://www.aerohive.com/technology/ppsk/

https://www.ruckuswireless.com/content/dynamic-pre-shared-key-dpsk

Does Mikrotik have any plans to implement this?

MtHoodlum wrote:
    Mplsguy wrote:
        This could be possible because AP is the first to check data sent by client if proper passphrase was used. Probably such feature could be implemented to some extent where AP could check against fixed set of passphrases and take one action or another.

    I would like to be able to assign a VLAN based on the PSK used. This would be useful in hotels/apartments/condos where each unit has its own passphrase. It would work for a single SSID (from every AP on the property) and allow for private Wi-Fi without using MAC addresses or RADIUS or landing pages.

My customers have exactly the same need for this feature!

Have you solved it with a workaround so far? RADIUS with VLAN assignment would be possible, but not every client is capable of 802.1X - nor of captive portal.

You can do this standards-based when using WPA2-EAP. Almost every client supports it.

This isn’t the same as dynamic PSK. Not all devices support EAP, and DPSK is far simpler from a user perspective.

You can always buy an AP that supports it!
You will never find all features in all possible devices at all price levels.

The problem isn’t the AP (we’re talking about Mikrotik - they all support EAP), it’s the client devices. Not all support EAP, especially consumer devices. The example above of an apartment building is a relevant example where EAP would be ineffective.

Yes, devices like Chromecast and printers don’t support EAP.

I too in the past have wished for password based VLAN assignment without using RADIUS. In the end I have done it using the hotspot, CAPSMAN and some script fu - as in hotspot logins get put on their own VLAN. It works very well considering there is no RADIUS involved. Using hotspot of course implies there is no Wifi encryption (until WPA3 comes along).

Could you share the script? I have been looking for a solution to assign VLAN based on the hotspot login.

I use this script on a hotspot system: hotspot-to-wpa (add this with on-login=hotspot-to-wpa in hotspot profile)

The user has to connect to open network and authenticate to hotspot. An access-list entry for his device (mac address) is created, using the hotspot password for WPA passphrase. Not exactly what was requested, but perhaps some can use it or get some ideas.

Thanks eworm! This is very interesting. I think I can use it to assign the user to a VLAN.

Basically, I want user to be in the same VLAN as the chromecast, so they can cast the content in the hotel room TV.

I only want the guest to access the Chromecast in their room. The only way I can make this happen is if the guest and the Chromecast are in the same VLAN.

Well, you need to have an assignment from user to VLAN. You could use the username (available as $UserName) or a substring of it. So if user “1234” with password “secret” logs in, you create an access-list entry for VLAN 1234, the user’s MAC address and his passphrase “secret”. Alternatively you could get your VLAN from comments in “/ip hotspot user”…

After the user is logged in from the hotspot page, I update the access-list with the user’s mac address and the VLAN.

Now, how do I force the user to reconnect so that the user gets the right VLAN?

My script expects that you have an open network for the hotspot (let’s call it “example”) and a WPA-enabled network with the suffix “-wpa” in its name (that would be “example-wpa” in this case).
You can add information and instructions to “alogin.html” to make them visible to guests after successful login.

Hi Mt’s,
I face the same challenge, so can I use RADIUS to assign a user to a VLAN purely on the PPSK used?
At least there is an attribute that would match the idea:

MIKROTIK_WIRELESS_PSK

see https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
My use case is the other way around. I want the Chromecast or any other smart devices that are not EAP-capable to be added to the VLAN of the owner of a specific device automatically so that the administrator does not have to do this manually. The only way I can see to make this happen is to use PPSK.