PMTech
just joined
Topic Author
Posts: 13
Joined: Mon Feb 15, 2016 5:13 pm

Feature Request : Wireless Private Passphrase as a Match in Access-List

Fri Jul 14, 2017 9:31 am

Ultimately what we're trying to achieve is identifying users on a wireless SSID by the passphrase they use and then place them on their own VLAN. This is almost possible but not quite :

Currently the private passphrase in access-list for CAPsMAN is only used to check that the passphrase is correct once the other criteria in the access list has been validated. MAC address etc.

The request is to be able to have the passphrase as part of the matching criteria so that the below is possible :
Passphrase.JPG
Last edited by PMTech on Tue Aug 29, 2017 11:54 pm, edited 1 time in total.
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Fri Jul 14, 2017 2:42 pm

You can't do that, in Access List, each entry will have to be made separately for each MAC.
 
PMTech
just joined
Topic Author
Posts: 13
Joined: Mon Feb 15, 2016 5:13 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Wed Jul 19, 2017 11:54 am

Thanks Normis,

I know, I'd like to submit it as a feature request.
 
PMTech
just joined
Topic Author
Posts: 13
Joined: Mon Feb 15, 2016 5:13 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Fri Jul 21, 2017 6:38 pm

Hi Normis,

Is this technically possible with the OS? Is it even worth me submitting it as a feature request?
 
Mplsguy
MikroTik Support
Posts: 227
Joined: Fri Jun 06, 2008 5:06 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List  [SOLVED]

Thu Aug 31, 2017 1:06 pm

The AP does not "check" the passphrase, because the client never sends it to the AP. The AP uses the known passphrase in calculations and by means of those checks whether the client knows the same passphrase. Basically 802.11 PSK is an algorithm that allows both parties to confirm that the other party (and this applies to both AP and client) is using the same passphrase without sending it over the air. This is how the protocol works; refer to 802.11 for details.

This means that it is practically* impossible for the AP to e.g. send the passphrase used by the client to RADIUS and/or use it for matching the access-list. Also note that access-list matching happens before the key exchange that confirms the passphrase; the access-list can even provide the passphrase to use, by means of private-passphrase, after an access-list rule is matched.

* - I say "practically" because theoretically the AP could check the info sent by the client against every possible passphrase. This could be possible because the AP is the first to check the data sent by the client if the proper passphrase was used. Probably such a feature could be implemented to some extent, where the AP could check against a fixed set of passphrases and take one action or another, but unfortunately it is impossible to integrate it in the current access-list (access-list checking is done before the key exchange) or to send the passphrase to a RADIUS server (the passphrase is not known).
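The mechanism the footnote describes, an AP recovering which passphrase a client used by recomputing the handshake MIC under each candidate, can be shown end to end. The following is an added example in Python; it is not code from this thread, from RouterOS or from any DPSK vendor. It builds both sides: the client derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), expands the PTK with the 802.11i PRF over the two MAC addresses and nonces, takes the first 16 bytes as the KCK and MICs EAPOL-Key message 2; the "AP" then tries each entry of its passphrase table until a MIC verifies. The SSID, MAC addresses, nonces, candidate passphrases and RSN IE are constructed for the demonstration, and the EAPOL-Key field layout is the WPA2-PSK one (AKM 00-0F-AC:2, HMAC-SHA1-128 MIC); the PMK test vector in the usage note is the one from the 802.11i annex.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# --- constructed parameters for the demonstration (not from the thread) ---
SSID = "hotel-guest"
AP_MAC = bytes.fromhex("001122334455")     # AA: authenticator (AP) address
STA_MAC = bytes.fromhex("66778899aabb")    # SPA: supplicant (client) address
ANONCE = hashlib.sha256(b"constructed anonce").digest()   # 32 bytes, sent by AP in message 1
SNONCE = hashlib.sha256(b"constructed snonce").digest()   # 32 bytes, chosen by the client
# the per-unit passphrase table an AP would hold (constructed)
CANDIDATES = ["unit-11-secret", "unit-12-secret", "unit-13-secret"]
# constructed RSN IE echoed in message 2: CCMP group and pairwise cipher, AKM = PSK
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")

# Offsets inside an EAPOL-Key frame: 4-byte EAPOL header, 1 descriptor type,
# 2 key info, 2 key length, 8 replay counter, 32 nonce, 16 IV, 8 RSC, 8 ID, 16 MIC
NONCE_OFF = 17
MIC_OFF = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i); 48 bytes out."""
    out = b""
    for i in range(3):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def kck_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces).
    The first 16 bytes of the PTK are the KCK, the key that MICs the EAPOL-Key frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """WPA2-PSK (AKM 2): MIC = HMAC-SHA1 over the whole EAPOL-Key frame, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, key_data: bytes) -> bytes:
    """EAPOL-Key message 2 (pairwise, MIC bit set, descriptor version 2) with the MIC field zeroed."""
    body = (
        b"\x02"                      # descriptor type: RSN key descriptor
        + b"\x01\x0a"                # key info: MIC (0x0100) | pairwise (0x0008) | version 2
        + b"\x00\x10"                # key length
        + (1).to_bytes(8, "big")     # replay counter echoed from message 1
        + snonce
        + b"\x00" * 16               # key IV
        + b"\x00" * 8                # key RSC
        + b"\x00" * 8                # key ID
        + b"\x00" * 16               # MIC, zero while it is being computed
        + len(key_data).to_bytes(2, "big")
        + key_data
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 (EAPOL-Key)


def client_msg2(passphrase: str) -> bytes:
    """Supplicant side: prove knowledge of the passphrase by MICing message 2. The passphrase itself never leaves the client."""
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    frame = build_msg2(SNONCE, RSN_IE)
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFF] + mic + frame[MIC_OFF + 16:]


def identify_passphrase(msg2: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Authenticator side: recover which table entry the client used by recomputing the MIC
    under every candidate. Returns the matching passphrase, or None if nothing verifies."""
    snonce = msg2[NONCE_OFF:NONCE_OFF + 32]
    received_mic = msg2[MIC_OFF:MIC_OFF + 16]
    zeroed = msg2[:MIC_OFF] + b"\x00" * 16 + msg2[MIC_OFF + 16:]
    for passphrase in candidates:
        kck = kck_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, snonce)
        if hmac.compare_digest(eapol_mic(kck, zeroed), received_mic):
            return passphrase
    return None


if __name__ == "__main__":
    m2 = client_msg2("unit-12-secret")
    print("client used:", identify_passphrase(m2, CANDIDATES))
    print("unknown key:", identify_passphrase(client_msg2("not-in-table"), CANDIDATES))
```

Two things the loop makes visible. Every candidate costs one PBKDF2 of 4096 SHA-1 rounds per association, so a product doing this keeps the table bounded or caches PMKs per passphrase; the per-SSID PMK is what you would cache, since only the cheap PRF and HMAC depend on the nonces. And the loop is byte for byte the offline dictionary attack on a captured WPA2-PSK handshake, which is why per-unit passphrases in such a scheme must be long and random rather than room numbers. You can sanity-check the derivation against the 802.11i annex vector: passphrase "password" with SSID "IEEE" gives PMK f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.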
 
PMTech
just joined
Topic Author
Posts: 13
Joined: Mon Feb 15, 2016 5:13 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Tue Sep 05, 2017 3:48 pm

Thanks, that explains it.
 
coltonconor
just joined
Posts: 6
Joined: Mon Aug 17, 2015 4:04 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Thu Jun 20, 2019 6:10 am

For clarification, other vendors are doing this today. Examples:

https://www.aerohive.com/technology/ppsk/

https://www.ruckuswireless.com/content/ ... d-key-dpsk

Does Mikrotik have any plans to implement this?
 
netwpl
newbie
Posts: 27
Joined: Fri Jun 22, 2012 8:09 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sat Oct 26, 2019 7:14 pm

This could be possible because AP is the first to check data sent by client if proper passphrase was used. Probably such feature could be implemented to some extent where AP could check against fixed set of passphrases and take one action or another.
I would like to be able to assign a VLAN based on the PSK used. This would be useful in hotel/apartment/condos where each unit has its own passphrase. It would work for a single SSID (from every AP on the property) and allow for private Wi-Fi without using MAC addresses or RADIUS or landing pages.
My customers have exactly the same need for this feature!

Have you solved it with a workaround so far? RADIUS with VLAN assignment would be possible, but not every client is capable of 802.1X, nor of a captive portal.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sat Oct 26, 2019 7:59 pm

You can do this standards-based when using WPA2-EAP. Almost every client supports it.
 
Zebble
Frequent Visitor
Posts: 50
Joined: Mon Oct 17, 2011 4:07 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sat Oct 26, 2019 10:44 pm

You can do this standards-based when using WPA2-EAP. Almost every client supports it.
This isn't the same as dynamic PSK. Not all devices support EAP, and DPSK is far simpler from a user perspective.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sun Oct 27, 2019 1:00 am

You can always buy an AP that supports it!
You will never find all features in all possible devices at all price levels.
 
Zebble
Frequent Visitor
Posts: 50
Joined: Mon Oct 17, 2011 4:07 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sun Oct 27, 2019 1:14 am

You can always buy an AP that supports it!
You will never find all features in all possible devices at all price levels.
The problem isn't the AP (we're talking about Mikrotik - they all support EAP), it's the client devices. Not all support EAP, especially consumer devices. The example above of an apartment building is a relevant example where EAP would be ineffective.
 
UpRunTech
Member Candidate
Posts: 214
Joined: Fri Jul 27, 2012 12:11 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sun Oct 27, 2019 1:41 am

You can always buy an AP that supports it!
You will never find all features in all possible devices at all price levels.
The problem isn't the AP (we're talking about Mikrotik - they all support EAP), it's the client devices. Not all support EAP, especially consumer devices. The example above of an apartment building is a relevant example where EAP would be ineffective.
Yes, devices like Chromecast and printers don't support EAP.

I too in the past have wished for password based VLAN assignment without using RADIUS. In the end I have done it using the hotspot, CAPSMAN and some script fu - as in hotspot logins get put on their own VLAN. It works very well considering there is no RADIUS involved. Using hotspot of course implies there is no Wifi encryption (until WPA3 comes along).
 
newhotelowner
just joined
Posts: 9
Joined: Wed Dec 04, 2019 4:10 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Tue Dec 10, 2019 3:43 am


Yes, devices like Chromecast and printers don't support EAP.

I too in the past have wished for password based VLAN assignment without using RADIUS. In the end I have done it using the hotspot, CAPSMAN and some script fu - as in hotspot logins get put on their own VLAN. It works very well considering there is no RADIUS involved. Using hotspot of course implies there is no Wifi encryption (until WPA3 comes along).
Could you share the script? I have been looking for a solution to assign VLAN based on the hotspot login.
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Tue Dec 10, 2019 10:12 am

I use this script on a hotspot system: hotspot-to-wpa (add this with on-login=hotspot-to-wpa in hotspot profile)

The user has to connect to the open network and authenticate to the hotspot. An access-list entry for his device (MAC address) is created, using the hotspot password as the WPA passphrase. Not exactly what was requested, but perhaps some can use it or get some ideas.
 
newhotelowner
just joined
Posts: 9
Joined: Wed Dec 04, 2019 4:10 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Wed Dec 11, 2019 12:06 am

Thanks eworm! This is very interesting. I think I can use it to assign the user to a VLAN.

Basically, I want user to be in the same VLAN as the chromecast, so they can cast the content in the hotel room TV.

I only want the guest to access the Chromecast in their room. The only way I can make this happen is if the guest and the Chromecast are in the same VLAN.
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Wed Dec 11, 2019 2:09 pm

Well, you need to have an assignment from user to VLAN. You could use the username (available as $UserName) or a substring of it. So if user "1234" with password "secret" logs in you create an access list entry for VLAN 1234, user's mac address and his passphrase "secret". Alternatively you could get your VLAN from comments in "/ ip hotspot user"...
 
newhotelowner
just joined
Posts: 9
Joined: Wed Dec 04, 2019 4:10 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Thu Dec 12, 2019 1:10 am

After the user is logged in from the hotspot page, I update the access-list with the user's mac address and the VLAN.

Now, How do I force the user to reconnect so that the user gets the right VLAN?
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Thu Dec 12, 2019 12:29 pm

My script expects that you have an open network for the hotspot (let's call it "example") and a WPA-enabled network with the suffix "-wpa" in its name (that would be "example-wpa" in this case).
You can add information and instructions to "alogin.html" to make them visible to guests after successful login.
 
PackElend
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sun Jan 02, 2022 7:52 pm

Hi Mt's,
I face the same challenge, so can I use RADIUS to assign a user to a VLAN purely on the PPSK used?
At least there is an attribute that would match the idea:
MIKROTIK_WIRELESS_PSK
see https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client


Basically, I want user to be in the same VLAN as the chromecast, so they can cast the content in the hotel room TV.
I only want the guest to access the chromecast in their room. The only way I can make this happen is if the guest and the chromecast are in the same VLAN.
My use case is the other way around. I want the Chromecast or any other smart devices that are not EAP-capable to be added to the VLAN of the owner of a specific device automatically so that the administrator does not have to do this manually. The only way I can see to make this happen is to use PPSK.
Last edited by PackElend on Sun Jan 02, 2022 11:46 pm, edited 2 times in total.
 
PackElend
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sun Jan 02, 2022 11:45 pm

Hi again,
could you use RADIUS to check if the passphrase used matches a predefined one and assign a VLAN ID according to the predefined passphrase?
I know that it is said
... but unfortunately it is impossible ... or send passphrase to RADIUS server (passphrase is not known).
but there is a very old thread Auth WPA2/PSK agaist radius server - MikroTik (and an idea in DPSK Dynamic WPA2 PSK support - MikroTik), so I'm wondering if I could use private-pre-shared-key, see Wireless Interface - RouterOS - MikroTik Documentation, which I understand is available as the RADIUS attribute MIKROTIK_WIRELESS_PSK, see Manual:RADIUS Client - MikroTik Wiki.
Unfortunately, it is not listed as an attribute in 4.2 Access-Request or 4.4 Accounting-Request, so I can't tell if this attribute is sent to the RADIUS server in the course of an authentication or accounting request.

At least FreeRADIUS can deal with an attribute in an Access-Request, see protocol/Access Request (freeradius.org).

If so, I hope the VLAN assignment could happen somehow as follows (based on Unlang | FreeRADIUS Documentation (networkradius.com)):
[root@pfSense.test.home.arpa]/usr/local/etc/raddb: cat users.PSK
# Mikrotik MAC auth and dynamic VLAN
# MAC format XXXX:XXXX:XXXX
#
# check any user: MAC auth, the password must equal the username
DEFAULT Cleartext-Password := "%{User-Name}"

# The users file only takes check/reply attribute pairs. The switch below is
# unlang and belongs in the post-auth section of sites-enabled/default (or in a
# policy called from there). Attributes are referenced by their dictionary
# name, which for this VSA is Mikrotik-Wireless-PSK (dictionary.mikrotik), and
# each case sets its reply attributes inside an "update reply" block.
post-auth {
    # assign VLAN per PPSK; the empty case is the default and also catches
    # requests that carry no Mikrotik-Wireless-PSK attribute at all
    switch &Mikrotik-Wireless-PSK {
        case "VLAN1_PPSK" {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Mikrotik-Wireless-VLANID := 20
                Mikrotik-Wireless-VLANID-Type := 0
                Mikrotik-Wireless-Comment := "USER_01_DEVICE"
            }
        }
        case "VLAN2_PPSK" {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Mikrotik-Wireless-VLANID := 10
                Mikrotik-Wireless-VLANID-Type := 0
                Mikrotik-Wireless-Comment := "USER_01_DEVICE"
            }
        }
        case {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Mikrotik-Wireless-VLANID := 99
                Mikrotik-Wireless-VLANID-Type := 0
                Mikrotik-Wireless-Comment := "UNTRUSTED_DEVICE"
            }
        }
    }
}
