metricmoose
newbie
Topic Author
Posts: 37
Joined: Sat Nov 21, 2015 2:03 am

Feature Request: Multiple WPA2 Pre Shared Keys

Sat Aug 10, 2019 4:52 am

I've been working on a few Cambium cnPilot deployments lately and they recently added a very cool feature called "ePSK", which allows for one WiFi SSID to have multiple passwords, with each password being capable of putting the end device on a different VLAN. This is useful for a few reasons:
  • It's more secure: anyone with the key can decrypt traffic, so giving a unique key to every user would be better for security.
  • Using the ability to assign different VLANs to different passwords, you can reduce the number of SSIDs being broadcast, and therefore the number of beacons the AP sends out, improving performance.
  • Adding to the point above, this feature really streamlines networking in MDUs. Each resident can have their own password on the one SSID used throughout the building, which then puts them into their own dedicated VLAN. This VLAN can give them internet access isolated from other residents (perhaps even with their own public IP and the speed package the resident decided to subscribe to) while making sure their IoT and streaming devices are all on the same private LAN together. Other methods for this involve captive portals, which don't play well with screenless IoT devices without involving complicated onboarding portals.
I think it would be very valuable to have Mikrotik implement a similar feature; it would be extremely powerful when combined with CAPsMAN and the low cost of Mikrotik hardware.
 
andriys
Forum Guru
Posts: 1108
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Request: Multiple WPA2 Pre Shared Keys

Sat Aug 10, 2019 9:25 am

Well, on Mikrotik this has been possible like for ages now. It could be done either via wireless access list or RADIUS MAC authentication. This is supported for both regular AP and CAPsMAN setups.
 
pe1chl
Forum Guru
Posts: 5545
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Multiple WPA2 Pre Shared Keys

Sat Aug 10, 2019 11:31 am

> I've been working on a few Cambium cnPilot deployments lately and they recently added a very cool feature called "ePSK", which allows for one WiFi SSID to have multiple passwords, with each password being capable of putting the end device on a different VLAN. This is useful for a few reasons:
You can do that with WPA2-EAP (instead of WPA2-PSK), which is the usual way this is deployed (not depending on some specific manufacturer's method).
When you configure an access point with WPA2-EAP and you try to connect to it with a client, the client will ask for a username and password instead of only a password.
You can make unique user IDs for every user and have all kinds of attributes for the users (including the VLAN), or you could decide to use the username only as a "group name" which is used by all users that need to connect to some VLAN.
The only disadvantage is that the username has to be typed in, whereas having different SSIDs would mean they can be selected from a list.
> • It's more secure, as anyone with the key can decrypt traffic so giving a unique key to every user would be better for security.
That is not correct. The users connected to a single WPA2-PSK access point (with one SSID and password) do NOT all use the same key!
The key is generated during the session setup (and changed at regular intervals), so it is NOT possible to decrypt other people's traffic unless you have done some attack on that key establishment procedure.
> • Using the ability to assign different VLANs to different passwords, you can reduce the number of SSIDs being broadcast, and therefore the amount of beacons the AP is sending out and improving performance
With WPA2-EAP you have the same advantage: you can use only a single SSID and have different networks based on the logged-in users.

Most important, I think, is that WPA2-EAP is standards-based rather than some trick implemented by one specific manufacturer that you try to convince another one to implement too
(which could even run them into patent/license issues!).
 
metricmoose
newbie
Topic Author
Posts: 37
Joined: Sat Nov 21, 2015 2:03 am

Re: Feature Request: Multiple WPA2 Pre Shared Keys

Sun Aug 11, 2019 7:18 am

I'm fully aware that this can be implemented with WPA2-EAP to achieve something similar; the issue is that it uses external servers and software, whereas implementing multiple WPA2-PSK keys in RouterOS would allow it to be done on one standalone device. There's also the issue of many consumer devices (going back to the MDU example) not being compatible with WPA2-EAP.
 
pe1chl
Forum Guru
Posts: 5545
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Multiple WPA2 Pre Shared Keys

Sun Aug 11, 2019 11:19 am

That could be an issue with some very simple IoT devices, but typical consumer devices like laptops, mobile phones, tablets etc. can do WPA2-EAP just fine.
Over here most providers offer a "roaming WiFi" solution where you can connect to any other subscriber's WiFi network. For this, all participating subscribers' routers have an extra SSID with WPA2-EAP where you can connect using a username/password (or I think some can even use a certificate); then you get connected to another network that is VPN'ed to the provider. This works fine.

I have not fully researched the Cambium case, but please be aware that, due to the patent system in place, it may well be that someone there (or at another company) has "invented" this and filed a patent for it, as obvious as it may seem, and so it may not be allowed (or license fees may have to be paid) to apply such a solution to a product.
No problem of course for manufacturers of such expensive equipment, but more difficult for suppliers of $35 access points.

WiFi equipment exists over a very wide price range, and of course spending like $600-$1000 per AP is mostly wasted money, but sometimes you get something back for it.
 
anuser
Member
Posts: 369
Joined: Sat Nov 29, 2014 7:27 pm

Re: Feature Request: Multiple WPA2 Pre Shared Keys

Mon Aug 12, 2019 2:39 pm

I think "Multi-PSK" is what you want to be available on a MikroTik device; see pages 44-47 of https://zivindico.uni-muenster.de/event ... ressed.pdf
 
andriys
Forum Guru
Posts: 1108
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Request: Multiple WPA2 Pre Shared Keys

Mon Aug 12, 2019 11:27 pm

> I think "Multi-PSK" is what you want to be available on a MikroTik device, see page 44-47 from https://zivindico.uni-muenster.de/event ... ressed.pdf
It says it binds a MAC address to a PSK. You can easily do the same on Mikrotik using wireless access lists. I have already mentioned this is possible; see my post above.
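As an added illustration of the access-list approach that andriys describes in both of his replies (per-MAC private passphrase plus per-client VLAN on RouterOS v6 wireless and on CAPsMAN), here is example configuration written for this thread; it is not from the thread, the linked PDF, or MikroTik documentation. The SSID, interface name, MAC addresses, passphrases and VLAN ids are constructed placeholders.

```routeros
# Added example, not from the thread. RouterOS v6 "wireless" package syntax;
# the v7 wifi package uses different commands.
# All MACs, passphrases, VLAN ids and names below are constructed placeholders.

# 1. A normal WPA2-PSK security profile. Its passphrase is the fallback key
#    for any client whose MAC has no access-list entry.
/interface wireless security-profiles
add name=resident-psk mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="building-default-passphrase-CHANGE-ME"

# 2. The AP interface. default-authentication=no means only MACs with an
#    access-list entry may associate; default-forwarding=no stops clients on
#    the same radio from talking to each other directly.
/interface wireless
set wlan1 mode=ap-bridge ssid=Building-WiFi security-profile=resident-psk \
    default-authentication=no default-forwarding=no vlan-mode=no-tag

# 3. One access-list entry per client device. The listed MAC must present
#    this private passphrase, and its frames are tagged into the resident's
#    VLAN on the bridge. Two devices of the same resident share a passphrase
#    and a VLAN, so they land on the same private LAN.
/interface wireless access-list
add interface=wlan1 mac-address=00:11:22:33:44:01 \
    private-pre-shared-key="resident-101-passphrase" \
    vlan-mode=use-tag vlan-id=101 comment="Apt 101 - laptop"
add interface=wlan1 mac-address=00:11:22:33:44:02 \
    private-pre-shared-key="resident-101-passphrase" \
    vlan-mode=use-tag vlan-id=101 comment="Apt 101 - TV"
add interface=wlan1 mac-address=00:11:22:33:44:03 \
    private-pre-shared-key="resident-102-passphrase" \
    vlan-mode=use-tag vlan-id=102 comment="Apt 102 - phone"

# 4. CAPsMAN equivalent for a managed AP: the parameter is called
#    private-passphrase there, and matching is still by client MAC.
/caps-man access-list
add mac-address=00:11:22:33:44:03 action=accept \
    private-passphrase="resident-102-passphrase" \
    vlan-mode=use-tag vlan-id=102 comment="Apt 102 - phone"
```

Two points a practitioner should keep in mind with this model. First, the lookup key is the client MAC, which is transmitted in the clear in every frame and is easy to change on most devices, so the access list is an assignment and provisioning mechanism rather than a strong authenticator; the passphrase is what the client actually has to prove. Second, per-client pairwise keys protect unicast traffic, but all clients on one BSS share the group key used for broadcast and multicast, so the isolation between residents comes from the VLAN tagging and bridge filtering behind the AP, not from the radio link itself.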
