 
PMTech
just joined
Topic Author
Posts: 13
Joined: Mon Feb 15, 2016 5:13 pm

Feature Request : Wireless Private Passphrase as a Match in Access-List

Fri Jul 14, 2017 9:31 am

Ultimately what we're trying to achieve is identifying users on a wireless SSID by the passphrase they use and then placing them on their own VLAN. This is almost possible but not quite:

Currently the private passphrase in access-list for CAPsMAN is only used to check that the passphrase is correct once the other criteria in the access list (MAC address etc.) have been validated.

The request is to be able to have the passphrase as part of the matching criteria so that the below is possible :
Last edited by PMTech on Tue Aug 29, 2017 11:54 pm, edited 1 time in total.
 
normis
MikroTik Support
Posts: 24333
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Fri Jul 14, 2017 2:42 pm

You can't do that. In Access List, each entry will have to be made separately for each MAC.
 
PMTech
just joined
Topic Author
Posts: 13
Joined: Mon Feb 15, 2016 5:13 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Wed Jul 19, 2017 11:54 am

Thanks Normis,

I know, I'd like to submit it as a feature request.
 
PMTech
just joined
Topic Author
Posts: 13
Joined: Mon Feb 15, 2016 5:13 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Fri Jul 21, 2017 6:38 pm

Hi Normis,

Is this technically possible with the OS? Is it even worth me submitting as a feature request?
 
Mplsguy
MikroTik Support
Posts: 226
Joined: Fri Jun 06, 2008 5:06 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List  [SOLVED]

Thu Aug 31, 2017 1:06 pm

The AP does not "check" the passphrase, because the client never sends it to the AP. The AP uses the known passphrase in calculations and by means of those checks whether the client knows the same passphrase. Basically, 802.11 PSK is an algorithm that allows both parties to confirm that the other party (and this applies to both the AP and the client) is using the same passphrase without sending it over the air. This is how the protocol works; refer to 802.11 for details.

This means that it is practically* impossible for the AP to e.g. send the passphrase used by the client to RADIUS and/or use it for matching the access-list. Also note that access-list matching happens before the key exchange that confirms the passphrase - the access-list can even provide the passphrase to use by means of private-passphrase after an access-list rule is matched.

* - I say "practically" because theoretically the AP could check the info sent by the client against every possible passphrase. This could be possible because the AP is the first to check the data sent by the client to see if the proper passphrase was used. Probably such a feature could be implemented to some extent, where the AP could check against a fixed set of passphrases and take one action or another, but unfortunately it is impossible to integrate it in the current access-list (access-list checking is done before key exchange) or send the passphrase to a RADIUS server (the passphrase is not known).
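Added example, not part of the post above and not MikroTik code: a sketch of the AP-side check against a fixed set of passphrases, using the standard WPA2-PSK derivations (PBKDF2 for the PMK, the 802.11 PRF for the KCK, HMAC-SHA1-128 for the MIC of handshake message 2). The SSID, passphrases, VLAN ids, MAC addresses, nonces and frame bytes are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def kck(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key confirmation key: first 16 bytes of the PTK (first block of the 802.11 PRF)."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    block = hmac.new(pmk_, b"Pairwise key expansion\x00" + b + b"\x00", hashlib.sha1)
    return block.digest()[:16]

def eapol_mic(kck_: bytes, frame_mic_zeroed: bytes) -> bytes:
    """MIC of handshake message 2: HMAC-SHA1 over the frame, truncated to 128 bits."""
    return hmac.new(kck_, frame_mic_zeroed, hashlib.sha1).digest()[:16]

def build_table(ssid: str, passphrase_to_vlan: dict) -> list:
    """Precompute one PMK per configured passphrase; PBKDF2 is the expensive step."""
    return [(pmk(p, ssid), vlan) for p, vlan in passphrase_to_vlan.items()]

def match_vlan(table, aa, spa, anonce, snonce, frame, received_mic):
    """Return the VLAN whose passphrase verifies the client's MIC, else None."""
    for pmk_, vlan in table:
        expected = eapol_mic(kck(pmk_, aa, spa, anonce, snonce), frame)
        if hmac.compare_digest(expected, received_mic):
            return vlan
    return None

# Constructed sample values (not taken from any real network).
SSID = "Property-WiFi"
UNITS = {"unit101-passphrase": 101, "unit102-passphrase": 102, "unit103-passphrase": 103}
AA = bytes.fromhex("020000000001")    # AP MAC
SPA = bytes.fromhex("0200000000aa")   # client MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
FRAME = b"constructed stand-in for EAPOL-Key message 2 with MIC field zeroed"
TABLE = build_table(SSID, UNITS)

def client_mic(passphrase: str) -> bytes:
    """Simulated client side: the MIC a client holding `passphrase` would send."""
    return eapol_mic(kck(pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE), FRAME)

if __name__ == "__main__":
    print(match_vlan(TABLE, AA, SPA, ANONCE, SNONCE, FRAME, client_mic("unit102-passphrase")))
    print(match_vlan(TABLE, AA, SPA, ANONCE, SNONCE, FRAME, client_mic("not-configured")))
```

The passphrase never crosses the air in either direction; the AP only learns which of its own configured passphrases reproduces the MIC, and only at message 2 of the handshake, which is after access-list matching has already run.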
 
PMTech
just joined
Topic Author
Posts: 13
Joined: Mon Feb 15, 2016 5:13 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Tue Sep 05, 2017 3:48 pm

Thanks, that explains it.
 
MtHoodlum
just joined
Posts: 14
Joined: Fri Sep 07, 2012 2:09 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sat May 11, 2019 8:52 am

> This could be possible because AP is the first to check data sent by client if proper passphrase was used. Probably such feature could be implemented to some extent where AP could check against fixed set of passphrases and take one action or another.
I would like to be able to assign a VLAN based on the PSK used. This would be useful in hotel/apartment/condos where each unit has its own passphrase. It would for a single SSID (from every AP on the property) and allow for private Wi-Fi without using MAC addresses or RADIUS or landing pages.
 
coltonconor
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:04 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Thu Jun 20, 2019 6:10 am

For clarification, other vendors are doing this today. Examples:

https://www.aerohive.com/technology/ppsk/

https://www.ruckuswireless.com/content/ ... d-key-dpsk

Does Mikrotik have any plans to implement this?
 
netwpl
newbie
Posts: 26
Joined: Fri Jun 22, 2012 8:09 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sat Oct 26, 2019 7:14 pm

> > This could be possible because AP is the first to check data sent by client if proper passphrase was used. Probably such feature could be implemented to some extent where AP could check against fixed set of passphrases and take one action or another.
> I would like to be able to assign a VLAN based on the PSK used. This would be useful in hotel/apartment/condos where each unit has its own passphrase. It would for a single SSID (from every AP on the property) and allow for private Wi-Fi without using MAC addresses or RADIUS or landing pages.

My customers have exactly the same need for this feature!

Have you solved it with a workaround so far? RADIUS with VLAN assignment would be possible, but not every client is capable of 802.1X, nor of captive portal.
 
pe1chl
Forum Guru
Posts: 5985
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sat Oct 26, 2019 7:59 pm

You can do this standards-based when using WPA2-EAP. Almost every client supports it.
 
Zebble
newbie
Posts: 45
Joined: Mon Oct 17, 2011 4:07 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sat Oct 26, 2019 10:44 pm

> You can do this standards-based when using WPA2-EAP. Almost every client supports it.
This isn't the same as dynamic PSK. Not all devices support EAP, and DPSK is far simpler from a user perspective.
 
pe1chl
Forum Guru
Posts: 5985
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sun Oct 27, 2019 1:00 am

You can always buy an AP that supports it!
You will never find all features in all possible devices at all price levels.
 
Zebble
newbie
Posts: 45
Joined: Mon Oct 17, 2011 4:07 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sun Oct 27, 2019 1:14 am

> You can always buy an AP that supports it!
> You will never find all features in all possible devices at all price levels.
The problem isn't the AP (we're talking about Mikrotik - they all support EAP), it's the client devices. Not all support EAP, especially consumer devices. The example above of an apartment building is a relevant example where EAP would be ineffective.
 
UpRunTech
Frequent Visitor
Posts: 92
Joined: Fri Jul 27, 2012 12:11 pm

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Sun Oct 27, 2019 1:41 am

> > You can always buy an AP that supports it!
> > You will never find all features in all possible devices at all price levels.
> The problem isn't the AP (we're talking about Mikrotik - they all support EAP), it's the client devices. Not all support EAP, especially consumer devices. The example above of an apartment building is a relevant example where EAP would be ineffective.
Yes, devices like Chromecast and printers don't support EAP.

I too in the past have wished for password based VLAN assignment without using RADIUS. In the end I have done it using the hotspot, CAPSMAN and some script fu - as in hotspot logins get put on their own VLAN. It works very well considering there is no RADIUS involved. Using hotspot of course implies there is no Wifi encryption (until WPA3 comes along).
 
newhotelowner
just joined
Posts: 8
Joined: Wed Dec 04, 2019 4:10 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Tue Dec 10, 2019 3:43 am


> Yes, devices like Chromecast and printers don't support EAP.
>
> I too in the past have wished for password based VLAN assignment without using RADIUS. In the end I have done it using the hotspot, CAPSMAN and some script fu - as in hotspot logins get put on their own VLAN. It works very well considering there is no RADIUS involved. Using hotspot of course implies there is no Wifi encryption (until WPA3 comes along).
Could you share the script? I have been looking for a solution to assign VLAN based on the hotspot login.
 
eworm
Member
Posts: 427
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Tue Dec 10, 2019 10:12 am

I use this script on a hotspot system: hotspot-to-wpa (add this with on-login=hotspot-to-wpa in hotspot profile)

The user has to connect to open network and authenticate to hotspot. An access-list entry for his device (mac address) is created, using the hotspot password for WPA passphrase. Not exactly what was requested, but perhaps some can use it or get some ideas.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
newhotelowner
just joined
Posts: 8
Joined: Wed Dec 04, 2019 4:10 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Wed Dec 11, 2019 12:06 am

Thanks eworm! This is very interesting. I think I can use it to assign the user to a VLAN.

Basically, I want user to be in the same VLAN as the chromecast, so they can cast the content in the hotel room TV.

I only want the guest to access the chromecast in their room. The only way I can make this happen is if the guest and the chromecast are in the same VLAN.
 
eworm
Member
Posts: 427
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Wed Dec 11, 2019 2:09 pm

Well, you need to have an assignment from user to VLAN. You could use the username (available as $UserName) or a substring of it. So if user "1234" with password "secret" logs in you create an access list entry for VLAN 1234, user's mac address and his passphrase "secret". Alternatively you could get your VLAN from comments in "/ ip hotspot user"...
 
newhotelowner
just joined
Posts: 8
Joined: Wed Dec 04, 2019 4:10 am

Re: Feature Request : Wireless Private Passphrase as a Match in Access-List

Thu Dec 12, 2019 1:10 am

After the user is logged in from the hotspot page, I update the access-list with the user's mac address and the VLAN.

Now, how do I force the user to reconnect so that the user gets the right VLAN?
