Security

Hi community. I hope I am using the right discussion group. I would like to discuss how this feature MPSK, DPSK, iPSK can be secure if we are assigning multiple PSK to the same SSID helping brute force attack in a way that maching the write password would be easier. I understand that a good 8 character long WPA2 password could be extremely hard to find, however my concern is that this is becoming a standar to increase security and an option to not implement 802.1x that many thinks is complex. I would like to know what am I missing and your opinion about this. Thanks!

------------------------------
Martin Rodriguez
------------------------------

Hi Martin,

Aruba's MPSK is intended for IOT devices that do not support 802.1x. It works in combination with Aruba ClearPass where the PSK is instructed to the Aruba Controller based on a mac address pre-authentication. Each endpoint device can only connect with its own personal PSK. In-fact ClearPass will push the WPA2 key configuration to the controller what's only allowed for a specific client mac-address.

It is therefore not the case that the controller accepts different PSKs from one and the same endpoint device.

Aruba's MPSK is not intended to be used for guest devices because each mac-address must be registered. It is not useful if a guest user has to provide his mac address of which he has no knowledge. MPSK will never be an replacement for 802.1x capable devices, because 802.1x EAP-TLS is the holy grail in securing WiFi connections on this moment.

MPSK only works based on WPA-2 Personal. Because WPA-2 will always be sensitive to brute force attacks, it is wise to make passwords at least 12 characters long. WPA-3 will solve that issue but it takes some years before all IOT devices (old and new) wil support WPA-3. Yes WPA-3 is backwards compatible but that's also the weakness of the standard. WPA-3 will be only strong when backwards compatibility is disabled. And that's why MPSK is the best option fot IOT devices at this moment when they not support 802.1x or WPA-3.

------------------------------
Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
------------------------------

Original Message:
Sent: Nov 15, 2020 08:52 AM
From: Martin Rodriguez
Subject: MPSK - Security discussion

Hi community. I hope I am using the right discussion group. I would like to discuss how this feature MPSK, DPSK, iPSK can be secure if we are assigning multiple PSK to the same SSID helping brute force attack in a way that maching the write password would be easier. I understand that a good 8 character long WPA2 password could be extremely hard to find, however my concern is that this is becoming a standar to increase security and an option to not implement 802.1x that many thinks is complex. I would like to know what am I missing and your opinion about this. Thanks!

------------------------------
Martin Rodriguez
------------------------------

Thanks Marcel for your detail explanation. MPSK / MAC pair is a must for security enforcement. I want to believe that other vendors are doing the same. Regards

------------------------------
Martin Rodriguez
------------------------------

Original Message:
Sent: Nov 15, 2020 04:55 PM
From: marcel koedijk
Subject: MPSK - Security discussion

Hi Martin,

Aruba's MPSK is intended for IOT devices that do not support 802.1x. It works in combination with Aruba ClearPass where the PSK is instructed to the Aruba Controller based on a mac address pre-authentication. Each endpoint device can only connect with its own personal PSK. In-fact ClearPass will push the WPA2 key configuration to the controller what's only allowed for a specific client mac-address.

It is therefore not the case that the controller accepts different PSKs from one and the same endpoint device.

Aruba's MPSK is not intended to be used for guest devices because each mac-address must be registered. It is not useful if a guest user has to provide his mac address of which he has no knowledge. MPSK will never be an replacement for 802.1x capable devices, because 802.1x EAP-TLS is the holy grail in securing WiFi connections on this moment.

MPSK only works based on WPA-2 Personal. Because WPA-2 will always be sensitive to brute force attacks, it is wise to make passwords at least 12 characters long. WPA-3 will solve that issue but it takes some years before all IOT devices (old and new) wil support WPA-3. Yes WPA-3 is backwards compatible but that's also the weakness of the standard. WPA-3 will be only strong when backwards compatibility is disabled. And that's why MPSK is the best option fot IOT devices at this moment when they not support 802.1x or WPA-3.

------------------------------
Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE

Original Message:
Sent: Nov 15, 2020 08:52 AM
From: Martin Rodriguez
Subject: MPSK - Security discussion

Hi community. I hope I am using the right discussion group. I would like to discuss how this feature MPSK, DPSK, iPSK can be secure if we are assigning multiple PSK to the same SSID helping brute force attack in a way that maching the write password would be easier. I understand that a good 8 character long WPA2 password could be extremely hard to find, however my concern is that this is becoming a standar to increase security and an option to not implement 802.1x that many thinks is complex. I would like to know what am I missing and your opinion about this. Thanks!

------------------------------
Martin Rodriguez
------------------------------

Hi Martin.

16 chars or more would be my recommendation.
EAP-TLS would be the safest connection method.

I cannot see from your post if we are talking about AOS with controllers, Instant AP setup or with/without ClearPass.

MPSK was initially only possible with ClearPass Policy Manager.
MPSK local is posshbiel with IAP 8.7 software on the Aruba Access Points with some limitations.

Release Notes.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00101270en_us

Anyway in regards to the general question of brute force, MPSK suffers as PSK do.

I would like to see my good options of certificate management, BYOD/MDM that could enable EAP-TLS for more devices.
Lot of IoT devices will not have a 802.1X supplicant so we still needs way to handle these.

------------------------------
Tom Roholm
------------------------------

Original Message:
Sent: Nov 15, 2020 08:52 AM
From: Martin Rodriguez
Subject: MPSK - Security discussion

Hi community. I hope I am using the right discussion group. I would like to discuss how this feature MPSK, DPSK, iPSK can be secure if we are assigning multiple PSK to the same SSID helping brute force attack in a way that maching the write password would be easier. I understand that a good 8 character long WPA2 password could be extremely hard to find, however my concern is that this is becoming a standar to increase security and an option to not implement 802.1x that many thinks is complex. I would like to know what am I missing and your opinion about this. Thanks!

------------------------------
Martin Rodriguez
------------------------------

Hi Tom. I am talking in general for every vendor. I am reading about this in different RFP/RFQ. I agree that wifi auth is suffering from not very straight forward on boarding process, however ClearPass is covering most of the possibles on boarding process. Regards!

------------------------------
Martin Rodriguez
------------------------------

Original Message:
Sent: Nov 16, 2020 07:15 AM
From: Tom Roholm
Subject: MPSK - Security discussion

Hi Martin.

16 chars or more would be my recommendation.
EAP-TLS would be the safest connection method.

I cannot see from your post if we are talking about AOS with controllers, Instant AP setup or with/without ClearPass.

MPSK was initially only possible with ClearPass Policy Manager.
MPSK local is posshbiel with IAP 8.7 software on the Aruba Access Points with some limitations.

Release Notes.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00101270en_us

Anyway in regards to the general question of brute force, MPSK suffers as PSK do.

I would like to see my good options of certificate management, BYOD/MDM that could enable EAP-TLS for more devices.
Lot of IoT devices will not have a 802.1X supplicant so we still needs way to handle these.

------------------------------
Tom Roholm

Original Message:
Sent: Nov 15, 2020 08:52 AM
From: Martin Rodriguez
Subject: MPSK - Security discussion

Hi community. I hope I am using the right discussion group. I would like to discuss how this feature MPSK, DPSK, iPSK can be secure if we are assigning multiple PSK to the same SSID helping brute force attack in a way that maching the write password would be easier. I understand that a good 8 character long WPA2 password could be extremely hard to find, however my concern is that this is becoming a standar to increase security and an option to not implement 802.1x that many thinks is complex. I would like to know what am I missing and your opinion about this. Thanks!

------------------------------
Martin Rodriguez
------------------------------

Other vendors use MPSK in different ways. For example Aerohive have MPSK without checking the mac-address and don't need a external authentication server like Aruba ClearPass. What Aerohive's MPSK does, it's allow different PSK for the same SSID for all clients where "x" clients can use the MPSK what disappear after 24 hour (for example). This method could be consider as less secure as the Aruba's MPSK feature (what consider PSK and MAC), but it's still a nice feature to give guests a unique PSK for there guest access, such as a Starbucks or MacDonald. MPSK will always be better than a captive-portal without 802.11 encryption.

Also note we talk here about encryption on the 802.11 layer. Guest portals are basically always unsecure because it's not encrypted at the 802.11 layer and only a open 802.11 network with a DNS redirection, but still this can be secured by the application layers such as HTTPS/SSL/VPN for example. But that's another discussion ;).

------------------------------
Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
------------------------------

Original Message:
Sent: Nov 16, 2020 07:26 AM
From: Martin Rodriguez
Subject: MPSK - Security discussion

Hi Tom. I am talking in general for every vendor. I am reading about this in different RFP/RFQ. I agree that wifi auth is suffering from not very straight forward on boarding process, however ClearPass is covering most of the possibles on boarding process. Regards!

------------------------------
Martin Rodriguez

Original Message:
Sent: Nov 16, 2020 07:15 AM
From: Tom Roholm
Subject: MPSK - Security discussion

Hi Martin.

16 chars or more would be my recommendation.
EAP-TLS would be the safest connection method.

I cannot see from your post if we are talking about AOS with controllers, Instant AP setup or with/without ClearPass.

MPSK was initially only possible with ClearPass Policy Manager.
MPSK local is posshbiel with IAP 8.7 software on the Aruba Access Points with some limitations.

Release Notes.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00101270en_us

Anyway in regards to the general question of brute force, MPSK suffers as PSK do.

I would like to see my good options of certificate management, BYOD/MDM that could enable EAP-TLS for more devices.
Lot of IoT devices will not have a 802.1X supplicant so we still needs way to handle these.

------------------------------
Tom Roholm

Original Message:
Sent: Nov 15, 2020 08:52 AM
From: Martin Rodriguez
Subject: MPSK - Security discussion

Hi community. I hope I am using the right discussion group. I would like to discuss how this feature MPSK, DPSK, iPSK can be secure if we are assigning multiple PSK to the same SSID helping brute force attack in a way that maching the write password would be easier. I understand that a good 8 character long WPA2 password could be extremely hard to find, however my concern is that this is becoming a standar to increase security and an option to not implement 802.1x that many thinks is complex. I would like to know what am I missing and your opinion about this. Thanks!

------------------------------
Martin Rodriguez
------------------------------