Security

hello Airheads,

got a customer who wants to deploy MPSK solution with username and password.

They have 6.10 Clearpass and Aruba Central.

i just wondered whether anyone has done this ?

we are at the proof of concept stage and are looking at best options for a test lab.

802.1x is one but they have asked for guidance on the MPSK question.

cheers

Pete

Hi Pete

I would say it's not possible to do, or maybe I don't understand what and how they would like to implement this.

PSK/MPSK is one type of authentication where you just sends the PSK, and in the case of MPSK the key is different depending on device.

802.1x is another type of authentication where you send a certificate or a username and password. The can't be active on the same SSID.

The only thing I can figure out is to combine the MPSK with a captive portal where the user does a normal web login. Quite unusual and maybe not so user friendly.

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Jonas is correct, I think the customer may misunderstand how MPSK is implemented, it's essentially the same as a standard PSK, but can be unique per device. At our organization, we leverage MPSK for vendors to connect their devices that don't support 802.1X authentication, by doing so we can limit which devices can use a key, provide unique keys per vendor, and prevent exposure of the actual key outside our organization.  In this case, WPA2/WPA3 Personal does not require a username, only a password which is derived from the RADIUS response after the MAC auth takes place. Be aware that for 6GHz/WPA3 - MPSK is not an available option (yet). If your customer is looking to leverage a unique username and password, ClearPass and Central have options for both LDAP/AD accounts or local accounts.

In my opinion, if a device supports 802.1X authentication in WPA2/WPA3 enterprise, I would go that route, but if the device does not, MPSK would probably be valuable assuming it's not a WPA3/6GHz SSID. 

Alternatively, in the ClearPass service, you could reference the "Authentication Username" and "Connection Client-Mac-Address" to combine in the policy which would sort of accomplish the same idea without the MPSK being involved. 

------------------------------
Michael Haring
Sr. Network and Communications Expert
Lehigh Valley Health Network
------------------------------

thnaks for getting back Jonas and Michael,

i probably should have explained better, it a bit of a rushed posting apologies,

The customer wants to have 2 x test set up SSID's.

1. 802.1x ssid (PEAP MSCHV2)
2. MPSK ssid , they want to give new students a set of AD credentials  (username and password) and test a guest welcome page with  username and password backed off to AD and an MPSK solution.
3. Thet want to test both solutions to see the best fit. I suggested the 802.1x route but they want to test both ideas. i've not done an MPSK solution before.
4. cheers
5. Pete

Original Message:
Sent: Nov 16, 2023 11:16 AM
From: mharing
Subject: MPSK with user auth

Jonas is correct, I think the customer may misunderstand how MPSK is implemented, it's essentially the same as a standard PSK, but can be unique per device. At our organization, we leverage MPSK for vendors to connect their devices that don't support 802.1X authentication, by doing so we can limit which devices can use a key, provide unique keys per vendor, and prevent exposure of the actual key outside our organization.  In this case, WPA2/WPA3 Personal does not require a username, only a password which is derived from the RADIUS response after the MAC auth takes place. Be aware that for 6GHz/WPA3 - MPSK is not an available option (yet). If your customer is looking to leverage a unique username and password, ClearPass and Central have options for both LDAP/AD accounts or local accounts.

In my opinion, if a device supports 802.1X authentication in WPA2/WPA3 enterprise, I would go that route, but if the device does not, MPSK would probably be valuable assuming it's not a WPA3/6GHz SSID. 

Alternatively, in the ClearPass service, you could reference the "Authentication Username" and "Connection Client-Mac-Address" to combine in the policy which would sort of accomplish the same idea without the MPSK being involved. 

------------------------------
Michael Haring
Sr. Network and Communications Expert
Lehigh Valley Health Network
------------------------------

I think their best option will be individual credentials per user, with MPSK, you need to define each MAC address with which key it's expecting. What that means is the administrator will need to know every MAC connecting with the key(s) and when students get new devices it's a constant process, a lot of administrative overhead. Whereas an account allows multiple devices to connect regardless of MAC. If you want to remove a single device from the network, with MPSK you remove the MAC from the policy, with AD credentials, they can be on multiple devices, but you can still blacklist or disallow certain MACs in your policy. 

------------------------------
Michael Haring
------------------------------

Original Message:
Sent: Nov 20, 2023 07:04 AM
From: peter elms
Subject: MPSK with user auth

thnaks for getting back Jonas and Michael,

i probably should have explained better, it a bit of a rushed posting apologies,

The customer wants to have 2 x test set up SSID's.

1. 802.1x ssid (PEAP MSCHV2)
2. MPSK ssid , they want to give new students a set of AD credentials  (username and password) and test a guest welcome page with  username and password backed off to AD and an MPSK solution.
3. Thet want to test both solutions to see the best fit. I suggested the 802.1x route but they want to test both ideas. i've not done an MPSK solution before.
4. cheers
5. Pete

Original Message:
Sent: Nov 16, 2023 11:16 AM
From: mharing
Subject: MPSK with user auth

Jonas is correct, I think the customer may misunderstand how MPSK is implemented, it's essentially the same as a standard PSK, but can be unique per device. At our organization, we leverage MPSK for vendors to connect their devices that don't support 802.1X authentication, by doing so we can limit which devices can use a key, provide unique keys per vendor, and prevent exposure of the actual key outside our organization.  In this case, WPA2/WPA3 Personal does not require a username, only a password which is derived from the RADIUS response after the MAC auth takes place. Be aware that for 6GHz/WPA3 - MPSK is not an available option (yet). If your customer is looking to leverage a unique username and password, ClearPass and Central have options for both LDAP/AD accounts or local accounts.

In my opinion, if a device supports 802.1X authentication in WPA2/WPA3 enterprise, I would go that route, but if the device does not, MPSK would probably be valuable assuming it's not a WPA3/6GHz SSID. 

Alternatively, in the ClearPass service, you could reference the "Authentication Username" and "Connection Client-Mac-Address" to combine in the policy which would sort of accomplish the same idea without the MPSK being involved. 

------------------------------
Michael Haring
Sr. Network and Communications Expert
Lehigh Valley Health Network