Wireless clients can be authenticated against a RADIUS server using MAC authentication combined with Multi Pre-Shared Key (MPSK). Instead of storing each passphrase statically on the FortiGate, the RADIUS server returns the MPSK passphrase dynamically when it authenticates the client MAC. The passphrases are then cached on the FortiGate for subsequent authentications, with a cache timeout configured per VAP.
The user registers to the RADIUS server, where the client MAC is stored and a passphrase is generated for the user device or group. When the user connects to the FortiAP SSID using WPA-Personal, the FortiGate wireless controller dynamically authenticates the device with its client MAC address, using RADIUS based MAC authentication. The RADIUS server returns a Tunnel-Password for that user device or group. If the client provided a passphrase that matches the Tunnel-Password, the client will successfully authenticate to the SSID, and be placed into a VLAN if one was specified.
In the first example, the client connects to the SSID wifi-ssid.fap.01 in tunnel mode, so the MPSK key is cached on the FortiGate. In the second example, the client connects to the SSID wifi-ssid.fap.02 in bridging mode, so the MPSK key is cached on the FortiAP.
The static passphrase is a placeholder that should be complex enough that it cannot be guessed. A wireless client can use it to connect, but it is not required, because this solution relies on the dynamic passphrases stored on the RADIUS server.
Dynamic VLAN is not configured on either VAP, so the FortiGate does not apply the VLAN returned by the RADIUS server, although it still caches it. As a result, the cache entry and the station statistics can show different VLAN IDs.
The Allen School physical network is intended solely for research and instructional need in Computer Science and Engineering, and is restricted to use by faculty, staff, and students in the Allen School. Access to the UW-wide wireless network ('UniversityofWashington' SSID) is available in the Paul G. Allen Center, Sieg Hall, and the Bill & Melinda Gates Center building. CSE also maintains a private limited wireless network for specialized research only, access to which is granted by request.
Although most devices will redirect your browser to authenticate and register, you can opt to manually register (or manage existing registrations) via the following UW IT URL: -networks/campus-wi-fi/manual-wifi-reg/
Connection of computing devices to the School's wired network requires prior registration. To start the process, please complete this form. If UW-owned (vs. a personal device), you will need to provide the tag number before we can set up networking for the device.
The UW MPSK network is an encrypted Wi-Fi network available at the UW using private IP address space and is available at UW Campuses, UW Facilities and soon at UW Medical Centers. It is the recommended Wi-Fi connection method for IoT Devices, TVs or game consoles that require a Pre-Shared Key Wi-Fi network. For more information, see the UW MPSK page.
The University of Washington has guidelines for appropriate use of its computer networks and resources, and you are agreeing to abide by them as a condition of your connection to the UW or CSE networks.
The department does not allow private routers serving unrestricted DHCP to be connected to the CSE network. If you have questions about connecting such a device to the CSE network, please contact CSE Support.
To support multiple PSKs on a single SSID, the AP expands the 4-way handshake so that the MIC can be checked against every passphrase in the MPSK profile pool for that SSID. If the calculated MIC matches one in the pool, the AP continues the keying process and the client is allowed onto the network.
Thank you so much for the post.
The only thing I was not getting was how to associate a role with a passphrase: just enter the role name after the password. (mpsk-local-passphrase pass 12345678 role1)
Is there a way to change this so users can set the MPSK when creating the device or view the MPSK in the GUI Receipt? I've added mpsk and mpsk_enable fields to my mac_create and mac_trac_create forms, but that doesn't help any.
I've managed to import devices and their individual PSKs and that works on the Wi-Fi. But I'm having trouble visualizing the PSK per device using the print template "Device Registration". The Wi-Fi password is not shown when the device was created with CSV import. However, when I create the device through the GUI (button "Create"), the print template shows the Wi-Fi password just fine.
You CAN actually view passwords once they are created, and export them as well. You need to enable "Password Display" under Guest Manager. Then add the MPSK field to your mac_list and mac_export fields. This will allow a super admin to view and export device lists with Wi-Fi passwords.
I was looking for devices that supported Private Pre-Shared Keys (PPSK), which allow a single access point to be broadcast and, depending on the pre-shared key (i.e. the Wi-Fi password) used, assign various privileges.
Also, a lot of write-ups use Central to configure MPSK, which is paid cloud management software. That does provide a user interface for creating MPSKs. What I wanted to do was use the virtual local controller, so that it does not cost any money and I still get this awesome feature.
Create an MPSK network. The name of the network will appear in the web interface under Configuration > Networks. In my example, I will call it mpsk.
wlan mpsk-local mpsk
Keep the quotes, but replace everything inside the brackets, including the brackets. For IoT, I will create an MPSK profile called iot-mpsk-profile with myiotpassword as the password, tied to the role iot that was created earlier.
mpsk-local-passphrase iot-mpsk-profile "myiotpassword" "iot"
Press enter to send the command. Now for the rest of the MPSK profiles:
mpsk-local-passphrase myfamily-mpsk-profile "myfamilypassword" "myfamily"
mpsk-local-passphrase guests-mpsk-profile "myguestpassword" "guests"
The network should be set up and broadcasting now. You can confirm this by going to Configuration > Networks, where it should appear in the list. Also check that the commands above appear in the raw configuration under Maintenance > Configuration.
This is a really cool feature. It is not as secure as WPA-Enterprise, but it is a lot slicker than plain old pre-shared keys: you reduce the number of wireless networks being broadcast and use the roles to segregate the network.
Many Wi-Fi-enabled devices intended for home users do not support 802.1X authentication. Some of these are increasingly used in enterprise Wi-Fi environments, be it universities, dormitories, or regular businesses with some shiny new piece of IoT that is capable of WPA2-PSK only. Some vendors solved this problem by implementing a proprietary authentication method that gives each device a unique WPA2 pre-shared key based on the MAC address of the device, even allowing a RADIUS server to store these identities. In contrast to 802.1X (EAPOL) authentication, both the client and the AP need to possess the correct PSK to associate and complete the 4-way handshake. Therefore, the AP needs to know the exact PSK the client will use to connect. Some vendors store this information on the controllers or APs themselves; others consult a RADIUS server using the MAC address of the client to retrieve the key. Another drawback of any private/multiple-PSK solution is that the PSK cannot be stored in a one-way hashed form; it needs to be available in plaintext (or as the equivalent PMK, which is just as usable for joining the network).
Aruba recently caught up with other Wi-Fi vendors by offering a form of "private PSK" called MPSK (multiple PSK). It is advertised as usable only with ClearPass Policy Manager; however, it is implemented using the vendor-specific RADIUS attribute "Aruba-MPSK-Passphrase" and also works with FreeRADIUS (provided it is new enough). For details, see the entry on v0ttis wiki: Using Aruba MPSK with FreeRadius
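The pool-matching step from the Aruba thread above (checking message 2's MIC against every passphrase in the pool) and the plaintext-key requirement described in this entry, as an added illustration in Python that is not code from Aruba, Fortinet, FreeRADIUS or any of the quoted posts. It follows the WPA2-PSK derivations (PBKDF2-HMAC-SHA1 PMK, PRF-384 PTK, HMAC-SHA1-128 MIC) with a minimal EAPOL-Key message 2; the SSID name, the key store and the MAC addresses are constructed assumptions. The per-MAC entry stands in for a key returned by a RADIUS lookup, the pool for locally configured MPSK profiles.

```python
"""Multi-PSK 4-way handshake check: the AP verifies the MIC on EAPOL-Key
message 2 against every candidate passphrase for the SSID.
Added illustration only; not vendor code. Assumes WPA2-PSK with AKM
00-0F-AC:2 (HMAC-SHA1-128 MIC, key descriptor version 2)."""
import hashlib
import hmac
import os

SSID = "mpsk"  # assumed SSID name

# Constructed key store. Real deployments pull this from the controller or a
# RADIUS lookup keyed by client MAC; either way the key must be usable in the
# clear (passphrase or PMK), never as a one-way hash.
POOL = {"iot": "myiotpassword", "guests": "myguestpassword"}
PER_MAC = {bytes.fromhex("001122334455"): ("myfamily", "myfamilypassword")}

_pmk_cache = {}


def pmk_for(passphrase, ssid=SSID):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32). Cached, because
    this is the expensive step when a whole pool is tried per handshake."""
    key = (passphrase, ssid)
    if key not in _pmk_cache:
        _pmk_cache[key] = hashlib.pbkdf2_hmac(
            "sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return _pmk_cache[key]


def ptk(pmk, aa, spa, anonce, snonce):
    """PRF-384 over min/max of the MAC addresses and nonces; KCK is bytes 0..15."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                 hashlib.sha1).digest() for i in range(3))
    return out[:48]


MIC_OFF = 4 + 77      # 802.1X header + offset of Key MIC in the EAPOL-Key body
SNONCE_OFF = 4 + 13   # 802.1X header + descriptor, key info, key length, replay counter


def build_msg2(snonce, rsn_ie=b""):
    """Minimal EAPOL-Key message 2 with the MIC field zeroed."""
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: pairwise, MIC set, version 2
            + b"\x00\x10"                 # key length 16 (CCMP)
            + (1).to_bytes(8, "big")      # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)   # key IV, RSC, reserved
            + bytes(16)                   # Key MIC, filled in later
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def mic(kck, frame):
    """HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def client_msg2(passphrase, aa, spa, anonce, snonce=None):
    """Supplicant side: derive KCK from its own passphrase and sign message 2."""
    snonce = snonce or os.urandom(32)
    kck = ptk(pmk_for(passphrase), aa, spa, anonce, snonce)[:16]
    frame = build_msg2(snonce)
    return frame[:MIC_OFF] + mic(kck, frame) + frame[MIC_OFF + 16:]


def ap_match(frame, aa, spa, anonce):
    """AP side: try the per-MAC key first (RADIUS model), then the pool
    (local MPSK profiles). Returns the role whose key verifies, else None."""
    snonce = frame[SNONCE_OFF:SNONCE_OFF + 32]
    received = frame[MIC_OFF:MIC_OFF + 16]
    candidates = [PER_MAC[spa]] if spa in PER_MAC else []
    candidates.extend(POOL.items())
    for role, passphrase in candidates:
        kck = ptk(pmk_for(passphrase), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(mic(kck, frame), received):
            return role
    return None


if __name__ == "__main__":
    aa = bytes.fromhex("aabbccddeeff")            # constructed AP MAC
    spa = bytes.fromhex("001122334455")           # constructed client MAC
    anonce = os.urandom(32)
    print(ap_match(client_msg2("myiotpassword", aa, spa, anonce), aa, spa, anonce))
```

Two things the code makes visible: the AP cannot verify the MIC without reproducing the supplicant's KCK, so every candidate key must be stored in recoverable form (caching the PMK instead of the passphrase changes nothing, since the PMK alone is enough to join); and the cost of a failed association grows linearly with the pool size, which is why the PMK cache matters on a real AP. A captured handshake is still subject to the same offline dictionary attack as any WPA2-PSK network, only now against a larger key pool.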