ePSK - Multiple Pre-Shared Keys

Just in case you missed it, cnMaestro Version 2.2.1 (Cloud and On-Premise) brings us a great new feature called ePSK. If you’re not familiar with ePSK, it’s maybe because Cambium are too modest to toot their own trumpet, so I’m going to do it for them.

In short, ePSK gives each user a unique PSK (pre-shared key) when using WPA2-Personal. To explain why this is such a useful feature, let me first explain the problem with using a shared PSK across the whole WLAN.

When a wireless client connects to an AP it completes a 4-way handshake, which generates the encryption keys used to encrypt wireless traffic. For the 4-way handshake to work, both the client and the AP must know the passphrase; however, the passphrase is never transmitted over the air, thereby making this exchange reasonably secure.

But what happens when a 3rd party already knows the passphrase? It means they just need to capture the 4-way handshake to generate the encryption keys and decrypt your wireless traffic.

Have you ever been to a coffee shop, restaurant or hotel where everyone shares the same PSK for a guest network? Because the PSK is publicly shared, your traffic can potentially be captured and decrypted.

ePSK gives each user a unique PSK, which means that no one else knows your passphrase, making the whole process much more secure.

Below is a screenshot from Wireshark. On the left, ePSK is used, so I couldn’t decrypt the traffic as I did not know the PSK; on the right, I was able to decrypt the traffic because a shared PSK was used:

If you’re ever deploying guest Wi-Fi and want to secure communications, ePSK is a great way to do it. But it can also be applied to other environments as well: for example, a small business without the skill set to operate a RADIUS server could utilise ePSK quite easily, giving them a more secure option than standard WPA2-PSK.

Using ePSK in cnMaestro is easy to do and mostly self-explanatory. It can be found under WLANs > “WLAN name” > ePSK.

One nice feature is the ability to generate bulk PSKs which can be exported and distributed out to users as needed.

Another useful feature is the ability to assign different PSKs to different VLANs. For example, if you’re issuing a PSK to someone in the Finance Department they might be on VLAN20, but if you’re issuing a PSK to someone in the Sales Department they might be on VLAN30, all from one SSID.

Admittedly, Cambium aren’t the first to introduce multiple PSKs; Ruckus and Aerohive have released similar features, but in my experience their solutions come at a higher cost.

So credit where credit is due, this is a great feature that’s clearly been well thought out. Well done Cambium.

18 Likes
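The point the post makes about the 4-way handshake can be shown with the actual WPA2 key derivation. The following is an added worked example, not code from the original post or from Cambium: it derives the PMK from passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations) and the PTK from the PMK plus the values that are sent in the clear during the handshake (both MAC addresses and both nonces), then compares what a second user of the same WLAN can recompute. The SSID, MAC addresses and passphrases are constructed sample values.

```python
"""Why a shared WPA2 passphrase lets another user recover your session keys,
and why a per-user passphrase (ePSK) does not. Added example; assumptions noted inline."""
import hashlib
import hmac
import os


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), as in IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_802_11i(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., truncated to nbytes."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Every input except the PMK travels in the clear during the 4-way handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_802_11i(pmk, b"Pairwise key expansion", data, 64)


def temporal_key(ptk: bytes) -> bytes:
    """For CCMP the PTK splits into KCK (16) || KEK (16) || TK (16); the TK protects the data frames."""
    return ptk[32:48]


def capture_handshake(ssid: str, ap_mac: bytes, sta_mac: bytes, station_passphrase: str):
    """Simulate a client joining: AP and station derive the PTK from the station's passphrase.
    The returned 'capture' holds only what an observer sees on the air (no passphrase, no key)."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    ptk = wpa2_ptk(wpa2_pmk(station_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    capture = {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce}
    return capture, temporal_key(ptk)


def observer_recovers_tk(capture: dict, observer_passphrase: str, station_tk: bytes) -> bool:
    """Another legitimate user of the same WLAN re-derives the PTK from the passphrase it was given
    plus the captured public values. True means that user could decrypt the station's traffic."""
    pmk = wpa2_pmk(observer_passphrase, capture["ssid"])
    ptk = wpa2_ptk(pmk, capture["ap_mac"], capture["sta_mac"], capture["anonce"], capture["snonce"])
    return hmac.compare_digest(temporal_key(ptk), station_tk)


def demo():
    """Returns (shared_psk_exposed, epsk_exposed) for the two deployment patterns in the post."""
    ssid = "CoffeeShopGuest"  # constructed SSID
    ap_mac = bytes.fromhex("0201020304aa")  # constructed locally administered MAC addresses
    sta_mac = bytes.fromhex("020102030411")

    # Case 1: one PSK for everyone (the guest-network pattern); every other guest knows it.
    cap, tk = capture_handshake(ssid, ap_mac, sta_mac, "FreeWifi2019")
    shared = observer_recovers_tk(cap, "FreeWifi2019", tk)

    # Case 2: ePSK, each user has their own passphrase; the observer only knows its own.
    cap, tk = capture_handshake(ssid, ap_mac, sta_mac, "u-alice-7TqP4k")
    per_user = observer_recovers_tk(cap, "u-bob-9Xm2Lw", tk)
    return shared, per_user


if __name__ == "__main__":
    s, p = demo()
    print(f"shared PSK: observer recovers TK = {s}; ePSK: observer recovers TK = {p}")
```

Note what the per-user case does and does not buy you: a different passphrase gives a different PMK, so a neighbour's handshake capture yields nothing, but anyone who holds a particular ePSK still sees everything that user's devices send, which is why the later replies ask for usernames in the client list and a device limit per key.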

This would be awesome for MDUs!

You can have a single SSID for an entire complex/site and create a PSK+VLAN for each unit, which would allow all of a resident's devices to be on the same LAN (Useful for things like Chromecast/Airplay), but isolated from their neighbours.

I was just reading Cambium's cnPilot MDU white paper the other day and they suggested some sort of RADIUS / captive portal system that would allow a user to "onboard" devices into some sort of account, which would be OK but would be especially clunky for IoT type devices where the user would have to figure out the MAC address for each one, login to some sort of portal and enter things in manually... Which just sounds like a 30+ minute tech support call to me.

4 Likes

@BenJ couldn’t agree with you more, MDUs are a perfect deployment scenario for ePSK. This feature really is a game changer.

Hi, lovely news! I love this great feature!
I tried to implement it, but I have some questions:

- Can you limit the number of devices per key? You can use the same ePSK on multiple devices.
- When I use the ePSK all is fine, and on the wireless client list I can see the device, but no "username" appears, so I don't know who is using ePSK, or whether anyone is. What's wrong on my side?
- In the ePSK management page, I can't find any search field :-(

Thanks!

Hi,

This is exactly what I need in my project!

Started to test it already! But it looks like I am missing something, because I cannot connect to my WLAN with any device.

Can you help me with how to configure this function to make it work?

I set the Security to WPA2 Enterprise and generated some PSKs. What else should I do?

Thanks in advance!


@wtrucci wrote:

Hi, lovely news! I love this great feature!
I tried to implement it, but I have some questions:

- Can you limit the number of devices per key? You can use the same ePSK on multiple devices.
- When I use the ePSK all is fine, and on the wireless client list I can see the device, but no "username" appears, so I don't know who is using ePSK, or whether anyone is. What's wrong on my side?
- In the ePSK management page, I can't find any search field :-(

Thanks!


I don't believe you can limit the number of users per ePSK; if you don't mind, I'll add this as an idea, as I can see how that would be useful.

I'm also not seeing a user name appear in the WLAN Clients page.


You can, however, search by user name from the ePSK management page; you just need to click the little funnel icon.



@csalint wrote:

Hi,

This is exactly what I need in my project!

Started to test it already! But it looks like I am missing something, because I cannot connect to my WLAN with any device.

Can you help me with how to configure this function to make it work?

I set the Security to WPA2 Enterprise and generated some PSKs. What else should I do?

Thanks in advance!


Can you change the security to WPA2 Pre-shared Key and try again?

1 Like

Don’t worry and thanks for your answers.
I’m new on Cambium.
I think that without a username in the client list and a limit on devices, ePSK is not so complete.
Please add to ideas if you can!
Thanks.

1 Like

Thanks for your reply!

I tried, but this way nothing forces me (and there is no opportunity) to use a username. Do I need to enable the ePSK function somewhere?

Can you send me (and other dummies) a step-by-step guide?

Thank you!


@csalint wrote:

Thanks for your reply!

I tried, but this way nothing forces me (and there is no opportunity) to use a username. Do I need to enable the ePSK function somewhere?

Can you send me (and other dummies) a step-by-step guide?

Thank you!


Sure thing, here is my working config:

Add a new WLAN. Set the "Name" and "SSID". Set the Security to WPA2 Pre-Shared Key and change the default password. Click Save.

Click "ePSK" and click "Add New". Enter a User Name and Passphrase (MAC Address and VLAN are optional). Click Save, and click Save again.

When you connect to the WLAN, you should enter your ePSK passphrase (there is no need to enter a username).

NOTE 1: If you don't enter a passphrase one will be generated for you by cnMaestro.

NOTE 2: The AP used is on version 3.11-r9

I hope that helps, please let me know if you get stuck.

3 Likes

Thank you very much! Now I can connect to the WLAN.

However, I agree that the client statistics would be nice with user names.

Thanks again, have a nice day!

Hi,

New day, new question! :)

My problem now is that the user's MAC address doesn't show on the ePSK list; there is only an N/A value.

How can I set it to show the connected devices' MAC address?

Hi csalint,

The purpose of the MAC address field is not to show the MAC address of a connected device. Its purpose is to only allow the specified MAC address to connect when using that ePSK/passphrase. When generating the ePSK you can enter the allowed MAC address(es).

2 Likes

Hi, I think it's possible to insert only one MAC address per user.

Are you able to add more MAC addresses? If yes how?

Thanks

Yes, I believe that’s correct; it’s just one MAC address per ePSK.

Hi Wright-Fi and all,

I see, that makes sense... but it's sad at the same time, because this means ePSK is a bit immature and not so useful yet.

Hope the username will be visible soon in the client table.

Until then, it's just like an uncontrollable token system... I mean, if you don't want to fill in hundreds of MAC addresses one by one, because obviously you cannot add them in bulk mode.

Thank you!

Is it possible to create and delete ePSKs with APIs? Also in the cloud version? If not, when will it be possible in the cloud?

Yes, APIs are ready for ePSK.

One clarification: APIs are supported for ePSK in the on-premises version of cnMaestro now.

Cloud support for APIs is on the cnMaestro roadmap and whenever that is released (no public date yet) it will support ePSK APIs too.

1 Like

Agreed as above, a username showing in the column for ePSK clients would be considerably useful. Hoping this will be added soon for security reasons (e.g. identifying those who still have an ePSK loaded in but perhaps shouldn't), as relying on the person's device name isn't really suitable enough (especially in the hospitality industry).

Also, the ability to edit an ePSK entry would be convenient too.

Other than that, great that this is released; a good start, as a very nice-to-have for many of our clients.