Individual PSKs (for each device) but same SSID/VNS

LANCOM invented an interesting feature to assign each device its own PSK. The biggest disadvantage of (current) PSK is that every device knows the centralized PSK (what if the PSK gets leaked?). Some weird devices do not work well with 802.1X. A middle way would be to assign each device its own PSK, so that each device can be placed in a different VLAN and can be individually denied access to the corporate Wi-Fi (without touching the others).

LANCOM introduced such a feature recently (could you implement such a feature for legacy devices as well?):

LANCOM Enhanced Passphrase Security Users (LEPS-U) allows a set of passphrases to be configured and assigned to individual users or groups. This avoids having one global passphrase for an SSID. Instead, there are several passphrases, which can then be distributed individually.

This is useful for onboarding devices into the network. For example, a network operator "onboarding" multiple WLAN devices into different areas of the network does not want to configure each specific device; instead this should be done by the users of the devices themselves. In this case, users are given a preshared key for the company WLAN for use with their own devices. The preshared key is used to map each user to a VLAN, thus automatically assigning them to a specific network. The configuration of LEPS-U takes place on the infrastructure side only, which assures full compatibility with third-party products.

The security issue presented by global passphrases is fundamentally remedied by LEPS-U. Each user is assigned their own individual passphrase. If a passphrase assigned to a user should "get lost" or an employee with knowledge of their passphrase leaves the company, then only the passphrase of that user needs to be changed or deleted. All other passphrases remain valid and confidential.

https://www.lancom-systems.de/docs/LCOS-Addendum/10.20-RC1/EN/topics/LEPS-U.html

Andreas K.

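To make the mechanism discussed above concrete, here is an added example (not code from this thread, from LANCOM or from Extreme) of how an AP or controller can map a per-device passphrase to a VLAN, and why a single shared PSK lets every key holder decrypt everyone else's traffic. The key derivation is the standard WPA2-Personal/CCMP one (PBKDF2-HMAC-SHA1 for the PMK, PRF-384 for the PTK, HMAC-SHA1 truncated to 16 bytes for the message-2 MIC); the SSID, MAC addresses, passphrases, VLAN table and the simplified message-2 "frame" are constructed assumptions, and the table lookup is one possible implementation, not necessarily how LEPS-U does it.

```python
"""Per-device PSK lookup on the AP side, next to the weakness of one shared PSK.

Added example; not code from this thread, LANCOM or Extreme. Derivations follow
IEEE 802.11 WPA2-Personal with CCMP:
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA,SPA) || min/max(ANonce,SNonce))
  MIC = HMAC-SHA1(KCK = PTK[0:16], EAPOL-Key frame with MIC field zeroed)[0:16]
The message-2 "frame", SSID, MACs, passphrases and VLAN table are constructed.
"""
import hashlib
import hmac
import os

SSID = "CORP-LEGACY"                          # assumption
AP_MAC = bytes.fromhex("001122334455")        # assumption (the authenticator address, AA)

# Assumed per-device table held by the controller/AP: one passphrase per device,
# each mapped to its own VLAN.
PSK_TABLE = {
    "handheld-01":      {"psk": "Qn7#vLp2wXz9-handheld01", "vlan": 110},
    "wince-scanner-02": {"psk": "gT4!rMk8bHs1-scanner02",  "vlan": 120},
    "android-kiosk-03": {"psk": "Zx2@cFw6nJd5-kiosk03",    "vlan": 130},
}

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_x(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-X: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes): KCK[16] || KEK[16] || TK[16]."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_x(pmk, b"Pairwise key expansion", data, 48)

def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def supplicant_msg2(passphrase: str, spa: bytes, anonce: bytes):
    """Client side of the 4-way handshake: picks SNonce, derives the PTK from its
    passphrase and returns (body, snonce, mic). `body` is a stand-in for message 2."""
    snonce = os.urandom(32)
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, spa, anonce, snonce)
    body = b"EAPOL-M2" + spa + snonce                 # constructed frame body
    mic = eapol_mic(ptk[:16], body + bytes(16))       # MIC field is zero while computing
    return body, snonce, mic

def identify_device(table, spa, anonce, snonce, body, mic):
    """AP side: message 2 carries no identity, only a MIC, so the AP tries each
    configured passphrase and accepts the one whose MIC verifies.
    Returns (device name, vlan, ptk), or None if no configured PSK matches."""
    for name, entry in table.items():
        ptk = derive_ptk(pmk_from_passphrase(entry["psk"], SSID), AP_MAC, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], body + bytes(16)), mic):
            return name, entry["vlan"], ptk
    return None

def eavesdrop_ptk(known_passphrase, spa, anonce, snonce, body, mic):
    """Anyone holding `known_passphrase` who sniffed the handshake (MACs and nonces
    travel in clear) recovers the session PTK iff that passphrase was the one used;
    its TK then decrypts the unicast traffic of that session."""
    ptk = derive_ptk(pmk_from_passphrase(known_passphrase, SSID), AP_MAC, spa, anonce, snonce)
    if hmac.compare_digest(eapol_mic(ptk[:16], body + bytes(16)), mic):
        return ptk
    return None

def run_demo() -> dict:
    spa = bytes.fromhex("aabbccddee01")              # constructed client MAC (SPA)
    anonce = os.urandom(32)
    # 1. handheld-01 associates; the AP maps its PSK to VLAN 110.
    body, snonce, mic = supplicant_msg2(PSK_TABLE["handheld-01"]["psk"], spa, anonce)
    hit = identify_device(PSK_TABLE, spa, anonce, snonce, body, mic)
    # 2. Revoke only that device: drop its entry, every other device keeps working.
    without = {k: v for k, v in PSK_TABLE.items() if k != "handheld-01"}
    revoked = identify_device(without, spa, anonce, snonce, body, mic) is None
    # 3. The owner of scanner-02 cannot recover handheld-01's PTK from its handshake.
    other_psk = PSK_TABLE["wince-scanner-02"]["psk"]
    blocked = eavesdrop_ptk(other_psk, spa, anonce, snonce, body, mic) is None
    # 4. Contrast with one shared PSK: any holder recovers any other session's PTK.
    shared = "Company-Wifi-2019"                     # constructed shared passphrase
    body_s, snonce_s, mic_s = supplicant_msg2(shared, spa, anonce)
    exposed = eavesdrop_ptk(shared, spa, anonce, snonce_s, body_s, mic_s) is not None
    return {"device": hit[0], "vlan": hit[1], "ptk_len": len(hit[2]),
            "revoked": revoked, "other_device_blocked": blocked,
            "shared_psk_exposes_session": exposed}

if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would want: the lookup costs one PBKDF2 run per configured device per association, so a real implementation caches the PMKs (and may bind a MAC to narrow the candidate set, which does nothing against the MAC spoofing raised later in the thread); and a per-device WPA2 PSK still has no forward secrecy: whoever later learns that one device's passphrase and holds a captured handshake can derive that device's past session keys, exactly as in case 4 above, just for one device instead of all of them.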

Tomasz

Hi Andreas,

Just a quick peek in the morning, I might be wrong, but if you want to define a PSK for each device, you can define a VLAN for each MAC as well. It could be done with ACLs or with RADIUS as a MAC Authentication Bypass mechanism. No 802.1X between supplicant and authenticator then, and no need for any passphrase either. Not good as a standalone mechanism when we think about MAC spoofing; NAC and other mechanisms are needed. But I would consider a PSK per device to be equally secure.
Change my mind. ;)

Kind regards,
Tomasz

Andreas K.

OK, MAC-based authentication can be used to divide the devices into VLANs as well.

When you use the same PSK and it gets compromised, someone can decrypt the data sent by other devices, and someone can spoof the MAC to access the Wi-Fi as well. As far as I know, NAC needs a client installed on the device. When a device gets stolen, the device can be securely denied (by deleting the individual PSK for that device). The individual PSK feature can be implemented on the controller; no other server (e.g. RADIUS) is needed (that could fail).

Concerning legacy devices, I am speaking about Android devices, handhelds, some WinCE devices (old stuff) and so on.

I think that 802.1X (probably with NAC) is the most secure way (and should be used for laptops with Windows installed), but individual PSKs are more secure than the same PSK for all, and more secure than MAC authentication.

Why not just have this feature implemented as well and let the customer decide what he uses?

The benefit of WPA2-PSK is that every device supports it (and every device has probably been tested over the long term); no further servers and so on are needed (except the Wi-Fi infrastructure: APs and maybe a controller), but when the PSK gets leaked, someone has to change the PSK on all the remaining devices (the benefit of 802.1X and MAC authentication). Individual PSKs would combine the benefits of both solutions.

Tomasz

Hi Andreas,

I was thinking for a long time about how to write my thoughts on this topic concisely but keep everything that can matter. Sorry if it got too long...
Maybe I started from the wrong starting point. I think we both shouldn't cover only single particular scenarios and try to prove which technique is superior to the others. PSK, WPA2-Enterprise, open network, 802.1X and other security approaches are just tools; some of them are welcome in particular scenarios, while others are not. That's why your question:

Why not just have this feature implemented as well and let the customer decide what he uses?

is quite reasonable and I agree with you.
However, let me think about it a little more: do we really need per-device PSKs? ;)

I would divide the risk into three pieces: the risk of reaching the network, the risk of listening to a particular conversation and the risk of spoofing the device (MAC).

If you have a single PSK, that is right: your entire traffic can be blown out and MAC spoofing is nearby. Reaching the network is obvious.
In that case you might want (depending on budget and security policy) to use other techniques in addition to stay away from the MAC spoofing risk and take care of achieving security in higher layers of communication for critical applications. In terms of unauthorized access to the network, MAC whitelists and blacklists can work along with ACLs or similar techniques, but will still not help with MAC spoofing without even more advanced device recognition techniques...

If there are more security concerns, I would rather move to 802.1X credentials-based (not necessarily certificates). Unauthorized access can still be there (if someone gets your personal AD login/password), traffic sniffing is rather difficult, but there's still a risk of spoofing the device (take a look here: https://hackinparis.com/data/slides/2017/2017_Legrand_Valerian_802.1x_Network_Access_Control_and_Byp... ). So for greater security 802.1X can still be not enough! It is nice, however, because it can give you an easy-to-maintain role-based access control scenario, and with NAC or other stuff (like web authentication on switches) you can still ask the user repository about a particular user without his device supporting 802.1X (of course security drops a little). BTW, NAC doesn't necessarily require any client installed on a device.

Individual PSK is something between PSK and 802.1X IMO. If someone gets the credentials (but also has to spoof the MAC, if we compare to plain PSK without any additional things like a MAC whitelist) they can reach the network, and could also compromise that device's conversation. You also have to generate and distribute those PSKs, which sounds almost like certificate-based 802.1X (agreed, certificates are way more complex to deploy and maintain). When it comes to guest users, that's reasonable; when you have a big company and would like to use that instead of 802.1X, I simply don't see a good reason right now, maybe if someone doesn't have the money or permission to deploy AD+NPS or FreeRADIUS or something else that would give you many other features alongside. It's more probable with really small companies (European-sized small companies, to be clear ;) but then often Extreme might seem to be just too expensive); bigger ones usually have some virtualization space and Windows Small Business Server at least, so they are good to go for 802.1X. Could you please provide some use-case scenarios?

Most importantly, with any security mechanism there is a risk that a stolen device is reported hours or even days after something has happened, so manual intervention can be late, depending on the situation (especially if it really has to be manual, and the only admin is on a day off). But stolen credentials (without stealing a device!) can be found out even later, if it's just about decrypting the target's traffic (no spoofing, no advanced device fingerprinting techniques in the network to detect spoofing). With 802.1X, as far as I know, even having the user credentials is not enough to see his traffic unencrypted on wireless. If that individual PSK would create per-session keys that would be hard to decrypt on the fly, it would be nice, as it is easier to deploy in simple and small networks without all that 802.1X infrastructure (and without granular role-based access control, until there would be an option to apply not only a PSK to each device but also some ACLs, VLANs and so on).

Have in mind that there are other risks, like looking at the traffic after it reaches the wired network, using rogue APs and so on... PSK or whatever is just about securing the wireless communication. So eventually, I believe the attacker might have a lot of time to do what he wants regardless of the security technique (PSK/individual PSK/802.1X); because of this, none of those is enough for enterprise security if used as the only building block. Each company should have its own security policy that takes all the possible factors into account to find a reasonable balance between low cost/comfort of use and critical data/infrastructure security.

Thanks for the topic, as it's always good to see some nice features that other vendors have; perhaps Extreme will take that into account, between working on 11ax and WPA3, which is mostly desired right now I believe. ;)

By the way, what tools or techniques do you guys find good for detecting MAC spoofing (on wired/wireless) and credential (individual PSK, 802.1X) reuse? Only SIEM? Posture assessment?

Kind regards,
Tomasz

James A, Embassador

Your points are all valid, except that they don't account for devices that don't do 802.1X and only support PSK.

Tomasz

You're right, at some moments I was thinking about 802.1X just from the authentication side, sorry for that. Then I hope Extreme will take care of it along with the WPA3 implementation.

Andreas K.

For me this feature is dedicated to legacy devices that are only capable of (or work best with) PSK. A central PSK, on the other hand, is a huge risk as soon as the key gets leaked.

For me, individual PSK combines the advantages of both (centralized PSK and 802.1X) with slightly less security compared to 802.1X:
* easy configuration (no extra RADIUS server, everything configured on the controller/AP) and less complexity (only the controller and APs must work, no external server needed etc.)
* the device uses its known PSK mechanism (it does not see any difference from a centralized PSK)
* when the administrator wants to get rid of a device, he simply deletes its PSK
* divide the devices into different VLANs (per device, like with authentication)

The use case for me is to set up a new VNS for all these legacy devices (only WPA2-PSK is supported) and configure individual PSKs for each of them. The devices will work best and the administrator has more tools to get rid of one of them. Domain-joined Windows devices are still handled by another VNS, which uses 802.1X with certificates.

James A, Embassador

Yeah, other vendors have DPSK, PPSK, or even PSK sent by the RADIUS server. It's a nice feature. WPA3 will mitigate some of the issues with other devices being able to decrypt data, although it's no use for legacy devices of course.

M.Nees, Embassador

I think individual or private PSK will be very useful in some environments, and would make the Identify WLAN Solution one piece more complete. I personally need that in some school projects.

But especially this kind of project is not a huge money maker ...

2 years ago we also discussed that topic here:
https://community.extremenetworks.com/extreme/topics/lacking-wlan-features-private-psks-per-client-q...

If someone asks, I vote for that feature!

M.Nees, Embassador

Is WING able to handle that?