Individual PSKs (for each device) but same SSID/VNS

Andreas_K_
New Contributor II
LANCOM invented an interesting feature to assign each device its own PSK. The biggest disadvantage of (current) PSK is that every device knows the centralized PSK (what if the PSK gets leaked?). Some weird devices do not work well with 802.1x. A middle way would be to assign each device its own PSK, therefore each device can be placed in a different VLAN and can be individually denied access to the corporate Wifi (without touching the others).



LANCOM invented such a feature lately (could you implement such a feature for legacy devices as well?):

LANCOM Enhanced Passphrase Security Users (LEPS-U) allows a set of passphrases to be configured and assigned to individual users or groups. This avoids having one global passphrase for an SSID. Instead, there are several passphrases, which can then be distributed individually.

This is useful for onboarding devices into the network. For example, a network operator "onboarding" multiple WLAN devices into different areas of the network does not want to configure each specific device; instead this should be done by the users of the devices themselves. In this case, users are given a preshared key for the company WLAN for use with their own devices. The preshared key is used to map each user to a VLAN, thus automatically assigning them to a specific network. The configuration of LEPS-U takes place on the infrastructure side only, which assures full compatibility with third-party products.

The security issue presented by global passphrases is fundamentally remedied by LEPS-U. Each user is assigned their own individual passphrase. If a passphrase assigned to a user should "get lost" or an employee with knowledge of their passphrase leaves the company, then only the passphrase of that user needs to be changed or deleted. All other passphrases remain valid and confidential.



https://www.lancom-systems.de/docs/LCOS-Addendum/10.20-RC1/EN/topics/LEPS-U.html



M_Nees
Contributor III
Is WiNG able to handle that?

M_Nees
Contributor III
I think Individual or Private PSK would be very useful in some environments, and would make the IdentiFi WLAN solution one piece more complete. I personally need that in some school projects.

But these kinds of projects in particular are not the huge money makers ...

2 years ago we also discussed that topic here:
https://community.extremenetworks.com/extreme/topics/lacking-wlan-features-private-psks-per-client-q...

If someone asks, I vote for that feature!

James_A
Valued Contributor
Yeah, other vendors have DPSK, PPSK, or even PSK sent by the RADIUS server. It's a nice feature. WPA3 will mitigate some of the issues with other devices being able to decrypt data, although it's no use for legacy devices of course.

Andreas_K_
New Contributor II

For me this feature is dedicated to legacy devices that are only capable of (or work best with) PSK. A central PSK, on the other hand, is a huge risk as soon as the key gets leaked.

For me, individual PSK combines the advantages of both (centralized PSK and 802.1x) with slightly less security compared to 802.1x:
* easy configuration (no extra RADIUS server, everything configured on the controller/AP) and less complexity (only the controller and APs must work, no external server needed etc.)
* the device uses its known PSK mechanism (it does not see any difference to a centralized PSK)
* when the administrator wants to get rid of a device, he simply deletes its PSK
* place each device in a different VLAN (per-device, like authentication)



The use case for me is to set up a new VNS for all these legacy devices (only WPA2-PSK is supported) and configure individual PSKs for each of them. The devices will work best and the administrator has more tools to get rid of one of them. Domain-joined Windows devices are still handled by another VNS which uses 802.1x with certificates.
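The mechanism the thread describes (several passphrases on one SSID, each mapped to a VLAN, revocable one at a time, invisible to the client) can be shown on the AP side of the WPA2 4-way handshake. The example below is added here and is not LANCOM's, Extreme's or any poster's code; the SSID, device names, passphrases, VLAN ids and handshake bytes are all constructed, and the EAPOL frame is a placeholder rather than a real captured message.

```python
import hashlib
import hmac

SSID = b"corp-legacy"  # constructed SSID for the legacy-device VNS

def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # IEEE 802.11 PRF-512 over the handshake inputs; the KCK is the first 128 bits of the
    # PTK and is the key that authenticates the EAPOL-Key MIC.
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return ptk[:16]

def eapol_mic(kck: bytes, eapol_with_zero_mic: bytes) -> bytes:
    # Key descriptor version 2 (CCMP): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]
    return hmac.new(kck, eapol_with_zero_mic, hashlib.sha1).digest()[:16]

class PerDevicePskTable:
    """AP/controller side of one SSID carrying an individual PSK per device.
    PMKs are derived once at configuration time, so a handshake costs one PRF per entry."""
    def __init__(self, ssid: bytes):
        self.ssid, self.entries = ssid, {}   # name -> (pmk, vlan)
    def add(self, name: str, passphrase: str, vlan: int) -> None:
        self.entries[name] = (derive_pmk(passphrase, self.ssid), vlan)
    def revoke(self, name: str) -> None:
        self.entries.pop(name, None)         # only this device loses access; others unaffected
    def identify(self, aa, spa, anonce, snonce, eapol_with_zero_mic, mic):
        # The station's message 2 carries a MIC under its own KCK; the one configured PSK
        # whose KCK verifies that MIC tells the AP which device it is and which VLAN it gets.
        for name, (pmk, vlan) in self.entries.items():
            kck = derive_kck(pmk, aa, spa, anonce, snonce)
            if hmac.compare_digest(eapol_mic(kck, eapol_with_zero_mic), mic):
                return name, vlan
        return None                          # unknown or revoked key: reject the association

def station_message2_mic(passphrase, ssid, aa, spa, anonce, snonce, eapol_with_zero_mic):
    # Station side: a plain WPA2-PSK supplicant, which cannot tell that other devices
    # on the same SSID use different passphrases.
    kck = derive_kck(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    return eapol_mic(kck, eapol_with_zero_mic)

# Constructed handshake values (not captured traffic); EAPOL2 stands in for message 2 with MIC zeroed
AA, SPA = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
EAPOL2 = b"\x02\x03\x00\x75" + bytes(117)
TABLE = PerDevicePskTable(SSID)
TABLE.add("printer-01", "Pr1nt3r-0nly-k3y!", 110)
TABLE.add("scanner-02", "Sc4n-d3v1ce-k3y#", 120)
```

Each extra passphrase adds one PRF-512 evaluation per handshake attempt, which is why the PMKs are precomputed at configuration time rather than per association.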
