Lacking WLAN Features (Private PSKs, Per Client Queueing)

dfroe
New Contributor II
While trying to replace existing wireless infrastructure systems from other vendors, we get confronted with several particular features which do not seem to exist in Extreme WiFi.

1. Private PSKs, local and with RADIUS backend.
Some vendors support individual WPA2 PSKs for each connecting MAC Address.
The wireless system has a list of allowed mac addresses together with a unique PSK for each address.
This way every client can have its own WPA PSK, i.e. when you want to lock out one specific client from your wireless system, you do not have to change the WPA PSK on all devices.
It also prevents users from connecting other end devices to the wireless network as every PSK is bound to a specific MAC.
This is very handy to improve management and security in wireless networks with clients which do not support WPA enterprise. And it minimizes the administrative overhead for 802.1x in smaller environments.
Other vendors support private PSKs also with RADIUS backends for centralized management.
We often have Extreme WiFi together with NAC, so this would be a perfect combination.
In NAC one would have to maintain PSKs for end systems, and the WiFi AP must be able to derive the actual PSK from the RADIUS response.
Source: Workshop Slides from other vendor, cf. page 78.

Are there any ideas or plans how this could be implemented with Extreme WiFi?
For me the only way right now seems to establish WPA enterprise which is more complicated for system administrators.

2. Per Client Queueing
Especially for guest networks we have to ensure a fair traffic prioritization between all connected clients. Most of the time we want to limit each client, have a defined total maximum bandwidth (for example internet uplink) and we want this bandwidth to be fairly distributed between all clients.
So let's say we have an asymmetric internet connection with 50 Mbps downstream and 10 Mbps upstream which we want to be fairly distributed to all connected clients.

The simplest thing would be something like this:

[Illustration: PCQ4]

Our aim is to share the bandwidth amongst all users, i.e. if only one user is connected he may consume all bandwidth, if two are connected each gets half the bandwidth and so on.

A more sophisticated approach would additionally limit each client to a specific bandwidth and further reduce that assigned bandwidth if more clients are requesting bandwidth than is totally available.

[Illustration: PCQ3]

Illustration Source: Wiki Page

Are there any possibilities to achieve a similar guaranteed fair bandwidth distribution with Extreme WiFi?
A simple fixed rate limit does not work in real life since the actual per user bandwidth will depend on the current traffic/user situation.

We would be happy to get some brainstorming from the Extreme community on how you would handle these requirements. Or to definitely get the answer that it's simply not possible. When designing networks it is also important to know your limits.

Best regards, and looking forward to your ideas
David
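As an added illustration (not from the post and not any vendor's firmware), the fair sharing described above, with the optional per-client cap, written as a max-min (water-filling) allocation; the client names, demands and the 50 Mbps link are constructed:

```python
"""Fair per-client bandwidth sharing (PCQ-style), an added illustration.

Model assumed here (not any vendor's implementation): a shared link of
`total` Mbps is split among the clients currently requesting traffic.
Each client receives no more than it demands and no more than
`per_client_max` Mbps (0 means no per-client cap); capacity that one
client cannot use is redistributed to the others (max-min fairness).
"""
from typing import Dict

EPS = 1e-9


def pcq_allocate(total: float, demands: Dict[str, float],
                 per_client_max: float = 0.0) -> Dict[str, float]:
    """Return the Mbps granted to each client for one scheduling round."""
    alloc = {client: 0.0 for client in demands}
    # Effective ceiling per client: its demand, further limited by the cap.
    ceiling = {c: (min(d, per_client_max) if per_client_max > 0 else d)
               for c, d in demands.items()}
    unsatisfied = {c for c, lim in ceiling.items() if lim > EPS}
    remaining = total
    # Water-filling: repeatedly split what is left equally among clients
    # that can still absorb more, then drop those that reached their ceiling.
    while unsatisfied and remaining > EPS:
        share = remaining / len(unsatisfied)
        for client in sorted(unsatisfied):
            give = min(share, ceiling[client] - alloc[client])
            alloc[client] += give
            remaining -= give
            if ceiling[client] - alloc[client] <= EPS:
                unsatisfied.discard(client)
    return alloc


def demo() -> None:
    link = 50.0  # downstream side of the 50/10 Mbps uplink from the post
    for demands in ({"c1": 100}, {"c1": 100, "c2": 100},
                    {"c1": 5, "c2": 100, "c3": 100}):
        print(demands, "->", pcq_allocate(link, demands))
    print("with 20 Mbps per-client cap:",
          pcq_allocate(link, {"c1": 100, "c2": 100}, per_client_max=20))


if __name__ == "__main__":
    demo()
```

With the cap set, two clients get 20 Mbps each and 10 Mbps stays unused; with four capped clients the share drops to 12.5 Mbps each, which is the "further reduce" behaviour of the second illustration.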

dfroe
New Contributor II
You'd create a NAC local user/pw repository for PEAP and also add the MACs to the database.
In that case you don't need any other external DB/devices and you'd do a lot more with NAC&roles.
The only difference is that the private key feature will also allow older clients that don't support 802.1X.
Well, that implies the more complex setup of 802.1x in smaller environments. You need a server certificate signed by a trusted CA to avoid warnings on the client side, or you have to enroll your own PKI and deploy the root CA on all clients, or you have to disable the server certificate check on clients. This actually is a show stopper for smaller customers, especially those who are used to having private PSKs. And of course it requires 802.1x configuration on the client side.
And even if I'd go with 802.1x, how could I ensure that a particular user/password combination (which would be the equivalent to the PSK) can only be used on a certain end device (MAC address)? As far as I know you cannot bind users in the local password repository in NAC to MAC addresses. So for each end device you would have to create an end device group (containing the MAC), a user group (containing the username) and a NAC rule joining them. That might be a nice theoretical proof of concept, but every sysadmin will chase you away if you demonstrate such a setup. Maintaining such a system would be impossible as you have to properly keep track of several objects for each single client.

Life is soo much easier with private PSKs.
You add an end system (MAC address) in NAC and, let's say, as the Custom1 attribute you assign an individual PSK to that particular end system. And when responding to a WiFi MAC authentication, NAC simply returns a RADIUS attribute with Custom1 back to EWC, which in turn uses this value as the PSK for that client.
That's it. No need for any NAC rules or groups for every single client.
Don't be shocked, but this thread in MT forum is actually 8(!) years old.
Of course this isn't the right place for feature requests, but sometimes being 10 years behind can give you a real headache when deploying WiFi in the field. 🙂

To sum it up, the only maintainable "solution" would be sticking with 802.1x, the local password repository and lacking real password-to-device binding. Could be okay for new setups, but obviously not for customers already knowing or even using private PSKs.
You'd search for "IAC box" - that is what I use in the meantime.
I've heard about it but did not actually use it yet. So it's more than just a RADIUS server, it can also act as a L3 device enforcing per-user traffic shaping? Simply returning a fixed traffic limit rate via RADIUS to EWC wouldn't be sufficient. Yep, could be a work around. But when thinking about setups with multiple sites, this would require placing a (hardware) IAC box as routing device to enforce shaping in every location? Hm, doesn't really scale.
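As an added example serving both this reply and point 1 of the original post (not Extreme NAC or EWC code; the MAC table, PSKs and SSID are constructed), a simplified model of the MAC-auth flow: the NAC side returns the per-device PSK, the AP side derives the WPA2 PMK from it with the standard PBKDF2 step, and revoking one MAC leaves the other clients' keys untouched:

```python
"""Private PSK lookup over a MAC-auth style flow, an added illustration.

Assumed, simplified model (not Extreme NAC/EWC code): the NAC side keeps one
end system per MAC with its private PSK in a custom attribute; on MAC
authentication it returns that PSK, and the AP side derives the WPA2 PMK
from it exactly as for a normal passphrase (PBKDF2-HMAC-SHA1, salt = SSID,
4096 rounds, 256-bit output, per IEEE 802.11i). Table contents are constructed.
"""
import hashlib
from typing import Dict, Optional

SSID = "corp-iot"  # constructed example SSID

# Constructed NAC end-system table: MAC -> private PSK (the "Custom1" idea).
END_SYSTEMS: Dict[str, str] = {
    "00:11:22:33:44:55": "printer-floor2-Qx7!pLm",
    "66:77:88:99:aa:bb": "scanner-lobby-Rt4#vNz",
}


def nac_mac_auth(table: Dict[str, str], mac: str) -> Optional[str]:
    """RADIUS MAC-auth: return the client's PSK, or None for Access-Reject."""
    return table.get(mac.lower())


def derive_pmk(psk: str, ssid: str) -> bytes:
    """Standard WPA2-Personal PMK derivation from a passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def ap_pmk_for_client(table: Dict[str, str], mac: str,
                      ssid: str = SSID) -> Optional[bytes]:
    """What the AP would use for this client's 4-way handshake, or None."""
    psk = nac_mac_auth(table, mac)
    return derive_pmk(psk, ssid) if psk is not None else None


def revoke(table: Dict[str, str], mac: str) -> Dict[str, str]:
    """Lock one device out by dropping its entry; nobody else is affected."""
    return {m: p for m, p in table.items() if m != mac.lower()}


if __name__ == "__main__":
    for mac in END_SYSTEMS:
        print(mac, ap_pmk_for_client(END_SYSTEMS, mac).hex())
    print("unknown MAC ->", ap_pmk_for_client(END_SYSTEMS, "de:ad:be:ef:00:01"))
```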

Ronald_Dvorak
Honored Contributor
1) I'd use 802.1X PEAP.
"We often have Extreme WiFi together with NAC, so this would be a perfect combination."
You'd create a NAC local user/pw repository for PEAP and also add the MACs to the database.
In that case you don't need any other external DB/devices and you'd do a lot more with NAC&roles.

The only difference is that the private key feature will also allow older clients that don't support 802.1X.

2) Doesn't work with the controller but I also like to see that function.
You'd search for "IAC box" - that is what I use in the meantime.