hutsch
just joined
Topic Author
Posts: 8
Joined: Fri Apr 30, 2010 1:45 pm

DPSK/PPSK individual PSK without preconfig

Tue May 05, 2020 11:37 am

Hi!

First of all, yes, I know there has been a thread about that subject before. Although it has been marked [SOLVED], I disagree because the subject has not been solved, so please excuse me for reopening that subject.

We are heavily using the feature of having individual keys for each device by preconfiguring the MAC and associated PSK locally or on user manager (RADIUS) for many years now and at many customers. Works fine. Disadvantage (guess what) is that the MAC address has to be determined and registered upfront.

Question:

When will it be possible at Mikrotik to preconfigure some (randomly generated) PSK without having to pre-register the MAC? Like the way manufacturers like Aerohive do.
Having a list of some preconfigured PSK and handing out single keys to e.g. guests where the device (MAC-Address) will be associated with the PSK at the time the guest uses the key for the first time.

@Mikrotik: Is there any known roadmap? Will there be some feature like this or something similar? Or: did I miss something and has it already been implemented and is usable?

Many thanks!
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: DPSK/PPSK individual PSK without preconfig

Tue May 05, 2020 2:25 pm

You can use WPA2-EAP with anon_id+username+password and authenticate them in a RADIUS server.
So you can assign new devices a username which does not have to be a MAC address.
This has been implemented for a couple of years and we use it all the time (at first it was only implemented on the AP side, but then it was implemented for clients).

AP:
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-eap eap-methods=eap-tls,passthrough mode=dynamic-keys

Client:
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-eap eap-methods=peap mode=dynamic-keys mschapv2-password=yourpassword mschapv2-username=yourusername supplicant-identity=youridentity tls-mode=dont-verify-certificate
 
newhotelowner
just joined
Posts: 9
Joined: Wed Dec 04, 2019 4:10 am

Re: DPSK/PPSK individual PSK without preconfig

Tue Jun 16, 2020 1:28 am

> You can use WPA2-EAP with anon_id+username+password and authenticate them in a RADIUS server.
> So you can assign new devices a username which does not have to be a MAC address.

DPSK/PPSK can be used with any kind of client (Windows, Android, Printer, iOS, Chromecast).

How do you assign a username to a client?

Can you provide more details?
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: DPSK/PPSK individual PSK without preconfig

Tue Jun 16, 2020 11:08 am

> > You can use WPA2-EAP with anon_id+username+password and authenticate them in a RADIUS server.
> > So you can assign new devices a username which does not have to be a MAC address.
>
> DPSK/PPSK can be used with any kind of client (Windows, Android, Printer, iOS, Chromecast).
>
> How do you assign a username to a client?
>
> Can you provide more details?

The usual clients (PC, Mac, phones, tablets, etc.) will present 2 input fields for username and password when you connect them to an AP that is configured as above.
But there will always be devices that do not support it (printers, simple IoT devices, etc.).

However you could configure 2 access methods on the same AP (with a different SSID) and have most devices connected with username/password and reserve the other one for the few devices that cannot do it.
 
olivier2831
Member
Posts: 312
Joined: Fri Sep 08, 2017 6:53 pm

Re: DPSK/PPSK individual PSK without preconfig

Fri Nov 12, 2021 5:56 pm

> However you could configure 2 access methods on the same AP (with a different SSID) and have most devices connected with username/password and reserve the other one for the few devices that cannot do it.

Can you specify a VLAN in which each device with an individual PSK would be allocated into?
That would be a very convenient way to control the way 802.1X compliant and non-802.1X compliant devices would be connected together.
 
gotsprings
Forum Guru
Posts: 2307
Joined: Mon May 14, 2012 9:30 pm

Re: DPSK/PPSK individual PSK without preconfig

Sun Nov 14, 2021 4:42 pm

How about making a bunch of random keys and adding them to the ACL? If a client used that password... it should allow the connection.

From there I guess you would want to try to capture the MAC somehow to put it FOR THAT KEY in the ACL.

But as long as I have 2014 radio performance from Mikrotik wireless... I am not really willing to "develop" anything else specific to caps-man.
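
Added example, not part of any post above and not a MikroTik feature: a Python model of the first-use binding discussed in this thread, where a pool of random keys is generated up front and each key is tied to the MAC address that first uses it. It assumes the AP or RADIUS back end has already determined which pool key the client's handshake matches; `generate_pool`, `PskPool` and `authorize` are hypothetical names, and the MAC addresses are constructed.

```python
import secrets
import string

# Unambiguous alphabet for keys that guests type by hand (assumption, not from the thread).
ALPHABET = "".join(c for c in string.ascii_lowercase + string.digits if c not in "l1o0")

def generate_pool(count, length=16):
    """Return `count` unique random passphrases (WPA2 allows 8 to 63 ASCII characters)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    pool = set()
    while len(pool) < count:
        pool.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return sorted(pool)

def normalize_mac(mac):
    """Canonical upper-case colon form so AA-BB-.. and aa:bb:.. compare equal."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class PskPool:
    """Maps each pre-generated key to the MAC that first used it (None = unclaimed)."""

    def __init__(self, keys):
        self.bindings = {key: None for key in keys}

    def authorize(self, psk, mac):
        mac = normalize_mac(mac)
        if psk not in self.bindings:
            return "reject-unknown-key"
        owner = self.bindings[psk]
        if owner is None:
            self.bindings[psk] = mac  # first use: bind this key to this device
            return "accept-bound"
        return "accept" if owner == mac else "reject-key-in-use"

if __name__ == "__main__":
    pool = PskPool(generate_pool(3))
    key = next(iter(pool.bindings))
    print(pool.authorize(key, "aa-bb-cc-00-11-22"))  # constructed MAC, first use
    print(pool.authorize(key, "AA:BB:CC:00:11:22"))  # same device reconnecting
    print(pool.authorize(key, "aa:bb:cc:00:11:33"))  # second device, same key
```

A MAC address is only a weak device identifier (it can be changed, and phones that randomize it keep a stable one per SSID by default), so the binding limits casual key sharing rather than proving device identity.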
 
PackElend
Member Candidate
Posts: 273
Joined: Tue Sep 29, 2020 6:05 pm

Re: DPSK/PPSK individual PSK without preconfig

Sun Jan 02, 2022 11:12 pm

Could that be a solution for a Chromecast or any other smart device that is not EAP-capable to be added to the VLAN of the owner of a specific device automatically, so that the administrator does not have to do this manually? The only way I can see to make this happen is to use PPSK, but what would be the next step?
