Multiple PSK: A Mechanism for Per-Device Access Control of Wi-Fi Networks
By Simon Lok On 12/18/2023
Multiple PSK is a useful mechanism for per-device access control of Wi-Fi networks. Most multiple PSK systems are designed to use the wireless controller or cloud service as the source of truth for all credentials. In some cases, it is superior to use external credential databases for multiple PSK. One would think that this would be a simple matter of transmitting the requested SSID and passphrase to a RADIUS server. This is not workable, given the design of WPA2. In this article we discuss how multiple PSK works with credential databases that are distinct from the wireless controller.
The WPA PSK Wi-Fi security method, which uses a shared passphrase for all devices, is suitable for networks managed by a single entity with good device security. If a device is lost, the only way to secure the network is to change the PSK, requiring all devices to be updated, a cumbersome task especially with many devices.
Multiple PSK technology was designed to meet the need for per-device control of Wi-Fi networks. Before its introduction, WPA2 Enterprise, which uses certificates for device security, was required. Multiple PSK systems typically have a controller table mapping MAC addresses, passphrases, and VLANs for a specific SSID.
If a device with MAC address de:ad:04:20:be:ef is lost, its row is simply removed from the table. This allows for individual device access revocation without affecting others, providing a cost-effective alternative to WPA2 Enterprise architecture. The multiple PSK approach is universally compatible, unlike WPA2 Enterprise which is only supported by a subset of devices.
The MAC address in the table might seem redundant, as one could assume that revoking an individual passphrase assigned to a single device would suffice. However, if the same PSK were used on multiple devices, revoking it would disconnect all those devices from the network.
While multiple PSK Wi-Fi systems allow the use of several passphrases on the same SSID without tying them to a specific MAC, this functionality is often limited. A larger table of passphrases can be used if each is bound to a unique MAC address.
The scalability constraints stem from the WPA2 4-way handshake. The passphrase is known to both sides and isn't transferred over the air. Instead, random numbers are exchanged and multiple rounds of cryptographic hashing are performed. This process is time-consuming due to the low-performance processors in most Wi-Fi access points, which can only perform this computation a few dozen times per second.
Linking a passphrase to a specific MAC allows the hashing rounds to be computed once, verifying the passphrase's correctness. Without this link, the system must hash for every configured passphrase, which can overwhelm the computational power and cause timeouts. Therefore, mapping passphrases to MACs significantly enhances the scalability of multiple PSK Wi-Fi systems.
Sometimes, an external device may manage passphrases for scalability and centralized management in an enterprise network. For instance, a corporation with multiple locations may want a central database of all network-approved devices. If Wi-Fi system controllers are on individual premises, a centralized database of allowed passphrases and potential MAC-to-VLAN mappings would be an appropriate architecture.
Two common methods exist for syncing a centralized passphrase database with a multiple PSK Wi-Fi system. One is using an API to update the passphrase data on the Wi-Fi system, automated by the central system whenever the device database changes. This capability is available in multiple PSK Wi-Fi systems from Aruba, Cambium, Juniper, and Ruckus.
The alternative is real-time passphrase checking using an external system. Most Wi-Fi systems function as a RADIUS Network Access Server (NAS) that queries a RADIUS Server for centralized AAA. However, forwarding the client-provided passphrase from the RADIUS NAS to the RADIUS Server is impossible as the client never sends the passphrase to the RADIUS NAS. Thus, the 4-way handshake must be manipulated and interrupted.
Consider the messages of the 4-way handshake:
The ANonce and SNonce are random numbers, while the Message Integrity Check [MIC] is a checksum and sequence number preventing replay attacks. The Group Transient Key [GTK] encrypts broadcast and multicast traffic, and the final message is an acknowledgment. Notably, the Pairwise Transient Key [PTK], which encrypts all unicast traffic, is never transmitted between the client and the Wi-Fi system.
Now consider the sequence of the calculations and the PTK in the 4-way handshake:
The PTK calculation relies on the Passphrase, ANonce, SNonce, AP MAC address, and client MAC address. The client computes the PTK before sending the second message of the 4-way handshake, and the Wi-Fi system does the same before sending the third message.
Multiple PSK Wi-Fi systems interrupt the 4-way handshake after the second message to perform a RADIUS transaction before the third message. Interrupting at this point is ideal because the Wi-Fi system must know the passphrase (or a computational derivative like the PMK) to proceed with the 4-way handshake as intended.
Adtran Bluesocket, Cambium cnMaestro, Cisco 9800, Juniper Mist, Ruckus SmartZone, and ZoneDirector can all operate as described earlier. The RADIUS Access-Request must contain the ANonce, SNonce, AP MAC address, and client MAC address. The message format sent to the RADIUS server varies by vendor. Some send the entire second message of the 4-way handshake, while others send its individual components in a parsable data structure. All four pieces of information are necessary for the AAA server to find a matching passphrase.
The AAA server responds with a RADIUS Access-Accept message containing the information needed to complete the 4-way handshake. The reply's contents vary based on the Wi-Fi system's manufacturer. Generally, the system needs to compute the PTK, so the AAA server must reply with the Passphrase or an intermediate computation like the PMK.
The passphrase search is time-consuming due to the 4-way handshake design. The Wi-Fi system typically times out the handshake during the RADIUS messaging with the AAA server and attempts to restart it. The system then completes the handshake using the passphrase or computational derivative provided by the AAA server in the RADIUS Access-Accept.
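The passphrase lookup the AAA server performs between the second and third messages, as an added Python example (not code from the article or from any vendor it names). It uses the standard WPA2-Personal derivations; the SSID, AP MAC, nonces, passphrases, table layout and stand-in message-2 frame are constructed, and treating a MAC-bound row as the only candidate for its device is an assumed policy.

```python
import hashlib
import hmac

def pmk(passphrase: str, ssid: str) -> bytes:
    # The slow step: 4096 rounds of PBKDF2-HMAC-SHA1, salted with the SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def kck(pmk_: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # First PRF block of the PTK; its first 16 bytes are the key that signs the MIC.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion"
    return hmac.new(pmk_, label + b"\x00" + data + b"\x00", hashlib.sha1).digest()[:16]

def mic(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, frame: bytes) -> bytes:
    # frame = message 2 with its MIC field zeroed (HMAC-SHA1-128 variant of the MIC).
    key = kck(pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.new(key, frame, hashlib.sha1).digest()[:16]

def find_psk(table, ssid, ap_mac, sta_mac, anonce, snonce, frame, seen_mic):
    """table rows: (bound_mac or None, passphrase, vlan).
    Returns (passphrase, vlan, candidates_tried), or None for an Access-Reject."""
    bound = [row for row in table if row[0] == sta_mac]
    # Assumed policy: a MAC-bound row is the only candidate for that device;
    # otherwise every unbound passphrase has to be hashed and compared.
    candidates = bound or [row for row in table if row[0] is None]
    for tried, (_, passphrase, vlan) in enumerate(candidates, start=1):
        guess = mic(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, frame)
        if hmac.compare_digest(guess, seen_mic):
            return passphrase, vlan, tried
    return None

# Constructed sample values (only the client MAC comes from the article).
SSID = "example-ssid"
AP_MAC = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("dead0420beef")
GUEST = bytes.fromhex("020000000099")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
FRAME = b"\x01\x03\x00\x75" + bytes(117)  # stand-in for message 2, MIC zeroed
TABLE = [(CLIENT, "device-one-secret", 10),
         (None, "shared-alpha-000", 20),
         (None, "shared-bravo-111", 20),
         (None, "shared-charlie-2", 30)]

if __name__ == "__main__":
    # Simulate an unbound client that knows the third unbound passphrase.
    seen = mic("shared-charlie-2", SSID, AP_MAC, GUEST, ANONCE, SNONCE, FRAME)
    print(find_psk(TABLE, SSID, AP_MAC, GUEST, ANONCE, SNONCE, FRAME, seen))
```

The third element of the result is the number of passphrases that had to be run through the 4096-round derivation, which is the cost that grows with the size of an unbound passphrase table.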
Only a small fraction of all RADIUS servers in existence are AAA systems capable of performing these calculations. RUCKUS, RG Nets, and Eleven Systems are vendors known to have built AAA servers that perform this function, with varying degrees of compatibility with wireless equipment manufacturers.