Wifi ppsk mode

Can openwrt/lede support wifi ppsk mode,which means one wireless client use one pre-shared key via radius server,meanwhile others cannot use the same key?

802.1X with Radius, yes. Individual keying is up to the configuration of the RADIUS server and that is "standard practice" for many networks.

I'm not sure exactly what you're asking for though. It almost sounds like you might want PSK2 for some clients and 802.1X for other clients, all on the same SSID. That I've never run across or considered. If that is the kind of thing you're looking for, you might want to consider two SSIDs on the same AP(s), one running PSK2, the other running 802.1X. Seems like it would be much easier to configure and manage that way.

1 Like

Dear Jeff,
Thanks for replying me.I don't want to use multissid in my network,one wpa
2-psk another 802.1x eap.PPSK is short for private pre-shared key.Like psk mode,clients join it via a pre-share key.But the difference is that ppsk can make every client have its own psk.IF he is up in the ap,others can not use his key to join the ssid.So this authentation mode have both convenience and security.Many access point manufacturers like aruba,ruckus support this function.


I am not sure openwrt could provide the function like the following link .
yours sincerely.

Looks like this is a feature of hostapd in combination with a radius server...

Found this in hostapd.conf:

# Optionally, WPA passphrase can be received from RADIUS authentication server
# This requires macaddr_acl to be set to 2 (RADIUS)
# 0 = disabled (default)
# 1 = optional; use default passphrase/psk if RADIUS server does not include
#	Tunnel-Password
# 2 = required; reject authentication if RADIUS server does not include
#	Tunnel-Password
#wpa_psk_radius=0

I´m not sure if this scenario could configured with uci, but with a self created hostapd.conf it should be possible.

The key -> device binding will be implemented with the mac address

2 Likes

Thanks.Let me have a try!It seems that I couldn't have it configured via luci.But this selection is able to solve my question.

It should be possible to use only hostapd for your scenario, because hostapd does include a integrated radius server implementation.

@yuanshan6666 Keep us updated if you will get it work, possibly this could be integrated in uci/luci...

Did you get it working? I have the same requirement for my network and Do not want to use WPA-Etnerprise as I will be connecting IoT Devices and Gaming Consoles which do not support WPA-Enterprise.

any luck here? Do we or Dont we support PPSK in openWRT?

What about EAP-PWD (RFC5931)? Would this be of any help?

I think it is already available in OpenWRT now.

CISCO implemented this some time ago as a new feature in their WLAN Products
Identity PSK Feature Deployment Guide

Hi!
I have push 2 PRs that would let you use PPSK:
Base: https://github.com/openwrt/openwrt/pull/3509
Web interface change: https://github.com/openwrt/luci/pull/4513

3 Likes

I was able to successfully test the PR.
Currently the dynamic VLANs on OpenWRT do not work for me (RAIDUS is OK), but this could be a problem with Ath10k.



In the OpenWRT log I currently only see "RADIUS: starting accounting session", but no "RADIUS: VLAN ID ...".

Hi @christian1982, I am glad you tried.
So far I remember, there was some changes to the ath10k firmware/driver between 18.06 and 19.07 that broke AP/VLAN functionality, that happened to me aswell, but the AP/VLAN is working fine again in newer versions.

After building with this PR on 21.02 the wireless interfaces no longer are active. Can you please take a look at your PR to ensure that it's compatible with 21.02

Can you provide more details about your hardware?

I was working in a very customized version of hostapd, researching and testing an improvement version of ppsk AP/VLAN thing, because of this I had to freeze my code and release until I am done with my extra cmd interface to hostapd. After that, I should be able to clean code and upgrade it again.

I am so happy that people is trying and using ppsk. The PR has been waiting for one year already to be merger and they don't seems to care too much, I hope eventually core team decide to merge it.

While I'd love to see this upstreamed, I am willing to pull patches for testing. I can test this on various types of hardware, I have Mikrotik routers and AP's, Ubiquiti AP's from AC lites to Wifi6 LR's. Currently, we are building 21.02 across Unifi AC lites and Wifi 6 lites, as well as Mikrotik hAP AC2 and I, can also do the cAP AC as I have that for testing as well but haven't flashed it to OpenWrt. I started another post in the Dev section and linked this as I was attempting to drum up some use for this as I'd not heard back from you. I went a bit internet stalker and commented on your git repo as well as the PR here at OpenWrt as it had been quite so time since your last message. I'm really glad that I've caught your attention. Keep in touch and if you PM I will share my contact information and we can see if I can help you get this project moving along.