Wifi ppsk mode

Can OpenWrt/LEDE support WiFi PPSK mode, which means one wireless client uses one pre-shared key via a RADIUS server, while others cannot use the same key?

1 Like

802.1X with Radius, yes. Individual keying is up to the configuration of the RADIUS server and that is "standard practice" for many networks.

I'm not sure exactly what you're asking for though. It almost sounds like you might want PSK2 for some clients and 802.1X for other clients, all on the same SSID. That I've never run across or considered. If that is the kind of thing you're looking for, you might want to consider two SSIDs on the same AP(s), one running PSK2, the other running 802.1X. Seems like it would be much easier to configure and manage that way.

1 Like

Dear Jeff,
Thanks for replying to me. I don't want to use multiple SSIDs in my network, one WPA2-PSK and another 802.1X EAP. PPSK is short for private pre-shared key. Like PSK mode, clients join via a pre-shared key. But the difference is that PPSK lets every client have its own PSK. If he is up in the AP, others cannot use his key to join the SSID. So this authentication mode has both convenience and security. Many access point manufacturers like Aruba and Ruckus support this function.


I am not sure OpenWrt could provide a function like the one in the following link.
Yours sincerely.

Looks like this is a feature of hostapd in combination with a radius server...

Found this in hostapd.conf:

# Optionally, WPA passphrase can be received from RADIUS authentication server
# This requires macaddr_acl to be set to 2 (RADIUS)
# 0 = disabled (default)
# 1 = optional; use default passphrase/psk if RADIUS server does not include
#	Tunnel-Password
# 2 = required; reject authentication if RADIUS server does not include
#	Tunnel-Password
#wpa_psk_radius=0

I'm not sure if this scenario could be configured with uci, but with a self-created hostapd.conf it should be possible.

The key -> device binding will be implemented with the mac address

1 Like
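A hostapd.conf sketch for the setup described in the post above, as an added example that is not part of the original thread or of any OpenWrt-generated configuration. The interface name, SSID, RADIUS address and shared secret are constructed placeholders; the option names are standard hostapd options.

```conf
# Constructed example: per-client PSK delivered by RADIUS (PPSK).
interface=wlan0
driver=nl80211
ssid=ExamplePPSK

# Plain WPA2-PSK on the air: clients need no WPA-Enterprise support.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

# Ask the RADIUS server about every station MAC address.
# hostapd sends the MAC as the User-Name of an Access-Request.
macaddr_acl=2

# Weak variant: with 1, a station whose RADIUS reply carries no
# Tunnel-Password falls back to the shared default passphrase,
# so one leaked default key still admits any accepted MAC.
#wpa_psk_radius=1
#wpa_passphrase=<shared-default-passphrase>

# Strict variant: with 2, a reply without Tunnel-Password is rejected
# and no shared passphrase needs to exist on the AP at all.
wpa_psk_radius=2

# RADIUS server that maps MAC address -> Tunnel-Password.
# 192.0.2.10 is a documentation address, replace with your server.
own_ip_addr=192.0.2.1
nas_identifier=example-ap
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=<radius-shared-secret>
```

Because the key is bound to the MAC address, a station only joins if it presents both a MAC the server knows and the passphrase stored for that MAC; keep the AP-to-RADIUS link on a trusted management network, since the Tunnel-Password is protected only by the RADIUS shared secret.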

Thanks. Let me have a try! It seems that I couldn't have it configured via LuCI. But this option is able to solve my question.

It should be possible to use only hostapd for your scenario, because hostapd does include an integrated RADIUS server implementation.

@yuanshan6666 Keep us updated if you get it to work, possibly this could be integrated in uci/luci...

Did you get it working? I have the same requirement for my network and do not want to use WPA-Enterprise as I will be connecting IoT devices and gaming consoles which do not support WPA-Enterprise.

Any luck here? Do we or don't we support PPSK in OpenWrt?

What about EAP-PWD (RFC5931)? Would this be of any help?

I think it is already available in OpenWRT now.

CISCO implemented this some time ago as a new feature in their WLAN Products
Identity PSK Feature Deployment Guide

Hi!
I have pushed 2 PRs that would let you use PPSK:
Base: https://github.com/openwrt/openwrt/pull/3509
Web interface change: https://github.com/openwrt/luci/pull/4513

3 Likes

I was able to successfully test the PR.
Currently the dynamic VLANs on OpenWrt do not work for me (RADIUS is OK), but this could be a problem with ath10k.

https://dev.archive.openwrt.org/ticket/22369

In the OpenWRT log I currently only see "RADIUS: starting accounting session", but no "RADIUS: VLAN ID ...".

https://www.blog.happytec.at/index.php?mode=view&id=417

Hi @christian1982, I am glad you tried.
As far as I remember, there were some changes to the ath10k firmware/driver between 18.06 and 19.07 that broke AP/VLAN functionality. That happened to me as well, but AP/VLAN is working fine again in newer versions.

After building with this PR on 21.02 the wireless interfaces are no longer active. Can you please take a look at your PR to ensure that it's compatible with 21.02?

Can you provide more details about your hardware?

I was working on a very customized version of hostapd, researching and testing an improved version of the PPSK AP/VLAN thing. Because of this I had to freeze my code and release until I am done with my extra cmd interface to hostapd. After that, I should be able to clean up the code and upgrade it again.

I am so happy that people are trying and using PPSK. The PR has been waiting for one year already to be merged and they don't seem to care too much. I hope the core team eventually decides to merge it.

While I'd love to see this upstreamed, I am willing to pull patches for testing. I can test this on various types of hardware: I have Mikrotik routers and APs, Ubiquiti APs from AC Lites to WiFi 6 LRs. Currently, we are building 21.02 across UniFi AC Lites and WiFi 6 Lites, as well as the Mikrotik hAP AC2, and I can also do the cAP AC as I have that for testing as well but haven't flashed it to OpenWrt. I started another post in the Dev section and linked this as I was attempting to drum up some use for this as I'd not heard back from you. I went a bit internet stalker and commented on your git repo as well as the PR here at OpenWrt as it had been quite some time since your last message. I'm really glad that I've caught your attention. Keep in touch and if you PM I will share my contact information and we can see if I can help you get this project moving along.

Any updates on this? Hate to revive an old thread like this but it seems to be the only one talking about what I need. Trying to determine if OpenWRT is suitable for my needs and PPSK is basically a requirement.

Hello,

There is another thread on this topic if you don't want to use RADIUS

https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696

PPSK with RADIUS on OpenWrt also works well.
I am in the process of completing the integration with RADIUSdesk and MESHdesk/APdesk although it is not fully complete yet.

When it is complete it will include redirecting unknown users to a captive portal to register and choose their PSK and also the ability to do daily, weekly and monthly data limits.

(This will all be fully Open Source)