Binding a MAC address to a PPSK

Hello All,
I have set up an SSID for devices to have their own PPSK that only allows one connection to the WLAN. However, I cannot seem to bind the device MAC to the PPSK.

When I tick the "Automatically bind a private PSK to a MAC address" on the SSID, I have an option to add a PPSK server. However, when I click the PPSK server link, I cannot create a new one. From reading, I have seen you can make a single AP the PPSK server, but cannot see how to do that.

Could someone explain to me how I set up a PPSK server so that I can do the MAC to PPSK binding?

Carl

Carl Morton

Posted 5 years ago

Phil Keeley

Hi Carl,

The AP acting as the PPSK server has to have a static IP address. Simply set one of your APs to a static address and it will then appear in the list for use as a PPSK server.

Regards

Phil

Carl Morton

Thanks Phil, I have now managed to get that working. I am further experimenting with this and have allowed two concurrent connections for a PPSK, but it does not seem to bind two MACs to the PPSK, only the first device that connects. Is this something that is supported, or will I have to disable MAC binding to have more than one concurrent connection?

Carl

Phil Keeley

Hi Carl,

Yes, this is expected behaviour on the current release. The number of clients per PPSK and MAC Binding are mutually exclusive. MAC Binding forces a single MAC per PPSK.

There is a feature request in the system to make these options work together, but it is not yet a committed feature.

regards

Phil

Crowdie, Champ

Carl, there are two feature requests around PPSK servers that we see on the forums:

* The ability to have more than one PPSK server. If you currently utilise a single access point as a PPSK server and that access point fails, the PPSK server is no longer available to authenticate wireless clients.

* The ability to edit the PPSK to MAC Address bindings.

My understanding is that both of these feature requests are on the "to be done" list.

Terence Fleming ThinkWireless, Champ

Can we get an update on the two feature requests that Crowdie mentions?  

(i.e. possible timescale?)

Mike Kouri, Official Rep

Terence,
Both of these are still in our backlog list of items to be prioritized and scheduled. The first one, redundancy for PPSK servers, is one that I am trying to get scheduled for the end of this year or early next year. The other will follow, but I won't even venture a guess at timeframe. New urgent items keep popping up and floating to the top of the list.

Nick Lowe, Official Rep

The open source hostapd now supports per-device PSKs using the RADIUS standard attribute Tunnel-Password. Is there any chance we could see this being supported in HiveOS? (Or via VSAs.)

This way, PPSKs and high availability could be set up to be the concern of the RADIUS back end, decoupled from HiveOS.

thewifigeek, Champ

Has Aerohive implemented PPSK server functionality on CVG yet?

Amanda

This is a great conversation that's separate from the main topic, so I created a new topic to continue the discussion. Please reference the new topic here: Has Aerohive implemented PPSK server functionality on CVG yet?

Christophe BATALHA

Hello,
Is it now added "The ability to edit the PPSK to MAC Address bindings"?
Thanks - Christophe

Mike Kouri, Official Rep

Christophe,
Sorry, no, that is still on our backlog list. I don't have an expected timeframe that I can share.

David Carey

If this is not added, is there at least a way to see which MAC is bound? Seems like this would be a priority, as if you give a user an account for his laptop, and he connects with his phone first and then tries his laptop and no dice, you'd need a way to see and remedy the situation.

Joe, Product Management

Hi David,

This was released in the latest release 6.6r1. You can bind multiple MACs to a PPSK or multiple PPSKs to a MAC. For example,
- security-object Employee security private-psk mac-binding-keys-per-mac 2 (this binds up to 2 PPSKs to the same MAC address)
- security-object Employee security private-psk mac-binding-keys-per-key 5 (this binds up to 5 MAC addresses to a single PPSK)

You can bind up to 5 MACs to a PPSK, or 5 PPSKs to a MAC. The default is 1.

Additionally, you can manually remove a key binding. This feature also comes with a show command to display the current binding. Please have a look at the release note. All these commands are available in CLI only at this time, however.

Joe.
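
The two limits described in the post above, modelled as an added example (not HiveOS code and not part of the original thread). The class and method names are hypothetical, the MAC addresses are constructed, and the auto-bind-on-first-connect behaviour is an assumption taken from the scenario discussed earlier in the thread.

```python
from collections import defaultdict

class BindingTable:
    """Toy model of PPSK-to-MAC auto-binding (hypothetical, not HiveOS)."""

    def __init__(self, keys_per_mac=1, macs_per_key=1):
        self.keys_per_mac = keys_per_mac  # models mac-binding-keys-per-mac
        self.macs_per_key = macs_per_key  # models mac-binding-keys-per-key
        self.macs_by_key = defaultdict(set)
        self.keys_by_mac = defaultdict(set)

    def authenticate(self, ppsk_user, mac):
        mac = mac.lower()
        if mac in self.macs_by_key[ppsk_user]:
            return "accept (already bound)"
        # A key that has reached its MAC limit refuses any new device.
        if len(self.macs_by_key[ppsk_user]) >= self.macs_per_key:
            return "reject (key at MAC limit)"
        # A device that already holds its quota of keys cannot take another.
        if len(self.keys_by_mac[mac]) >= self.keys_per_mac:
            return "reject (MAC at key limit)"
        self.macs_by_key[ppsk_user].add(mac)
        self.keys_by_mac[mac].add(ppsk_user)
        return "accept (newly bound)"

    def unbind(self, ppsk_user, mac):
        """Manual removal of one binding, freeing a slot on the key."""
        mac = mac.lower()
        self.macs_by_key[ppsk_user].discard(mac)
        self.keys_by_mac[mac].discard(ppsk_user)

    def show(self):
        """Current bindings, keyed by PPSK user."""
        return {k: sorted(v) for k, v in self.macs_by_key.items() if v}

# Constructed sample MACs (locally administered range).
PHONE, LAPTOP = "02:00:00:00:00:01", "02:00:00:00:00:02"

def demo():
    """Default limits of 1: phone binds first, laptop is refused until unbind."""
    table = BindingTable()
    results = [table.authenticate("alice", PHONE),
               table.authenticate("alice", LAPTOP)]
    table.unbind("alice", PHONE)
    results.append(table.authenticate("alice", LAPTOP))
    return results, table.show()

if __name__ == "__main__":
    print(demo())
```
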

David Carey

So I take it this is executed by SSH to the particular AP acting as the database for the SSID? Thanks for the info, by the way.

Joe, Product Management

You can use supplemental CLI from HM also.

David Carey

Found the info, beautiful, thanks!!

cabrower

I wanted to circle back on this topic. I looked into HiveOS 6.6r1 for AP330 and found out they pulled it because it was bricking units. Is there any chance they will implement the PPSK unbinding feature in 6.5?

Christophe BATALHA

Hello,
I agree. In addition to the PPSK unbinding feature, would it be possible to add "The ability to edit the PPSK to MAC Address bindings"?
The CLI solution is not a nice one to use; doing it from the web interface would be great.
Thanks - Christophe