Change Local User Groups settings

  • Question
  • Updated 3 years ago
I created several Local User Groups and some associated users but realized that the character restrictions (Local User Groups / Private PSK Advanced Options / Character Restrictions) weren't set right. However, I wasn't able to change the settings in the group (received the message "This profile cannot be modified because it is being used by a local user or because you have no permission.") until I deleted all of the users that used that group. Shouldn't you be able to change these settings without deleting all of your users?

Thanks,
-Dan

Dan Mellem

Posted 3 years ago

Crowdie, Champ
The reason you can't make the change is that it can invalidate a number of the existing auto-generated PPSKs. For example, if the following automatically generated PPSKs exist:

* A@he73k$
* g6d6ud9oi

and you remove special characters as an acceptable character then the first auto-generated PPSK is invalid.
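To make the conflict above concrete, here is an added example (not code from the thread, from HiveManager, or from Aerohive) of the check an administrator would want before changing a group's character restrictions: it previews which existing keys a proposed policy would invalidate. The `CharacterPolicy` model and its fields are assumptions of this example; the two sample keys are the ones quoted above.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class CharacterPolicy:
    """Hypothetical model of a user group's character restrictions."""
    min_length: int = 8
    allow_letters: bool = True
    allow_digits: bool = True
    allow_special: bool = True

    def allowed(self, ch: str) -> bool:
        if ch in string.ascii_letters:
            return self.allow_letters
        if ch in string.digits:
            return self.allow_digits
        # Anything that is not a letter or digit counts as "special" here.
        return self.allow_special


def violations(key: str, policy: CharacterPolicy) -> list:
    """Return a list of human-readable reasons why `key` fails `policy`."""
    problems = []
    if len(key) < policy.min_length:
        problems.append(f"length {len(key)} < {policy.min_length}")
    bad = sorted({ch for ch in key if not policy.allowed(ch)})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def preview_policy_change(keys, new_policy: CharacterPolicy) -> dict:
    """Map each existing key that would become invalid to its problems."""
    report = {}
    for key in keys:
        problems = violations(key, new_policy)
        if problems:
            report[key] = problems
    return report


# Constructed sample: the two auto-generated PPSKs quoted in the thread.
EXISTING_KEYS = ["A@he73k$", "g6d6ud9oi"]

if __name__ == "__main__":
    proposed = CharacterPolicy(allow_special=False)
    for key, problems in preview_policy_change(EXISTING_KEYS, proposed).items():
        print(f"{key}: {'; '.join(problems)}")
```

Running this with special characters removed flags `A@he73k$` and leaves `g6d6ud9oi` untouched, which is exactly why a controller that enforces the policy against existing keys refuses the change. Whichever behaviour the controller implements (rejecting the change or applying it only to keys created afterwards), producing this report first tells you which users would be affected.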
Dan Mellem
It shouldn't matter if existing keys don't meet the current rules; it should apply the rules going forward. If nothing else, manually-created keys shouldn't block making the rule change. If I change password requirements for any other system (such as a Windows domain), I don't need to delete all of the users before changing a password policy.

Thanks,
-Dan
Mike Kouri, Official Rep
Dan,
You are certainly entitled to your own opinion, and I understand where you are coming from, but Crowdie was exactly correct about how HiveManager and HiveOS behave and why. 
Dan Mellem
I wasn't challenging Crowdie. I was pointing out this is inconsistent with how most systems handle permission changes. It took extra troubleshooting time because I wouldn't have expected to have to delete accounts to make such a change. I would file this as a bug if it were my project.

I thought the trophy by his name represented he is an employee, which is why I told him it didn't make sense. I'm just evaluating the system right now and am doing the initial setup before buying the APs, so this is the point where I'll run into oddities and possible dealbreakers, so I'd like to report anything weird as I'm figuring this system out.

Thank you,
-Dan
Crowdie, Champ
PPSKs are definitely not perfect, but once you understand how they work they are really useful, particularly for small and medium sized deployments. If you are looking at a large deployment needing great scalability then I would use EAP-TLS authentication with Active Directory.
Mike Kouri, Official Rep
Dan,
Please forgive me. I wasn't trying to chastise you, even if it came across that way.

Crowdie is one of our most-experienced users, and in recognition of that and his willingness to share his expertise with others here we've granted him "Champ" status and other privileges.

All Aerohive employees -should- be identified with "Official Rep" or "Aerohive Employee".

The particular area of HiveOS we are discussing here (local user groups, manual and auto PPSKs) has been largely untouched since the founding of the company, and if we were implementing it from scratch today then we would definitely do it differently. However, because of that past we are now constrained in what sort of changes we can make, and we have a customer-base who now has some ingrained expectations (I think Microsoft feels similarly about the Start button in Windows).
Dan Mellem
Crowdie: Thanks. We are phasing out the PSK networks, but I'm trying to keep parity for now so that we can swap out the APs without anyone having issues, and then start migrating to our new methods. But that means creating about 45 PSK networks with different passwords each. :) I appreciate the help.

Mike: Don't worry about it. Thanks for the insight on how it works and the background on why it's how it is.
Crowdie, Champ
For anybody reading this, there are two different types of PPSKs and they act differently.

Automatically generated PPSK accounts are not sent to the access points, but the algorithm that created them is. When a wireless client attempts to authenticate to an access point the supplied passphrase is checked against the algorithm to see if it is valid or not. For this reason automatically generated PPSK accounts are valid from when they are created and do not need to be "pushed" to the access points.

Manually created PPSK accounts are more traditional and allow the user to select their username and password. These PPSK accounts must be "pushed" to the access points via the "Activate" option in User Manager or by updating the "employee, guest, and contractor credentials" in HiveManager.

Dan, I have had situations where I have had to reduce the passphrase complexity, normally for guests, due to customer feedback. In this situation I create a new PPSK local user group and assign it to the same SSID, user profile, etc. This means that the existing PPSK accounts and any newly created PPSK accounts end up in the same user profile, VLAN, etc.
Dan Mellem
Thanks. Nice to know how they work. If it's just based on the algorithm, how are keys expired? It seems like it would still need to know which keys (or seed or whatever) to use or which are valid.

Yeah, we have a lot of existing accounts on our old wireless, so I was importing the accounts in the new system, but quite a few of the accounts don't have special symbols, which is why I was trying to change the complexity requirements, but that meant I needed to delete the accounts already created. Not a problem in this case since I was just importing users, but I could see it being a problem once this is in full production.

Thanks,
-Dan
Crowdie, Champ
If it's just based on the algorithm, how are keys expired?
If the key is date/time limited (something I do for guests in combination with key auto generation) then that data is included in the algorithm, so User Manager automatically "expires" the keys. You can see this in the "Local Users" area of HiveManager.

If you want to test this, block the access point from getting NTP updates and you will see that the date/time limited keys will no longer work while non-date/time limited keys will.

It is important to understand when to use PPSKs. They were created to "fill the hole" between full 802.1X and PSK. PSK has far too many limitations, primarily that it is a major security risk, while 802.1X is not supported by all clients. PPSK removes some of the limitations of PSK without having to deploy 802.1X, particularly if you have clients that do not support 802.1X. Would you use PPSKs to authenticate staff at a financial institution? No, but you may authenticate guests with PPSKs to grant Internet access only.
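The two posts above describe two verification paths on the access point: auto-generated keys checked against an algorithm (with any expiry baked into that algorithm, hence the dependence on a correct clock) and manually created keys that must be pushed as a list. The following is an added toy model of that split written for this thread; it is not Aerohive's scheme, which is not published, and the HMAC-based construction, the `GROUP_SECRET`, the `MANUAL_KEYS` store and the passphrase layout (user id + expiry + truncated tag, base32 encoded) are all assumptions of the example.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import struct

# Constructed group secret: in this model it is the only thing the controller
# has to push to an access point for auto-generated keys to be verifiable.
GROUP_SECRET = b"constructed-group-secret-do-not-reuse"

# Constructed store of manually created PPSKs. These have to be pushed to the
# access point explicitly, which stands in for the "Activate" step above.
MANUAL_KEYS = {"printer-key-2024": "warehouse-printer"}

HEADER = struct.Struct(">IQ")  # user id (4 bytes) + expiry epoch seconds (8 bytes)
TAG_LEN = 6                    # truncated HMAC tag appended to the header


def generate_ppsk(secret: bytes, user_id: int, expires_at: int | None) -> str:
    """Derive a passphrase from the group secret; expiry 0/None means no time limit."""
    header = HEADER.pack(user_id, expires_at or 0)
    tag = hmac.new(secret, header, hashlib.sha256).digest()[:TAG_LEN]
    return base64.b32encode(header + tag).decode().rstrip("=")


def verify_generated(secret: bytes, passphrase: str, now: int) -> tuple[bool, str]:
    """Check a passphrase by recomputing its tag; no per-user key is stored."""
    padded = passphrase.upper() + "=" * (-len(passphrase) % 8)
    try:
        raw = base64.b32decode(padded)
    except (binascii.Error, ValueError):
        return False, "malformed"
    if len(raw) != HEADER.size + TAG_LEN:
        return False, "malformed"
    header, tag = raw[:HEADER.size], raw[HEADER.size:]
    expected = hmac.new(secret, header, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag"
    _user_id, expires_at = HEADER.unpack(header)
    # The expiry travels inside the key, so the check depends only on the AP clock.
    if expires_at and now > expires_at:
        return False, "expired"
    return True, "ok"


def ap_check(passphrase: str, now: int) -> tuple[bool, str]:
    """What an AP does in this model: pushed manual keys first, then the algorithm."""
    if passphrase in MANUAL_KEYS:
        return True, "manual:" + MANUAL_KEYS[passphrase]
    return verify_generated(GROUP_SECRET, passphrase, now)


if __name__ == "__main__":
    guest = generate_ppsk(GROUP_SECRET, 7, 1_700_000_000)
    print(guest, ap_check(guest, 1_699_999_999), ap_check(guest, 1_700_000_001))
    print(ap_check("printer-key-2024", 0))
```

The model shows why the thread's NTP test works: a time-limited key carries its own expiry, so an access point whose clock is wrong accepts or rejects it incorrectly, while a key with no expiry is unaffected. It also shows why nothing per-user needs to reach the AP for generated keys, whereas a manual key is only honoured once it is in `MANUAL_KEYS`.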
Dan Mellem
Thanks. Right now we use WPA2-PSK for some mobile computer labs so the individual students don't need to log in. We may also create a new SSID if we have guests for the day, but I would now just create another credential under the PSK network. Personal devices and staff access use WPA2-Enterprise.

-Dan
Crowdie, Champ
I tend to use 802.1X for domain (EAP-TLS) and BYOD devices (PEAP-MSCHAPv2), manual PPSKs for warehouse scanners, wireless printers, etc., and automatically generated PPSKs for guests.

IMHO one of the biggest advantages of PPSKs is that they can replace all captive portal (web auth) authentication that just doesn't work with all wireless clients.
Dan Mellem
We don't have any domain members, but other than that, that's essentially what we're doing. So, do you run three SSIDs (domain, BYOD, PPSK) and then assign different permissions based on account? We use two SSIDs (WPA2/PEAP/CHAP for staff and students and [P]PSK for labs and guests).

Thanks.