Creating Private PSKs and Updating APs.

I am creating a helpdesk profile for my remote helpdesk staff. Within this profile the only thing they need to be able to do is create private PSKs for our guest and corporate network. Currently it appears that in order for the newly created PSK to take effect, I must update all APs that have the SSID that accesses that particular user group. The problem is, I do not want to give access to the helpdesk to update APs. Is there a way around that?

Andy

  • 5 Posts
  • 0 Reply Likes

Posted 4 years ago


Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
Manually created PPSKs need to be activated (or have the user database pushed to each access point) while automatically generated PPSKs do not.  As soon as the automatically created PPSK is created it is known by the access points.  So to get around your issue:

  • Use automatically generated PPSKs  (the tradeoff is that you can't pick the passphrase as it is automatically created for you).
  • Create a User Manager Operator administrator account that grants access to the guest PPSKs and the guest SSID.
  • Give the HelpDesk staff access to the newly created User Manager Operator account.
 
(Edited)

Gregor Vucajnk, Official Rep

  • 74 Posts
  • 27 Reply Likes
Echoing Crowdie. Good answer. 


Andy

  • 5 Posts
  • 0 Reply Likes

The PSKs are automatically generated, but they are not automatically created.  The issue with auto-creation is that the keys are created for 1, 7, and 30 days.  Auto-creation will create one for 1, 7, and 30 days and then, when it is over, create another one.  I don't want to have to give a federal auditor a key that only lasts for 4 days and then have to give them a new one for the remaining 3 because they showed up in the middle of a week instead of on a Sunday.  Yes, I know I can just delete a key and it will auto-create another one, but then that makes management of the PSKs nearly impossible without logging in every day.  Thank you for your quick response.  It appears that I can either auto-create keys and not have to update APs but lose manageability, or manually create auto-generated keys and have to give helpdesk staff more rights.  Thank you again for your help.



Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
When you create a recurring Private PSK local user group there are five fields:

Private PSK Start Time
The date/time to create the first rotation of Private PSKs.

Private PSK Lifetime
How long each rotation of Private PSKs is valid for.

Private PSK Rotation Interval
How often to create a new rotation of Private PSKs.

Private PSK Rotations
How many rotations of Private PSKs to create.

Private PSK Users to Create per Rotation
How many unique Private PSKs to create each rotation.



So in the example above 50 Private PSKs are created every seven days that are valid for seven days.  This will occur 53 times (53 x 7 days [rotation interval] is approximately one year).  I suspect that this is how your Private PSKs were configured when you had the issue with users needing two Private PSKs, as their seven days started in the middle of one rotation and finished in the middle of the next rotation.



If we change the definition to the one above then 20 Private PSKs are created every day that are valid for seven days.  This will occur 365 times (365 x 1 day [rotation interval] is one year).  This will give you Private PSKs that are valid for one week but have a new rotation each day.  So on Monday a rotation of Private PSKs will be created that are valid from Monday to Sunday.  On Tuesday a rotation of Private PSKs will be created that are valid from Tuesday to the Monday of the week following.  On Wednesday a rotation of Private PSKs will be created that are valid from Wednesday to the Tuesday of the week following.  This should hopefully resolve your issue.

Note that I dropped the number of Private PSKs created per rotation as each access point only supports a limited number of Private PSKs (the AP330, for example, supports just under 10,000 off the top of my head), but as you have more rotations you shouldn't need as many Private PSKs per rotation.
(Edited)
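The two schedules Crowdie describes (weekly rotations with a seven-day lifetime, versus daily rotations with a seven-day lifetime) can be simulated to see both effects at once: how many days of coverage a visitor who arrives mid-week gets from the best key valid that day, and how many PPSKs are simultaneously valid, which is what counts against the per-AP limit mentioned above. This is an added example, not code from the thread or from Aerohive's HiveManager; it assumes the field semantics as explained in the post (each rotation's keys become valid at that rotation's start time and expire after the lifetime), and the start date (Sunday, 5 January 2020) and the `Policy`/`Ppsk` names are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    """The five fields of a recurring Private PSK user group, as described in the post."""
    start: date                 # Private PSK Start Time
    lifetime_days: int          # Private PSK Lifetime
    rotation_interval_days: int # Private PSK Rotation Interval
    rotations: int              # Private PSK Rotations
    users_per_rotation: int     # Private PSK Users to Create per Rotation


@dataclass(frozen=True)
class Ppsk:
    rotation: int
    index: int
    valid_from: date  # inclusive
    valid_to: date    # exclusive


def generate(policy: Policy) -> list[Ppsk]:
    """Expand a policy into the individual PPSKs it would create (assumed semantics)."""
    keys = []
    for r in range(policy.rotations):
        valid_from = policy.start + timedelta(days=r * policy.rotation_interval_days)
        valid_to = valid_from + timedelta(days=policy.lifetime_days)
        for i in range(policy.users_per_rotation):
            keys.append(Ppsk(r, i, valid_from, valid_to))
    return keys


def active_on(keys: list[Ppsk], day: date) -> list[Ppsk]:
    """All PPSKs that are valid on the given day."""
    return [k for k in keys if k.valid_from <= day < k.valid_to]


def visitor_coverage_days(policy: Policy, arrival: date) -> int:
    """Days of validity left on the longest-lived PPSK a helpdesk could hand out on arrival day.

    This is the 'auditor arrives on a Wednesday' case from the thread: 0 means no key is valid.
    """
    candidates = active_on(generate(policy), arrival)
    if not candidates:
        return 0
    best = max(candidates, key=lambda k: k.valid_to)
    return (best.valid_to - arrival).days


def peak_active(keys: list[Ppsk]) -> int:
    """Maximum number of PPSKs valid at the same time, via a difference-array sweep over days.

    This is the figure to compare against an AP's PPSK capacity, not the total created.
    """
    if not keys:
        return 0
    first = min(k.valid_from for k in keys)
    last = max(k.valid_to for k in keys)
    delta = [0] * ((last - first).days + 2)
    for k in keys:
        delta[(k.valid_from - first).days] += 1
        delta[(k.valid_to - first).days] -= 1
    peak = current = 0
    for change in delta:
        current += change
        peak = max(peak, current)
    return peak


# Constructed scenario: the start time is a Sunday, matching the thread's "on a Sunday" remark.
START = date(2020, 1, 5)
WEEKLY = Policy(START, lifetime_days=7, rotation_interval_days=7, rotations=53, users_per_rotation=50)
DAILY = Policy(START, lifetime_days=7, rotation_interval_days=1, rotations=365, users_per_rotation=20)
WEDNESDAY = date(2020, 1, 8)  # a visitor arriving mid-week

if __name__ == "__main__":
    for name, policy in (("weekly", WEEKLY), ("daily", DAILY)):
        keys = generate(policy)
        print(f"{name}: {len(keys)} keys created over the year, "
              f"{peak_active(keys)} valid at once, "
              f"{visitor_coverage_days(policy, WEDNESDAY)} days of coverage for a Wednesday arrival")
```

With the weekly schedule the Wednesday arrival gets a key with four days left (the same complaint raised earlier in the thread), while the daily schedule always yields a full seven days. The price is overlap: seven rotations are valid at any moment, so 20 keys per rotation means 140 simultaneously valid PPSKs rather than 50, which is why the post reduces the per-rotation count when the rotation interval is shortened.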

Andy

  • 5 Posts
  • 0 Reply Likes

Thank you for your reply.  I understand what you are saying, but that still doesn't resolve the issue of management.  True, I will get x number of PSKs created every day and then after 7 they will start disabling or deleting themselves, but that is kind of like creating 30 AD accounts with expiration dates and letting them sit there until they are needed or they expire.  It seems like a waste of resources to me.  From a management standpoint, it doesn't make much sense.  It does, however, provide a solution to my problem.  Again, thank you very much for your quick responses.


Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
For your corporate staff you could use manual PPSKs, which can be activated within User Manager by a User Manager Administrator.  The User Manager Administrator just creates a new manual PPSK for the corporate staff member and then clicks on the "Activate" button at the bottom of the PPSK list.  This "pushes" the newly created PPSK to each of the access points and the User Manager Administrator doesn't need, or get, access to the main HiveManager area.

It is worth noting that PPSKs are not recommended for corporate LAN access as 802.1X should be utilised.

Andy

  • 5 Posts
  • 0 Reply Likes

The reason we chose PPSK and not RADIUS is because we didn't want users logging in with personal devices onto the corporate network, and with PPSK we can limit the number of devices that can be registered with each PSK.



Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
I understand your problem.  To achieve the same with 802.1X you are probably going to need to implement EAP-TLS with client certificates.