don't allow multiple devices for guest account - using CWP and ID Manager

  • Question
  • Updated 3 years ago
  • Answered
We are using an open wifi called GUEST. In HM it is configured to use ID Manager with CWP.
ID Manager is configured to use username/password authentication.

That is working fine.

BUT: Users can log on with the account on multiple devices at the same time and can share the account information which was created at our reception.

Is it possible to restrict the access for a username/password authentication to just one device?

Pascal Kempter


Posted 3 years ago


Luke Harris

Pascal,

There seems to be some confusion regarding your use of 'Open' and 'Secured' networks. Correct me if I'm wrong, but you have an SSID that is configured to use PPSK through a CWP? If this is the case, the answer to your question would be to reduce the number of concurrent logins/sessions a user can have. This can be done when configuring the SSID as part of the network policy.

Roberto Casula, Champ

Pascal, if you are using an open SSID with ID Manager and a username/password guest type via CWP as your post seems to suggest then it is not currently possible to limit the device or number of devices those credentials can be used on.

You would have to switch to using PPSK rather than CWP with username/password as Luke suggests.

Change the SSID to be a PPSK SSID and check the ID Manager checkbox. Then set the guest type in ID Manager associated with that SSID to be a PPSK rather than username/password type and set up the criteria for key length/characters etc. Then you can set the SSID option "Set the maximum number of clients per PPSK" to 1.

This will allow only one device at a time to use that PPSK. If a second device tries to use the same PPSK while the first device is still active in the roaming cache, the access attempt will be rejected. Note that the roaming cache is only shared amongst APs that are aware of each other, so usually if you have multiple sites, the limit will only apply on a per-site basis. Also note that there is no binding to the MAC address of the device. If the first device disconnects and the roaming-cache entry ages out, a second device can then use that same key - it will just limit "concurrent" usage.

There is a way to have ID Manager PPSK accounts bound permanently to the MAC address of a device so that only one device can ever use a PPSK, but this only works for "self registration" via a registration SSID (the PPSK is bound to the MAC address of the device which was used to self-register). This mechanism requires that the initial registration be authenticated against a RADIUS server, so it is not really appropriate for guest access (it's designed for BYOD access for staff, so your staff can register for a PPSK to use on their mobile device by registering using their Active Directory credentials, for example).
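The behaviour described above (one client per PPSK, enforced by a per-site roaming cache with no MAC binding, so the key becomes reusable once the entry ages out) can be modelled in a few lines. This is an added illustration, not HiveOS or ID Manager code; the age-out interval and the key/MAC values are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SiteRoamingCache:
    """Model of one site's roaming cache: PPSK -> {client MAC: last-seen time}.
    Constructed illustration only, not HiveOS/ID Manager code."""
    max_clients_per_ppsk: int = 1        # the "maximum number of clients per PPSK" SSID option
    age_out_seconds: int = 600           # assumed age-out; the real value is a HiveOS setting
    active: dict = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # Entries for devices that went quiet and aged out are dropped; after this
        # another device may use the same key, because nothing binds the key to a MAC.
        for key in list(self.active):
            self.active[key] = {m: t for m, t in self.active[key].items()
                                if now - t < self.age_out_seconds}
            if not self.active[key]:
                del self.active[key]

    def attempt(self, ppsk: str, mac: str, now: float) -> bool:
        """Return True if the device is admitted, False if the attempt is rejected."""
        self._expire(now)
        clients = self.active.setdefault(ppsk, {})
        if mac in clients:               # same device re-associating: refresh its entry
            clients[mac] = now
            return True
        if len(clients) >= self.max_clients_per_ppsk:
            return False                 # key already in concurrent use at this site
        clients[mac] = now
        return True


def scenario() -> list:
    """Two sites that do not share a roaming cache; one guest key tried from three phones."""
    key = "guest-key-EXAMPLE"            # constructed PPSK value
    site_a, site_b = SiteRoamingCache(), SiteRoamingCache()
    results = []
    results.append(site_a.attempt(key, "aa:aa:aa:aa:aa:01", now=0))         # first device: admitted
    results.append(site_a.attempt(key, "aa:aa:aa:aa:aa:02", now=60))        # second device, same site: rejected
    results.append(site_b.attempt(key, "aa:aa:aa:aa:aa:02", now=60))        # other site, separate cache: admitted
    results.append(site_a.attempt(key, "aa:aa:aa:aa:aa:01", now=120))       # first device again: admitted
    results.append(site_a.attempt(key, "aa:aa:aa:aa:aa:03", now=120 + 600)) # after age-out: a new device is admitted
    return results
```

The last step is the point the reply makes: the limit is on concurrency only, so a shared key becomes usable by a different device as soon as the cache entry expires.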

Pascal Kempter

Hello Luke,
Thanks for your reply.
Sorry. Maybe it was a little bit confusing.
I have configured an SSID without authentication (OPEN) but with "Use Aerohive ID Manager".

For the profile I created a CWP

In ID Manager I created a Guest Type with User Name / PWD.

All this works fine. But now I have the problem that the created account can be shared.
It would be nice if a created user could only use the account with one device.

I know that it is possible with a Private PSK, but there I have the problem that the guests save the PPSK and then have a problem with connecting the next time they come and need a new guest account.

Pascal Kempter

Hello Roberto,

Thanks.
What happens if a user expires and an account is recreated? Does he get the same PPSK?
If yes, it will be good. If not, I think it is a problem because nearly all devices store the PSK, and if they connect a second time and need to connect with a new PPSK they cannot connect. Then they need to delete the saved network and log on again.
Many users have a problem with deleting the network because they don't know where to do it.

Roberto Casula, Champ

Yes, this is certainly a problem with PPSKs that comes up a lot. This has also long been a problem with traditional PSKs where you change the PSK on a regular basis. Partly, this is down to poor design in the devices themselves (some devices WILL eventually re-prompt the user to enter a new key, but many don't and require the user to manually "forget" the SSID in order to enter a new key).

In the last IDM update, functionality was added to allow expired PPSKs to be renewed (the user is allowed to request this themselves via a CWP intercept on their device when the PPSK they are using has expired). This requires all APs to be running HiveOS 6.4r1 or later (which is a problem if you have AP120s etc. as these will not support that version).

Currently though, this renewal mechanism will generate a NEW PPSK. I know many customers have asked for the option to EXTEND/REACTIVATE the existing PPSK, but this is not currently how the function works.

Similar requests have gone in to allow the extension/reactivation of accounts from within the registration UI. Again, currently, if you try to create an account for a user that already exists, you will be prompted only to create a NEW credential for that user.

Luke Harris

One thing I would like to see within IDM is the ability to email each user their PPSK information individually after a bulk update. At present, when a bulk load of users is added, it is only possible to forward all key information to a single address, which then requires a large amount of manual work to distribute them.

Roberto Casula, Champ

Search on here to see if that has already been submitted as an "idea". If not, then submit one - these requests are definitely looked at by Aerohive and it's the best place to raise feature requests like this.

Pascal Kempter

Thanks all for your help.
Notifying the users and making it possible to renew the PPSK is not the worst solution.
I will try it. But I'm not sure if it will work because we have the AP390 with the newest software, HiveOS 6.0r2f.
I will also post it as an "Idea" to make it possible to restrict access to a non-PPSK network to one device.

From my side it is the best solution if they make it possible.