How to configure PPSK

  • Question
  • Updated 1 year ago
  • Answered
What happens if the AP acting as the PPSK server goes offline? Are you able to assign a backup? Will the assigned AP still operate as an AP?

Also, I can't find the idiot's guide on how to correctly install this setup. Does anyone know where to find this?

Note: This topic was created from a reply on the "Why would I want to set up my WiFi network with a Radius Server?" topic.

James Watson


Posted 5 years ago


Brian Ambler

Hi James,

A PPSK server is only needed if you are choosing to bind one or more MAC addresses to a PPSK or if you wish to configure self-registration. If all you wish to do is have users authenticate with their own PSKs (which is the standard configuration) then all of the APs store the individual PPSK digests. If one of your APs goes down, the wireless clients will be unable to authenticate against that AP, but they can still use any other APs in range.

More information about Private PSK can be found in the help here.

To deploy an SSID with PPSK, navigate to "Configuration > [Your Network Policy]" and click "Choose" next to SSIDs


When prompted to choose an existing SSID or create a new one, click "New"


Give the new SSID a name and select Private PSK as the SSID Access Security, then click Save


Make sure the new SSID is selected, then click OK


Click the link for "PSK User Groups" to create a new group


When prompted to choose an existing PSK User Group or create a new one, click "New"


Here you will need to give the new PSK User Group a name (a) and choose "Automatically generated private PSK users" for the User Type (b). You will also want to specify the User Profile Attribute, VLAN ID, User Name Prefix and Private PSK Secret (c). This will define the User Profile Attribute to which your PPSK Users will be assigned. If needed, you can also expand the Private PSK Advanced Options (d) and customize the PPSK group settings as needed.


Make sure the new PSK User Group is selected, then click OK


Click the link to Add/Remove User Profiles which will determine which User Profile your PPSK Users will be assigned after authenticating


Choose which User Profile you want to have your PPSK Users assigned. In this example I've only created one PSK User Group, so I have only assigned one User Profile to the Default profile. If you need to specify more than one PSK User Group, for example one for Faculty and one for Students, you can assign User Profiles to the Authentication profile just as you would with 802.1X/RADIUS. Make sure to click OK once you have made your User Profile assignments.


Save the changes to your Network Policy, then navigate to "Configuration > Advanced Configuration > Authentication > Local Users". From here you can click "Bulk" to create more than one PPSK User at a time


From here choose the PSK User Group you created previously from the "Create Users Under Group" dropdown box and specify the number of users needed


Once you have created your PPSK Users, push the changes out to your devices. You now have a few choices for how to manage these PPSK Users. If you only have a few users, you can manage them manually by clicking the "Clear Text PSK".

This will show you all of the PPSKs you just bulk created allowing you to hand them out to your users as needed


However, if you have many users connecting to your wireless network, or choose to implement PPSK for a guest network, manually managing the PPSKs would quickly become unmanageable. For this use I would recommend User Manager, which is a front desk/administration type interface which allows you to email out the PPSKs on a per user basis.

To configure User Manager, first go back to your Network Policy and click on the link to edit the User Profile(s) assigned to your PPSK SSID. From here, tick the checkbox to "Manage users for this profile via User Manager" and click Save.


Push this change out to your devices, then navigate to "Home > Administration > Administrators" and click "New". From here you will need to create a new User Manager Administrator, making sure to choose "User Manager Admin" from the Group Type dropdown box, then click Save


Once this is done, log out of your HiveManager and log back in as the new User Manager Admin you just created. In the User Manager GUI, navigate to "User Manager > Temporary Accounts > Create Accounts" and click Create


From here you will assign the PPSK Users you created earlier to your users by selecting the PSK User Group you created and specifying the SSID they will be authenticating against. Notice you will see a PPSK has been chosen for each new user you create in User Manager. Once you're finished filling out the details for the user, click Save


If you have configured email notifications on your HiveManager (Home > Administration > HiveManager Services > Update Email Service Settings), you can choose to email out the PPSKs straight from User Manager to the email address(es) you configured for each user.


When the user receives the email, they will see a description of the PPSK with the PSK associated to their user and the Start/End times of the PPSK validity period (optional), if configured under "Private PSK Advanced Options" on the PSK User Group.


I believe this covers the basics of configuring PPSK, but let me know if I have missed anything or if you have any further questions.

James Watson

Got it, this worked great and was easy to set up (as soon as someone shows you how!) Thanks for doing this, must have taken you ages. (This is another reason why I love Aerohive.)

I'm going to deploy it to my high school which has approximately 240 iPads. I will let you know how it goes. I do have some other questions regarding the configuration, but I am thinking that would be best for another topic.

Thanks again!

Michael Peloquin

I've followed this guide but can't authenticate. Any gotchas for this? When I connect to the SSID it only has a password option, nothing for username.

Amanda

We recently posted a video blog about how to configure a PPSK. Have you had a chance to see this yet? http://blogs.aerohive.com/blog/networking-luminaries-series/how-to-configure-a-ppsk

Haydn St

We have got PPSK to work in our environment. However, any change to the Local user list means that all APs have to be updated again, which is cumbersome, and in most cases during class time we cannot get this working at all.

Is it possible to have PPSK work the same way RADIUS users work? I notice with this option we only need to update the APs assigned as RADIUS servers.

Nick Lowe, Official Rep

http://sashkastechnical.blogspot.co.uk/2013/01/12-networking-series-aerohive.html

There are some VSAs of potential interest:

ATTRIBUTE       Aerohive-PPSK-Request               201     octets
ATTRIBUTE       Aerohive-PPSK-PMK                   202     octets

Using them would definitely be in undocumented and likely unsupported territory though.

Crowdie, Champ

You could always use automatically created PPSKs rather than manually created PPSKs.  This would remove the need to update the access points.

If you need to utilise manually created PPSKs then create a User Manager Admin account and "activate" the PPSKs as you create them.

Haydn St

Would creating the PPSKs this way remove the need for each AP to be updated?

Luke Harris

The other option for PPSK deployment is to use ID Manager, which lifts the limit of PPSKs that can be stored per access point and eliminates the need to perform an update each time a new user is added.

Haydn St

In all the above cases, does this mean that I would change the authentication method, i.e. from PPSK to RADIUS?

And if we go for creating them under an ID Manager, is this an extra application/module we would need to purchase from Aerohive?

Hoang Tung

Hi,
This is how we auto-generate passwords. What is the feature of the option "Manually create PSK"?
Thanks

Arkadiusz

Guys,
Please help. I have HM NG with Guest SSID (PPSK). We had to unblock port 2083 both to APs and clients. I understand why APs need this port to be unblocked, but clients? Why do they need this port? Do they generate any traffic or have any communication with HM NG on their own?

Nick Lowe, Official Rep

Clients do not need this port and do not have any direct communication with HMNG in this regard.

Rather, the APs use this port to talk to HMNG via RadSec.

Thanks,

Nick

Arkadiusz

OK. I ask because I had an issue when unblocking this port for APs didn't solve the "authentication failure" problem when logging in. We had to unblock this port also for clients and it helped. Any ideas why?

Nick Lowe, Official Rep

I have no idea how this could help or be related. Clients do not use RadSec to talk to HMNG.

I would suggest that you investigate further with packet captures.
(Edited)
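
Added example, not part of any post in this thread and not Aerohive code: one way to follow up on the packet-capture suggestion is to summarise which hosts open TCP connections to the RadSec port (2083) and whether they get a SYN-ACK back. The capture lines, all IP addresses and the AP address list are constructed placeholders, and the input is assumed to be `tcpdump -nn` text output.

```python
import re

RADSEC_PORT = 2083  # RadSec port named in the thread

# Constructed sample of `tcpdump -nn tcp port 2083` output. All addresses are
# private/documentation placeholders, not values from the thread.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 10.0.10.21.49152 > 203.0.113.10.2083: Flags [S], seq 1000, win 29200, length 0
12:00:01.020455 IP 203.0.113.10.2083 > 10.0.10.21.49152: Flags [S.], seq 2000, ack 1001, win 28960, length 0
12:00:01.020901 IP 10.0.10.21.49152 > 203.0.113.10.2083: Flags [.], ack 1, win 229, length 0
12:00:02.500000 IP 10.0.10.22.50111 > 203.0.113.10.2083: Flags [S], seq 3000, win 29200, length 0
12:00:03.500000 IP 10.0.10.22.50111 > 203.0.113.10.2083: Flags [S], seq 3000, win 29200, length 0
12:00:04.100000 IP 10.0.20.57.51515 > 203.0.113.10.2083: Flags [S], seq 4000, win 64240, length 0
"""

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def radsec_initiators(capture_text, port=RADSEC_PORT):
    """Return per-source stats for TCP sessions opened towards `port`."""
    stats = {}
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if int(dport) == port and "S" in flags and "." not in flags:
            # Bare SYN (no ACK): this host is trying to open a session.
            entry = stats.setdefault(src, {"syn": 0, "answered": False})
            entry["syn"] += 1
        elif int(sport) == port and "S" in flags and "." in flags:
            # SYN-ACK from the server side: the path is open for `dst`.
            if dst in stats:
                stats[dst]["answered"] = True
    return stats

def classify(stats, ap_addresses):
    """Split initiators into answered APs, unanswered APs and non-AP hosts."""
    report = {"ap_ok": [], "ap_blocked": [], "unexpected": []}
    for src, entry in sorted(stats.items()):
        if src not in ap_addresses:
            report["unexpected"].append(src)
        elif entry["answered"]:
            report["ap_ok"].append(src)
        else:
            report["ap_blocked"].append(src)
    return report
```

An AP listed under `ap_blocked` is retrying SYNs without an answer, which points at filtering on its path; any address under `unexpected` is a non-AP host opening connections to port 2083 and is the thing to look at more closely in the full capture.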