Is it possible to limit user session time with PPSK?

  • Updated 2 years ago

Hello,

When we configure an SSID with PPSK authentication (with AP 330), is it possible to limit the session time for users (for security reasons), so that the users must authenticate again?

Thanks for your help!

Dom

Posted 2 years ago


Crowdie, Champ

Are you looking to limit the hours of the day the PPSKs are valid or the validity period of the PPSK? (i.e. the PPSK is only valid for xxx hours)

Are you using HiveManager/HiveManager Online or HiveManager NG?

Dom

I use HiveManager on an appliance VM, version 6.41d. In fact, I would like only the session to be limited, to one hour for example. Example: a user connects with the PPSK password; after one hour, if the user is still connected, the session is disconnected automatically, and if the user wants to connect again, he/she must re-enter the same PPSK password.
Thanks.

Roberto Casula, Champ

You can't really do what you're asking I'm afraid Dom. The client device will remember the PPSK and even if the AP disconnects the user, the client will just automatically reconnect using the same PPSK without any user intervention - there's nothing you can do to stop that as it's a client-side function.

If you expire the PPSK so the user needs to use a different PPSK to reconnect, then you have usability problems for the user for the same reason. The client remembers the previous PPSK and tries to use it and if the key is expired, they will simply not connect. Some clients may then prompt the user to enter a new key, but most don't and the user typically has to go into their wireless settings to either change or "forget" the previous PPSK. Also, if using this with ID Manager, the repeated attempt by the client to connect using an expired key will cause the client to be blacklisted for a time.

It sounds like you want the user to have to take an affirmative action to re-enter credentials, but PSK is not the right tool to do that. If you're concerned about security, PSK (even PPSK) is not really ideal. However even if you were using 802.1x, clients typically automatically re-use credentials.

The only thing you can really do to force a user to have to re-enter credentials is to use a captive web portal to authenticate them against a directory, e.g. Active Directory, which you could use in conjunction with PPSKs.

Dom

Thanks very much for your information.

Crowdie, Champ

You may be able to do what you want with one of:

* HiveManager/HiveManager Online with ID Manager
* HiveManager NG

ID Manager and NG have an option to renew PPSKs (have to enable when the PPSK group/type is created).  This means that the user can be notified via a txt message, for example, and can renew their PPSK validity for another period.


You will find an option to create a PPSK that is only valid for a set period of time, say one hour for example, from the time it is first used.  This covers your time limit requirement.


Hopefully that is of some use to you.

With HiveManager/HiveManager Online alone the closest you can get is a reoccurring PPSK but, as Roberto has advised, when the user wants to extend their connectivity period a new PPSK will be required.

Roberto Casula, Champ

The IDM renewal option Crowdie describes does work fine, but you'd obviously need an IDM subscription to use it. Also, the user still needs to forget the old key and enter the new key into their wireless settings, which from my experience causes confusion for inexperienced users (especially as the instructions on exactly what they need to do vary depending on what the client device is).