PPSK and multiple devices

  • Question
  • Updated 1 year ago
We're using HiveManager (6.8r7) and multiple access points (AP130) at several sites, including several SSIDs shared among the locations.

We have 1 SSID for smartphones (company and personal) to provide access to users. To simplify management, we want to give every user one PPSK for this, which can be used for a maximum of 5 devices.

We've now enabled the limitation to 5, but it's unclear to us what management options there are within HiveManager.

- Can you see the devices (MAC address for example) which have been registered to a PPSK?
- Do those entries expire, if yes on which time window?
- Can you manipulate this via the CLI, like resetting the count?

What would be other solutions to provide this kind of access, bound to a user (and with the ability to cancel the access)?
Using RADIUS with AD accounts is not an option, since we don't want to mix that with personal devices. For our internal systems (laptops etc.), we're already using dot1x authentication.

Thanks in advance for your input.

Peter Meijne


Posted 1 year ago


Sam Lynn, Moderator


To answer your questions in order:

You should be able to view the devices that the PPSK is bound to by running the command: _test auth mac-bind show <SSID profile name>

These entries will not expire.

You can remove the currently bound MAC addresses by running the following command: exec auth <SSID> ppsk-mac-unbinding mac-ppsk <mac-address> <password>

Something to keep in mind with the un-binding command: this only seems to work on some firmware versions. I believe you'd need to be on a feature release of HiveOS instead of a Golden release. So this means a firmware version of 6.6 or higher, not 6.5 or lower.

The only other solution I could see for this kind of setup, if you didn't want to use MAC-binding or RADIUS, would be MAC Authentication. So you could create a PPSK user group with the users as MAC addresses for both the user name and password. Once you enable MAC Auth, you could add the MAC addresses of the devices you want on your network, and if someone tried to use a non-authorized device, they wouldn't be able to log in. The users wouldn't need to enter any username or password themselves; the authentication would just check the MAC address against your list of users and only allow existing MAC addresses to access the network.

Hope this helps!
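
As an added illustration (not part of the thread and not HiveOS code), this Python model captures the binding behaviour described in the answer above: a per-user key binds to the first five devices, bindings never expire, and only an administrator's unbind frees a slot. The class, method names and sample MAC addresses are constructed for the example.

```python
import re

def normalize_mac(mac):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff; return 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class PpskBindings:
    """Model only: per-user key, first N devices bind, bindings never expire."""

    def __init__(self, limit=5):
        self.limit = limit
        self.bound = {}  # user -> set of normalized MACs

    def authenticate(self, user, mac):
        """Return 'allowed' (already bound), 'bound' (new slot used) or 'limit'."""
        mac = normalize_mac(mac)
        macs = self.bound.setdefault(user, set())
        if mac in macs:
            return "allowed"
        if len(macs) >= self.limit:
            return "limit"  # stays rejected until an admin unbinds a device
        macs.add(mac)
        return "bound"

    def unbind(self, user, mac):
        """Admin action: free one slot. Returns False if the MAC was not bound."""
        macs = self.bound.get(user, set())
        mac = normalize_mac(mac)
        if mac not in macs:
            return False
        macs.remove(mac)
        return True

    def at_limit(self):
        """Users whose next new device will be rejected."""
        return sorted(u for u, m in self.bound.items() if len(m) >= self.limit)

if __name__ == "__main__":
    table = PpskBindings(limit=5)
    phones = [f"02:00:00:00:00:{i:02x}" for i in range(6)]  # constructed MACs
    print([table.authenticate("alice", m) for m in phones])
    print(table.at_limit())
    table.unbind("alice", phones[0])
    print(table.authenticate("alice", phones[5]))
```

Because nothing ages out in this model, a user who replaces a phone stays at the limit until the old MAC is unbound, which is why a periodic `at_limit()`-style review is useful.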