PPSK Mac Binding only works with SSID attached to PPSK-Server-AP and no other APs.

  • Updated 6 months ago
Greetings,
I'm trying to establish a test PPSK SSID with the intent of using it to replace an aging 802.1X implementation. I can successfully create the SSID and PPSK-users etc, however I'm having a problem with getting the "Automatically bind a private PSK to a MAC address" function to work correctly.

If I bind the test PPSK-SSID to just the access point which is acting as the PPSK-Server and remove it from other three APs in the environment, the whole thing works fine: only the first connected client can attach to the SSID and subsequent clients can't authenticate.  However if any/all of the other APs advertise the SSID then clients can connect to the non-PPSK-Server APs.

The Aerohive PPSK Guide ( http://docs.aerohive.com/330000/docs/guides/Aerohive_PPSK-Guide.pdf ) suggests that PPSK session information is shared between neighbour APs, so it seems logical that MAC address limits should be too.

Am I missing something here, or is this a functionality limitation?

APs: 4 x AP230 running 8.1r2, HMOL.

Thanks
Cully
Cully Paterson


Posted 6 months ago


Brian Powers, Champ

Can you show some of how you have things configured (images of the HM instance and the configuration of the User Profiles and User Groups for the PPSKs)? The PPSK w/MAC-binding does indeed work as I've used it in a few situations, although there are some caveats that clear out the PPSK/MAC bindings.

Cully Paterson

Sure thing.  The Test SSID is broadcast by four APs, with 'AP2' acting as the PPSK server:



SSID details:



The User Profile is very basic, with essentially nothing non-default in the Optional Settings at all.  This profile is also being used by the existing 802.1x SSID on the same APs:



...and the User Group:



Users are manually created and assigned to the group shown above:



The MAC addresses successfully show up on the PPSK-Server AP:

XXX-AK-AP2#show auth mac-binding
    <string>           Show MAC address binding for the SSID, enter an SSID
                       profile name (1-32 chars)
XXX-AK-AP2#show auth mac-binding XXX-AKL-Test
mac-binding information for SSID: XXX-AKL-Test
No.    MAC Address     User Name                        User Index
------ --------------- -------------------------------- ----------
1      0022:fae1:c0b4  cpaterson-lap01                  0
2      3402:86d4:34d3  richard                          1

...but as indicated, this doesn't seem to stop clients connecting to AP1/AP3/AP4.

I think that about covers everything that's been configured.

Thanks
Cully

Brian Powers, Champ

You look to have everything set mostly as I've done in the past. The only two exceptions would be assigning a VLAN to the User Group (where yours shows blank on the VLAN ID). You may also have to set a binding limit under the SSID where it states "Set the maximum number of clients per private PSK...". This may be what's holding it up even though logically when you do the "Automatically bind a private PSK to a MAC address" option that would assume one MAC per PPSK, in reality the back end logic may not assume that without the other box checked and set to one.

I can see a far-fetched scenario where you might want one PPSK per "user" but said user has say 3 devices, and you could bind 3 MACs to one PPSK.

If this is the case, I can see where some better wordage might explain things better.  I've not done extensive testing with the 8.x code, so the issue could also be sourcing from that HiveOS.

Good luck with things!

Cully Paterson

Oddly enough setting the 'max number of clients' to 1 has worked.  This is despite advice elsewhere that those two settings are mutually exclusive.

So thanks for that suggestion, it's led to a good result.

Cully
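
Added example (not part of the thread and not Aerohive tooling): a check for the symptom discussed above. It parses the "show auth mac-binding" table as posted and compares it with a list of active client sessions, flagging any PPSK user connected from a MAC other than the bound one, plus any user holding more bindings than the per-PSK client limit. The session list, its tuple format and the function names are assumptions made for illustration.

```python
import re

# Output of "show auth mac-binding <ssid>" as posted in the thread.
BINDING_OUTPUT = """\
mac-binding information for SSID: XXX-AKL-Test
No.    MAC Address     User Name                        User Index
------ --------------- -------------------------------- ----------
1      0022:fae1:c0b4  cpaterson-lap01                  0
2      3402:86d4:34d3  richard                          1
"""

# Constructed sample (not from the thread): sessions seen per AP as
# (ap, client_mac, ppsk_user). The input format is an assumption.
SESSIONS = [
    ("AP2", "00:22:FA:E1:C0:B4", "cpaterson-lap01"),
    ("AP3", "34-02-86-d4-34-d3", "richard"),
    ("AP1", "02:00:00:11:22:33", "richard"),      # second device, same PPSK
    ("AP4", "02:00:00:44:55:66", "guest-kiosk"),  # user with no binding yet
]

ROW = re.compile(r"^\s*\d+\s+([0-9a-fA-F]{4}(?::[0-9a-fA-F]{4}){2})\s+(\S+)\s+\d+\s*$")

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_bindings(text):
    """Return {ppsk_user: set of bound MACs} from the CLI table."""
    bindings = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator rows do not match
            bindings.setdefault(m.group(2), set()).add(norm_mac(m.group(1)))
    return bindings

def find_violations(bindings, sessions, max_clients=1):
    """Flag sessions on an unbound MAC and users over the binding limit."""
    findings = []
    for ap, mac, user in sessions:
        bound = bindings.get(user)
        if bound is not None and norm_mac(mac) not in bound:
            findings.append(("unbound-mac", user, ap, norm_mac(mac)))
    for user, macs in bindings.items():
        if len(macs) > max_clients:
            findings.append(("over-limit", user, None, len(macs)))
    return findings
```

Calling find_violations(parse_bindings(BINDING_OUTPUT), SESSIONS) reports the constructed second "richard" device on AP1; users with no binding yet are skipped because their first connection is what creates the binding.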