Private PSK advances

  • Updated 3 years ago
I would like to create a Private PSK for each staff member that is valid for only 6 months, so that it can be removed and a new one created after it expires.

I have uploaded what I have done in HMOL, but I am not sure whether it will work or not. Please let me know your suggestions.

Thanks in advance.
Hoang Tung

Posted 3 years ago

Andrew Garcia, Official Rep

Some comments on your image:
- Don't set the VLAN.  That limits your flexibility if you want to do client classification on the user profile
- You will need to set a username prefix and secret.
- Set a PPSK start time, for when the first rotation will start 
- Assuming you want to reset all the keys every 180 days, set the rotation interval to 180 days.  
- Set the number of PSK rotations higher.  Right now you have only set up a single rotation, so the keys will not change.  Set the number to 10 (this will last you five years) - or higher.
- Set the number of keys per rotation to exceed the number you know you need right now - just so you know there are more if you need them.  10 doesn't seem like many.
- For a key that is only 8 characters long, you should definitely consider adding letters to the supported character types.  You don't have much entropy with only 8 numbers in a 6 month key.  Easier to crack with a rainbow table the way you have it.
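To make the two points above concrete (how start time, rotation interval and number of rotations fit together, and how much entropy an 8-character key has), here is a small added model in Python. It is not HiveManager code; the rotation-window model and the character-class sizes are assumptions chosen to illustrate the reasoning.

```python
import math
from datetime import date, timedelta

# Assumed sizes of the character classes a PPSK generator can draw from.
CHAR_CLASSES = {"numbers": 10, "letters": 52, "special": 32}

def key_entropy_bits(length, classes):
    """Bits of entropy of a uniformly random key of `length` characters
    drawn from the union of the named character classes."""
    alphabet = sum(CHAR_CLASSES[c] for c in classes)
    return length * math.log2(alphabet)

def rotation_schedule(start, interval_days, rotations):
    """Assumed model of PPSK rotation: rotation k is active from
    start + k*interval for interval_days, then the next key set takes over.
    Returns a list of (rotation_index, first_day, first_day_after)."""
    windows = []
    for k in range(rotations):
        begin = start + timedelta(days=k * interval_days)
        end = begin + timedelta(days=interval_days)
        windows.append((k, begin, end))
    return windows

def active_rotation(schedule, on):
    """Index of the rotation whose keys are valid on date `on`,
    or None if the schedule has not started or has run out."""
    for k, begin, end in schedule:
        if begin <= on < end:
            return k
    return None

def total_keys(rotations, keys_per_rotation):
    """Keys that will be generated over the whole schedule."""
    return rotations * keys_per_rotation

if __name__ == "__main__":
    # Constructed settings matching the advice above: 180-day interval, 10 rotations.
    sched = rotation_schedule(date(2015, 5, 14), 180, 10)
    print("schedule ends:", sched[-1][2])
    print("digits only :", round(key_entropy_bits(8, ["numbers"]), 1), "bits")
    print("with letters:", round(key_entropy_bits(8, ["numbers", "letters"]), 1), "bits")
```

Ten rotations of 180 days cover 1800 days, a little under five years, and an 8-character key gains about 21 bits of entropy by adding letters to digits.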
Hoang Tung

Hi Andrew,
Thanks for your comments. 
I have one question: for the option "Private-PSK start time", does the date matter?
Here is an example, please correct me if I am wrong:

- PPSK start time: 14/05/2015 (PPSK starts from this day)
- PPSK life time: 1 day (live only 3 days)
- PPSK rotation interval: (I don't get this option)
- PPSK rotations: 3 (will be renewed 3 times)
- PPSK users to create per rotation: 10 (it will create 10 PPSKs)

So the day after 15/05/2015, will the PPSK be recreated again with a different password?