Procedure Issues a Private PSK for the user

  • Question
  • Updated 2 years ago
We want to let users generate a PPSK key for their BYOD devices by authenticating through their domain credentials on a captive web portal and then receiving a PPSK for their devices. However, we cannot get the concept working. We receive the message that there are no renewals possible. We use HiveManager NG and a Microsoft NPS as RADIUS. The correct procedure would be nice.
Thx!

Hans Matthé


Posted 2 years ago


Jonas Dekkers

Same problem. Can someone provide some documentation?

Gary Smith, Official Rep

Hi Guys,

I believe this can be done by following the Guest SSID workflow:

http://docs.aerohive.com/330000/docs/help/english/ng/Content/gui/configuration/configuring-wireless-...

I found this quite simple to use. Let me know if you still see issues after running through the workflow.

Kind Regards,
Gary Smith

Hans Matthé

Gary
Thx for the support!
This is indeed a part of the solution. The result is indeed a PPSK key, but the first step, the registration form, is not what we intended. Is it not possible to replace this step by giving the domain credentials that are authenticated at a RADIUS server, which then results in a PPSK key if the authentication is successful (so replace the self-registration by an 802.1X authentication form)?

Gary Smith, Official Rep

Hi Hans,

This is not something I am aware of being possible right now (assuming I understand the requirement).

I'd welcome other inputs from the community on this.

Kind Regards,
Gary Smith

Aaron Valente

Hi Everyone,

I am unsure why you want to generate a PPSK in the first place. This is likely not supported because it's a mix of multiple authentication methods. Why not just allow users to connect to CWP and authenticate through 802.11x and have that be the end of it? Instead you want them to authenticate through RADIUS and then take a generated PPSK to authenticate a second time? The only reason I can think of is so that you can extend the lease of the PPSK beyond that of a RADIUS authentication. I don't recall the lease limitations of both so I can't be certain this would be a benefit. Are you just looking for multiple levels of protection getting onto the network? Am I missing something else?

Jonas Dekkers

What he means is not a mix of two authentication methods. You have two SSIDs:
SSID1: CWP where a user must log in with 802.1X credentials. If this is successful, he receives a PPSK for his BYOD. The user receives a PPSK in the right user profile.
SSID2: a secured SSID with PPSK.

Ruckus has this feature (Zero-IT) and I think it is the most used feature of Ruckus.

Disadvantages of CWP: sometimes problems with HTTPS, sometimes the CWP does not load every time for certain clients, users need to log in every x time, open SSID.

Hans Matthé

Indeed, we know the advantages and disadvantages of the authentication methods. Another security risk is the layer 3 connection you make for the CWP procedure. However, to avoid problems with certificates on BYOD we want to use the PPSK feature. The best practice, we believe, is the support of an MDM platform, but this is an extra cost that not all customers want to pay.
I believe HMOL did support the creation of PPSK keys after 802.1X authentication through a CWP.