Revoking User Access of an Auto Generated PPSK User

  • 3
  • Question
  • Updated 2 years ago
  • Answered
Hi,

I created 300 PPSK users with recurring methot. Each user can access network for 30 days. How can I disable users password or revoke the users access before 30 days?
Any Idea? Thanks
Photo of Nezih Muharrem Oktay

Nezih Muharrem Oktay

  • 4 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 3
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
You didn't specify if you were using ID Manager, so I will assume you are not.

A HiveManager admin can log in and go to:
Configuration > Advanced Configuration > Authentication > Local Users

Select the key you wish to delete, and click Remove. You may want to create a new key to replace the one you are losing while you are at it.

Then you need to push the new credentials to your APs.
Photo of Nezih Muharrem Oktay

Nezih Muharrem Oktay

  • 4 Posts
  • 0 Reply Likes
Hi,

When I try to remove the user it says:
A predefined object cannot be removed.
No items have been removed.

The user's details are below.
User Name User Type PSK (Obscured PSK) User Group Start Time End Time Email Notification Description
guest0001 Private PSK-Auto 76360550 Guest_User_Group 08/16/2013 12:00:00 AM 09/15/2013 12:00:00 AM

Thanks,
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
Gah, I was thinking about manual keys, not auto. Sorry about that.

For auto keys, you can revoke a PPSK from a user manager admin account. Log in as the user manager admin, then browse to:

User Manager > Temporary Keys > Revoke Accounts

Select the key you wish to de-allocate and click Revoke.
HiveManager will reach out to all online APs and revoke the key in question and deauthenticate any client connected using that key. You will see any APs that did not receive the command onscreen.


Here is the log from the AP side, in case you were interested.

2013-08-16 11:13:27 info ah_auth: clear (actual=1/total=1) PPSK's stations from SSID(PPSK)
2013-08-16 11:13:27 info ah_auth: ah_auth_clear_ppsk_sta_by_users: kick sta based on these 1 PPSK(s)
2013-08-16 11:13:27 info ah_auth: ah_auth_clear_ppsk_sta_by_users: Get 1 PPSK to clear its stations
2013-08-16 11:13:27 info ah_auth: Notify driver to deauth xxxx:xxxx:xxxx from wifi1.3
2013-08-16 11:13:27 info ah_auth: Try to disassoc xxxx:xxxx:xxxx from yyyy:yyyy:yyyy (wifi1.3) for ssid PPSK because of the Private-PS K config change
2013-08-16 11:13:27 info ah_cli: admin:
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
As mentioned in a previous post if a User Manager Operator has the authority to grant access to a WLAN he/she should have the authority to revoke access to the WLAN. Surely the authority to grant access to a WLAN is more of a security risk than revoking it.

Unfortunately the User Manager Operator administrator account type only has permissions to authorise auto PPSKs and not revoke them. You also cannot clone the User Manager Operator (and/or User Manager Admin administrator) accounts so you can't add the ability to revoke PPSKs to a User Manager Operator.

This ability has to be a feature request that Aerohive can easily implement.
Photo of Abby S

Abby S, Employee

  • 94 Posts
  • 47 Reply Likes
Crowdie - I like that idea. I'll bring it up in our discussions :-)
Photo of Kellen Christensen

Kellen Christensen

  • 6 Posts
  • 2 Reply Likes
Abby - Anything new here? Or, can this be made a feature request? It doesn't appear there is a way to make a User Manager "Super Operator", where they have revocation privileges, but no rights on permanent accounts or reporting.
Photo of Paul Levasseur

Paul Levasseur

  • 11 Posts
  • 2 Reply Likes


Hello Kellen, maybe this can help. You can create a user manager administrator instead of the user manager operator. The user manager administrator has rights to revoke. I have two pictures included.
Cheers,
Paul
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
The issue with the User Manager Admin account is that it grants access to all automatically generated and manually generated Private PSKs. For a receptionist, for example, this is far more access than we want to grant.
Photo of Kellen Christensen

Kellen Christensen

  • 6 Posts
  • 2 Reply Likes
Crowdie said exactly what I was going to say; it's too much access for a limited user.

Basically, all I need is User Manager Operator *PLUS* rights to revoke.
Photo of thewifigeek

thewifigeek, Champ

  • 86 Posts
  • 12 Reply Likes
Ditto!

On the topic of User Manager Admin, can someone please remove ssid0 as an available option. Ta.
Photo of Lieven

Lieven

  • 1 Post
  • 0 Reply Likes
Anything changed here? As I see it, the problem Crowdie brought up still exists.

By the way: Is there a difference between a removed PPSK by someone with configuration rights (Configuration > Authentication > Local Users > Remove)  and a revoked account by a User Manager Admin (In User mgmt-tool) ?

Thx,
Lieven