Searching the PPSK Server Database

  • 2
  • Question
  • Updated 5 years ago
  • Answered
Is it possible to search the PPSK for a MAC address of a device? The issue is that an iPhone will no longer connect to the network. We're convinced it is a device that once had a PPSK but is now trying to use a new PPSK. Since the option for locking the MAC to the PPSK is being used, I assume it is in there hiding somewhere.

The only other thing I've done before is remove the PPSK server and then put it back. That helped in a small test, but this Authentication Group is a district wide group with several users.
Photo of Robert Haviland

Robert Haviland

  • 29 Posts
  • 6 Reply Likes

Posted 5 years ago

  • 2
Photo of Brian Ambler

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hi Robert,

Currently this is not possible, the PPSK MAC binding database is hidden from view and is unable to be edited on a per client basis. The only way to clear the binding for one particular client as of today is to reboot the AP functioning as the PPSK Server storing the MAC bindings. Since the bindings are stored in memory, they are cleared upon rebooting the AP.

This was recently requested as a product enhancement internally from this thread. This enhancement requested that PPSK MAC bindings be stored in flash instead of RAM, as well as the capability to manually remove one or more binding without purging the entire database. If the request gets approved, it could qualify for inclusion in a future release, but that is ultimately a decision for the Product Management team.

Hope this helps
Photo of Robert Haviland

Robert Haviland

  • 29 Posts
  • 6 Reply Likes
Thanks. Our issue is that the iPhone had a working PPSK. It was re-issued to another employee and we're not sure what the old was PPSK. Of course, it will not take a new PPSK. Rebooting the AP didn't help.

Is there anyway to force a device to accept a new PPSK even though the MAC is bound to an old / lost PPSK?
Photo of Brian Ambler

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hi Robert,

I must admit I am at a bit of a loss. If this really is an issue where the PPSK for the new user is still bound to the old device, rebooting the PPSK server AP that stores the MAC bindings should have resolved the issue since the bindings are stored in RAM.

It is possible that there is something else going on here, as a test, is this new client able to successfully authenticate with a newly issued PPSK that has not been used previously?

Thanks in advance
Photo of Robert Haviland

Robert Haviland

  • 29 Posts
  • 6 Reply Likes
No. We created a new PPSK. We did not delete the old PPSK as we're not sure which one that is. That's why we were hoping to be able to search by MAC address to figure out which PPSK is assigned to the device.

In a test environment, I once deleted the PPSK server by giving it a DHCP address. Rebooted. Then recreated the static IP. An it cleared. But that was only on a couple of devices. There are many on this network. If I do that, will it wipe out all the PPSK ?
Photo of Brian Ambler

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hi Robert,

Unfortunately I am a bit stumped by the fact that your PPSK server did not release the binding upon reboot. I hate to recommend such a destructive troubleshooting step, but I would be interested in seeing if removing and recreating the PPSK server again resolves this issue. Since the actual PPSK digests are stored on every AP, it will not remove them, though you will lose all of the current bindings (though that should have happened after the reboot).

However, before you go through with such a change, it may be helpful to troubleshoot this issue further in case it happens again in the future. As this would be difficult to do online, I would recommend opening a support ticket so that this issue can be looked into at a deeper level. If a root cause is found aside from removing and recreating the PPSK server it would be excellent if you could report back with the end result.