Got a customer who wants to deploy an MPSK solution with username and password.
They have 6.10 ClearPass and Aruba Central.
I just wondered whether anyone has done this?
We are at the proof of concept stage and are looking at best options for a test lab.
802.1X is one, but they have asked for guidance on the MPSK question.
I would say it's not possible to do, or maybe I don't understand what and how they would like to implement this.
PSK/MPSK is one type of authentication where you just send the PSK, and in the case of MPSK the key is different depending on device.
802.1X is another type of authentication where you send a certificate or a username and password. They can't be active on the same SSID.
The only thing I can figure out is to combine the MPSK with a captive portal where the user does a normal web login. Quite unusual and maybe not so user friendly.
Jonas is correct, I think the customer may misunderstand how MPSK is implemented, it's essentially the same as a standard PSK, but can be unique per device. At our organization, we leverage MPSK for vendors to connect their devices that don't support 802.1X authentication, by doing so we can limit which devices can use a key, provide unique keys per vendor, and prevent exposure of the actual key outside our organization. In this case, WPA2/WPA3 Personal does not require a username, only a password which is derived from the RADIUS response after the MAC auth takes place. Be aware that for 6GHz/WPA3 - MPSK is not an available option (yet). If your customer is looking to leverage a unique username and password, ClearPass and Central have options for both LDAP/AD accounts or local accounts.
In my opinion, if a device supports 802.1X authentication in WPA2/WPA3 enterprise, I would go that route, but if the device does not, MPSK would probably be valuable assuming it's not a WPA3/6GHz SSID.
Alternatively, in the ClearPass service, you could reference the "Authentication Username" and "Connection Client-Mac-Address" to combine in the policy which would sort of accomplish the same idea without the MPSK being involved.
Thanks for getting back, Jonas and Michael,
I probably should have explained better; it's a bit of a rushed posting, apologies.
The customer wants to have 2 x test set up SSIDs.
I think their best option will be individual credentials per user. With MPSK, you need to define each MAC address with which key it's expecting. What that means is the administrator will need to know every MAC connecting with the key(s), and when students get new devices it's a constant process, a lot of administrative overhead. Whereas an account allows multiple devices to connect regardless of MAC. If you want to remove a single device from the network, with MPSK you remove the MAC from the policy; with AD credentials, they can be on multiple devices, but you can still blacklist or disallow certain MACs in your policy.