View Only
last person joined: 2 days ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

MPSK with user auth

This thread has been viewed 13 times
  • 1.  MPSK with user auth

    Posted Nov 16, 2023 04:21 AM

    hello Airheads,

    got a customer who wants to deploy MPSK solution with username and password.

    They have 6.10 Clearpass and Aruba Central.

    i just wondered whether anyone has done this ?

    we are at the proof of concept stage and are looking at best options for a test lab.

    802.1x is one but they have asked for guidance on the MPSK question.



  • 2.  RE: MPSK with user auth

    Posted Nov 16, 2023 05:41 AM

    Hi Pete

    I would say it's not possible to do, or maybe I don't understand what and how they would like to implement this.

    PSK/MPSK is one type of authentication where you just sends the PSK, and in the case of MPSK the key is different depending on device.

    802.1x is another type of authentication where you send a certificate or a username and password. The can't be active on the same SSID.

    The only thing I can figure out is to combine the MPSK with a captive portal where the user does a normal web login. Quite unusual and maybe not so user friendly.

    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution

  • 3.  RE: MPSK with user auth

    Posted Nov 16, 2023 11:16 AM

    Jonas is correct, I think the customer may misunderstand how MPSK is implemented, it's essentially the same as a standard PSK, but can be unique per device. At our organization, we leverage MPSK for vendors to connect their devices that don't support 802.1X authentication, by doing so we can limit which devices can use a key, provide unique keys per vendor, and prevent exposure of the actual key outside our organization.  In this case, WPA2/WPA3 Personal does not require a username, only a password which is derived from the RADIUS response after the MAC auth takes place. Be aware that for 6GHz/WPA3 - MPSK is not an available option (yet). If your customer is looking to leverage a unique username and password, ClearPass and Central have options for both LDAP/AD accounts or local accounts.

    In my opinion, if a device supports 802.1X authentication in WPA2/WPA3 enterprise, I would go that route, but if the device does not, MPSK would probably be valuable assuming it's not a WPA3/6GHz SSID. 

    Alternatively, in the ClearPass service, you could reference the "Authentication Username" and "Connection Client-Mac-Address" to combine in the policy which would sort of accomplish the same idea without the MPSK being involved. 

    Michael Haring
    Sr. Network and Communications Expert
    Lehigh Valley Health Network

  • 4.  RE: MPSK with user auth

    Posted Nov 20, 2023 07:05 AM

    thnaks for getting back Jonas and Michael,

    i probably should have explained better, it a bit of a rushed posting apologies,

    The customer wants to have 2 x test set up SSID's.

    1. 802.1x ssid (PEAP MSCHV2)
    2. MPSK ssid , they want to give new students a set of AD credentials  (username and password) and test a guest welcome page with  username and password backed off to AD and an MPSK solution.
    3. Thet want to test both solutions to see the best fit. I suggested the 802.1x route but they want to test both ideas. i've not done an MPSK solution before.
    4. cheers
    5. Pete

  • 5.  RE: MPSK with user auth

    Posted Nov 20, 2023 08:27 AM

    I think their best option will be individual credentials per user, with MPSK, you need to define each MAC address with which key it's expecting. What that means is the administrator will need to know every MAC connecting with the key(s) and when students get new devices it's a constant process, a lot of administrative overhead. Whereas an account allows multiple devices to connect regardless of MAC. If you want to remove a single device from the network, with MPSK you remove the MAC from the policy, with AD credentials, they can be on multiple devices, but you can still blacklist or disallow certain MACs in your policy. 

    Michael Haring