I think their best option will be individual credentials per user. With MPSK, you need to define each MAC address with the key it's expecting. What that means is the administrator will need to know every MAC connecting with the key(s), and when students get new devices it's a constant process, a lot of administrative overhead. Whereas an account allows multiple devices to connect regardless of MAC. If you want to remove a single device from the network, with MPSK you remove the MAC from the policy; with AD credentials, they can be on multiple devices, but you can still blacklist or disallow certain MACs in your policy.
Original Message:
Sent: Nov 20, 2023 07:04 AM
From: peter elms
Subject: MPSK with user auth
Thanks for getting back, Jonas and Michael.
I probably should have explained better; it was a bit of a rushed posting, apologies.
The customer wants to have 2 x test setup SSIDs:
- 802.1X SSID (PEAP MSCHAPv2)
- MPSK SSID: they want to give new students a set of AD credentials (username and password) and test a guest welcome page with username and password backed off to AD, and an MPSK solution.
- They want to test both solutions to see the best fit. I suggested the 802.1X route but they want to test both ideas. I've not done an MPSK solution before.
Cheers
Pete
Original Message:
Sent: Nov 16, 2023 11:16 AM
From: mharing
Subject: MPSK with user auth
Jonas is correct. I think the customer may misunderstand how MPSK is implemented: it's essentially the same as a standard PSK, but can be unique per device. At our organization, we leverage MPSK for vendors to connect their devices that don't support 802.1X authentication; by doing so we can limit which devices can use a key, provide unique keys per vendor, and prevent exposure of the actual key outside our organization. In this case, WPA2/WPA3 Personal does not require a username, only a password, which is derived from the RADIUS response after the MAC auth takes place. Be aware that for 6GHz/WPA3, MPSK is not an available option (yet). If your customer is looking to leverage a unique username and password, ClearPass and Central have options for both LDAP/AD accounts or local accounts.
In my opinion, if a device supports 802.1X authentication in WPA2/WPA3 enterprise, I would go that route, but if the device does not, MPSK would probably be valuable assuming it's not a WPA3/6GHz SSID.
Alternatively, in the ClearPass service, you could reference the "Authentication Username" and "Connection Client-Mac-Address" to combine in the policy which would sort of accomplish the same idea without the MPSK being involved.
------------------------------
Michael Haring
Sr. Network and Communications Expert
Lehigh Valley Health Network
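The two authorization models discussed above (Michael's description of MPSK as a per-device passphrase returned after MAC auth, and the later point about the administrative overhead of enrolling every MAC versus an account that any device can use) are easy to confuse in words, so here is an added example that models both side by side. This is not code from the thread, ClearPass or Central; the MACs, vendor keys, usernames, passwords and the deny list are all constructed sample data, and the tables stand in for what ClearPass would hold as device records and enforcement profiles. The PMK derivation at the end is the standard WPA2-Personal one (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), included to show that distinct MPSK keys yield distinct PMKs, which is why a leaked vendor key does not expose the other vendors' keys.

```python
"""Model of MPSK (per-MAC passphrase) versus account-based authorization.

Added illustration, not code from the Airheads thread or from ClearPass.
All MACs, keys, accounts and passwords are constructed sample data.
"""
import hashlib
import hmac
from typing import Optional

# Constructed MPSK policy: MAC -> (vendor, passphrase). Every device that
# should get a key must appear here, which is the enrollment overhead.
MPSK_DEVICES = {
    "aa:bb:cc:00:00:01": ("acme-hvac", "hvac-key-Q4-2023"),
    "aa:bb:cc:00:00:02": ("acme-hvac", "hvac-key-Q4-2023"),
    "dd:ee:ff:00:00:10": ("lab-printers", "printer-key-7781"),
}

# Constructed account store and MAC deny list for the credential-based SSID.
ACCOUNTS = {"student01": "Winter!2023", "student02": "Sp4rrow#9"}
DENIED_MACS = {"11:22:33:44:55:66"}  # e.g. a reported-lost device


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so 'AA-BB-CC-00-00-01' matches the table."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mpsk_lookup(mac: str) -> Optional[str]:
    """MAC-auth step of MPSK: return the passphrase this device may use, or None.

    An unknown MAC gets no key at all, so a student's new laptop cannot join
    until an administrator enrolls it.
    """
    entry = MPSK_DEVICES.get(normalize_mac(mac))
    return entry[1] if entry else None


def enroll_mpsk_device(mac: str, vendor: str, passphrase: str) -> None:
    """The per-device administrative step: add one MAC -> key record."""
    MPSK_DEVICES[normalize_mac(mac)] = (vendor, passphrase)


def revoke_mpsk_device(mac: str) -> bool:
    """Removing one device under MPSK means dropping its MAC from the policy."""
    return MPSK_DEVICES.pop(normalize_mac(mac), None) is not None


def authorize_account(username: str, password: str, mac: str) -> bool:
    """Credential-based SSID: any device may use the account unless its MAC is denied.

    The password check is a toy stand-in for the AD/MSCHAPv2 exchange.
    """
    if normalize_mac(mac) in DENIED_MACS:
        return False
    stored = ACCOUNTS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def derive_pmk(passphrase: str, ssid: str) -> str:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    This is what a client computes from whichever passphrase it was given,
    so two devices holding different MPSK keys never share a PMK.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


if __name__ == "__main__":
    ssid = "LAB-MPSK"
    print("known device key:", mpsk_lookup("AA-BB-CC-00-00-01"))
    print("unknown device key:", mpsk_lookup("aa:bb:cc:00:00:99"))
    print("account, any MAC:", authorize_account("student01", "Winter!2023", "00:11:22:33:44:55"))
    print("account, denied MAC:", authorize_account("student01", "Winter!2023", "11:22:33:44:55:66"))
    print("HVAC PMK:", derive_pmk("hvac-key-Q4-2023", ssid))
    print("printer PMK:", derive_pmk("printer-key-7781", ssid))
```

Run it as-is to see the four decisions and the two distinct PMKs. The `derive_pmk` function reproduces the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), which is a quick way to confirm the derivation matches what real clients do.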
Original Message:
Sent: Nov 16, 2023 04:20 AM
From: peter.elms
Subject: MPSK with user auth
Hello Airheads,
I've got a customer who wants to deploy an MPSK solution with username and password.
They have ClearPass 6.10 and Aruba Central.
I just wondered whether anyone has done this?
We are at the proof of concept stage and are looking at the best options for a test lab.
802.1X is one, but they have asked for guidance on the MPSK question.
Cheers
Pete