Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

SSID Profile, WPA2 PSK, and AP's

  • 1.  SSID Profile, WPA2 PSK, and AP's

    Posted May 06, 2020 11:13 PM

    Good evening. We have an Aruba AOS 6.4 master/local wireless controller architecture. As I understand it, the AP configuration is downloaded to the AP from the controller on boot. If we are using WPA2-PSK in our environment, is the configured pre-shared key within the SSID profile actually downloaded to the AP, and when a client attempts to connect to the network, is the authentication taking place between the client and the AP? If this is the case, is the WPA2 passphrase stored on the AP in the form of a hash and not plain text?

     

    Or, if not what I mentioned above, when the client attempts to connect is the authentication request forwarded to the controller to process?  Thanks in advance.



  • 2.  RE: SSID Profile, WPA2 PSK, and AP's
    Best Answer

    EMPLOYEE
    Posted May 07, 2020 12:12 AM

    Hi,

     

    This document can help you understand the level of security of Aruba's overall Secure Infrastructure between the AP and the controller.

     

    The access points receive encrypted wireless frames from the radio interface and immediately package these encrypted wireless frames into an IP tunnel to the mobility controller. Once at the mobility controller, the IP tunnel packet header is removed and what remains is an encrypted 802.11 Wi-Fi frame. The controller then processes this frame, decrypting it and turning it back into a standard routable IP packet. Access points never have access to encryption keys, and they are unable to process the Wi-Fi traffic locally.

     

    https://www.arubanetworks.com/assets/so/SO_SecureInfrastructure.pdf



  • 3.  RE: SSID Profile, WPA2 PSK, and AP's

    Posted May 07, 2020 12:34 AM

    Thanks for the quick reply and link for the security document. I understand that the user data from the client is encrypted and sent from the AP to the controller via a GRE tunnel, and that the controller decrypts the user data. I may have been a little vague when asking the question or I do not totally understand, which is more likely the case. But, when a user attempts to connect to an SSID that is hidden and not broadcast in a WPA2-PSK environment, the following occurs:

     

    1.  User manually inputs the SSID.

    2.  User manually inputs the pre-shared key.

     

    After step 2 above and the user selects "connect", is that information sent to the controller to verify that the user entered pre-shared key is correct as per what is configured in the SSID profile? If the pre-shared key is correct, the client connects to the SSID.  If not, then the client is not able to connect.

     

     



  • 4.  RE: SSID Profile, WPA2 PSK, and AP's

    EMPLOYEE
    Posted May 07, 2020 12:40 AM

    Yes, you are right. Access points never have access to encryption keys, and they are unable to process the Wi-Fi traffic locally. 
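
Added example, not part of the original thread and not Aruba code: how a WPA2-PSK authenticator (the controller, according to the replies above) checks the key without the passphrase ever being transmitted. The 256-bit PSK is derived from the passphrase and SSID with PBKDF2, and message 2 of the 4-way handshake carries only a nonce and a MIC. Assumptions: the MAC addresses, SSID, passphrases and `frame` bytes are constructed stand-ins for a real EAPOL-Key frame, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: 256-bit PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # 802.11 PRF: expand the PMK with both MAC addresses and both nonces into the
    # PTK; its first 16 bytes are the Key Confirmation Key (KCK) used for the MIC.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk, i = b"", 0
    while len(ptk) < 48:
        block = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        ptk += hmac.new(pmk, block, hashlib.sha1).digest()
        i += 1
    return ptk[:16]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # HMAC-SHA1 truncated to 128 bits (key descriptor version 2, WPA2/CCMP)
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def client_message2(passphrase, ssid, aa, spa, anonce):
    # Supplicant side: everything returned here is what goes over the air.
    snonce = os.urandom(32)
    frame = b"constructed-eapol-key-msg2|" + snonce  # stand-in for the real frame
    kck = derive_kck(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    return snonce, frame, eapol_mic(kck, frame)

def authenticator_accepts(stored_pmk, aa, spa, anonce, snonce, frame, mic) -> bool:
    # Authenticator side: recompute the MIC from its own PMK and compare.
    kck = derive_kck(stored_pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, frame), mic)

def demo(entered: str, configured: str = "correct horse battery", ssid: str = "ExampleSSID") -> bool:
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    anonce = os.urandom(32)                      # sent by the authenticator in message 1
    stored_pmk = derive_pmk(configured, ssid)    # derived once from the SSID profile
    snonce, frame, mic = client_message2(entered, ssid, aa, spa, anonce)
    return authenticator_accepts(stored_pmk, aa, spa, anonce, snonce, frame, mic)

if __name__ == "__main__":
    print("right key accepted:", demo("correct horse battery"))
    print("wrong key accepted:", demo("wrong passphrase"))
```

Because the SSID is the PBKDF2 salt, the same passphrase yields a different PMK on every SSID, and the derived PMK, not the passphrase, is all the verifying side needs to hold.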



  • 5.  RE: SSID Profile, WPA2 PSK, and AP's

    MVP EXPERT
    Posted May 07, 2020 12:46 AM

    The 802.11 association and authentication process for hidden or non-hidden is the same.

     

    Your SSID still sends beacon frames, but with a wildcard SSID in them.

     

    Never use a hidden SSID, because it has no security purpose: your SSID is still visible with capture/monitor software like Wireshark. Hidden SSIDs can also give you roaming issues for your client devices.

     



  • 6.  RE: SSID Profile, WPA2 PSK, and AP's

    Posted May 07, 2020 09:03 AM

    Thanks for the additional information. The SSID is also set to not broadcast. Would I be correct to say that after connecting to an SSID the WPA2 passphrase is stored on the laptop as a hash value? Or, is it stored on the laptop as plain text that can easily be viewed?



  • 7.  RE: SSID Profile, WPA2 PSK, and AP's
    Best Answer

    MVP EXPERT
    Posted May 07, 2020 10:54 AM

    On a Windows device you can find the WPA2 key in cleartext with this CLI command (but also through the GUI).

     

    C:\> netsh wlan show profile HomeLAB-MPSK key=clear | findstr Key

    Key Content : mypassword

     

    If you have concerns about WPA2-Personal security, I would recommend WPA2-Enterprise with certificate-based authentication (EAP-TLS) through a RADIUS server like Aruba ClearPass.

     

    Note. WPA2-Personal is strong as people know the key or the key is not strong enough to guess with brute-force techniques.

     

    Aruba ClearPass also supports MPSK (MultiplePSK), so each device has a unique PSK based on the MAC address of the device.



  • 8.  RE: SSID Profile, WPA2 PSK, and AP's

    Posted May 10, 2020 09:09 PM

    Thanks for all the replies with informative information.  All your posts have been great.  Thanks again.