MPSK with Aruba wifi controllers

Matt Haught
Matt Haught
MPSK with Aruba wifi controllers

MPSK stands for Multi-PreShared Key, and unlike a normal PSK SSID like you have with your home WiFi where you can only have one PSK per SSID, with MPSK you can have many PSKs per SSID. At my work we try to push everyone to use a WAP2-Enterprise/EAP-TLS SSID, but there are many devices, especially IoT, that simply cannot onboard the required certificates. Normally we have those devices use an open MAC-Auth SSID or a custom single-PSK WPA2-Personal SSID. More and more IoT devices are requiring encryption, and rightly so, so the open SSID is not going to work. Sharing a single PSK for possibly hundreds of admins in various departments/units or lots of individual SSIDs just isn't feasible or manageable.

So in comes MPSK with our Aruba controllers and our Radiator radius deployment. With MPSKs in the Aruba environment, when a device connects to the WPA-Personal SSID, the controller will send the normal Access-Request message to the radius server and the radius server will respond with an Access-Accept message with a special Aruba vendor-specific attribute (VSA) containing what the device should use for it's PSK to the controller. As you can imagine, you can then have every device or groups of devices have their own PSK - all using one SSID. With groups of devices, their PSK can easily be changed for whatever reason without affecting others.

In our case, we had an existing homegrown MAC-Auth system, so we leveraged it to use with the MPSK SSID. The MAC-Auth system allows people to self-manage containers of devices all from a web database frontend, and we simply added a MPSK field to the table defining containers and a little work on the admin side.

For the controllers, you just set them up like you would any other MAC-Auth SSID and have it setup for WPA2-Personal.

For radius, you just need to set your radius server to return the correct VSA, Aruba-MPSK-Passphrase with the container PSK on success. We are lucky to use Radiator, as it's config is really simple and straightforward. Here is an example:

<AuthBy GROUP>
    Identifier        My-MPSK-Auth
    <AuthBy SQL>
        DBSource      %{GlobalVar:DBSource}
        DBUsername    %{GlobalVar:DBUsername}
        DBAuth        %{GlobalVar:DBAuth}

        AuthSelect SELECT NULL, u.username, c.mpsk \
                    FROM devices d \
                    LEFT JOIN device_users du \
                        ON du.container_id = d.container_id \
                    LEFT JOIN users u \
                        ON = du.user_id \
                    LEFT JOIN containers c \
                        ON = du.container_id \
                    WHERE d.mac = "%{User-Name}" \
                    LIMIT 1

        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, User-Name, reply
        AuthColumnDef 2, Aruba-MPSK-Passphrase, reply

So in this example, we use the User-Name variable from the controllers Access-Request, which will be the MAC address of the device, and use it in the SQL query from which the resulting row columns will be used for the User-Name and Aruba-MPSK-Passphrase attributes we send in the Access-Accept message.

One thing to remember is that the radius server will return an Access-Accept even if the device is using the incorrect PSK since the controller is actually checking if it matches, and doesn't check until it gets a response from the radius server. You will have to look at the controller logs for a log similar to MIC failed in WPA2 Key Message 2 from Station {client_mac} {ap_mac} {ap-name} to see a bad-PSK issue.