Aruba Central Online Help

Support for Multiple PSK in WLAN SSID

Aruba Central (on-premises) allows you to configure multiple PSKs (MPSK; a PSK is a pre-shared key, a shared secret distributed to users beforehand over a secure channel) in WLAN (wireless LAN) network profiles that include APs running Aruba InstantOS 8.4.0.0 or later. MPSK enhances the WPA2 (Wi-Fi Protected Access 2) PSK mode by allowing device-specific or group-specific passphrases, which are generated by ClearPass Policy Manager and sent to the Instant Access Point (IAP).

WPA2 PSK-based deployments generally consist of a single passphrase configured as part of the WLAN SSID (Service Set Identifier) profile. This single passphrase applies to all clients that associate with the SSID. Starting from Aruba InstantOS 8.4.0.0, multiple PSKs in conjunction with ClearPass Policy Manager are supported for WPA and WPA2 PSK-based deployments. Every client connected to the WLAN SSID can have its own unique PSK.

An MPSK passphrase requires MAC (Media Access Control) address authentication against a ClearPass Policy Manager server. The MPSK passphrase works only with wpa2-psk-aes encryption and not with any other PSK-based encryption. The Aruba-MPSK-Passphrase RADIUS VSA (Vendor-Specific Attribute) is added, and the ClearPass Policy Manager server populates this VSA with the encrypted passphrase for the device.

The workflow is as follows:

  1. A user registers the device on a ClearPass Policy Manager guest-registration or device-registration webpage and receives a device-specific or group-specific passphrase.
  2. The device associates with the SSID using wpa2-psk-aes encryption and uses the MPSK passphrase.
  3. The IAP performs MAC authentication of the client against the ClearPass Policy Manager server. On successful MAC authentication, the ClearPass Policy Manager returns Access-Accept with the VSA containing the encrypted passphrase.
  4. The IAP generates a PSK from the passphrase and performs the 4-way key exchange.
  5. If the device uses the correct per-device or per-group passphrase, authentication succeeds. If the ClearPass Policy Manager server returns Access-Reject or the client uses an incorrect passphrase, authentication fails.
  6. The IAP stores the MPSK passphrase in its local cache for client roaming. The cache is shared between all the IAPs within a single cluster. The cache can also be shared with standalone IAPs in a different cluster, provided the APs belong to the same multicast VLAN (Virtual LAN). Each IAP first searches the local cache for the MPSK information. If the local cache has the corresponding MPSK passphrase, the IAP skips the MAC authentication procedure and provides access to the client.
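
The workflow above, simulated end to end as an added example (not Aruba's or ClearPass's code): a constructed device-registration table stands in for ClearPass, the PMK is derived from the returned passphrase with the standard WPA2-PSK PBKDF2 derivation, possession of that PMK is checked with a simplified nonce-MAC exchange in place of the real 4-way handshake, and a successful client is cached so that its next association skips MAC authentication. The VSA's on-the-wire encryption and the real PTK derivation are out of scope and are replaced by the labelled stand-ins.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-in for the ClearPass device-registration database
# (hypothetical sample data): MAC address -> per-device or per-group passphrase.
REGISTERED_DEVICES = {
    "aa:bb:cc:dd:ee:01": "printer-floor2-secret",   # device-specific passphrase
    "aa:bb:cc:dd:ee:02": "iot-sensors-group-key",   # group-specific passphrase
}

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA2-PSK derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def radius_mac_auth(mac: str):
    """Simulated MAC-authentication round trip to ClearPass (step 3): a registered MAC gets
    Access-Accept plus the Aruba-MPSK-Passphrase VSA. The VSA encryption is not modelled,
    so the passphrase is returned in the clear here."""
    if mac in REGISTERED_DEVICES:
        return "Access-Accept", REGISTERED_DEVICES[mac]
    return "Access-Reject", None

def handshake_mic(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Simplified proof of passphrase possession for step 4: a MAC over both nonces keyed
    with the PMK. Real 802.11 derives a PTK first; this stand-in keeps the same property."""
    return hmac.new(pmk, anonce + snonce, hashlib.sha256).digest()

@dataclass
class IAP:
    ssid: str
    mpsk_cache: dict = field(default_factory=dict)  # MAC -> passphrase, shared within the cluster (step 6)

    def authenticate(self, mac: str, anonce: bytes, snonce: bytes, client_mic: bytes):
        """Returns (success, path): which of cache, RADIUS, reject or bad MIC decided the outcome."""
        if mac in self.mpsk_cache:                     # cache hit: MAC authentication is skipped
            passphrase, path = self.mpsk_cache[mac], "cache"
        else:
            code, passphrase = radius_mac_auth(mac)
            if code != "Access-Accept":                # step 5: Access-Reject
                return False, "access-reject"
            path = "radius"
        expected = handshake_mic(derive_pmk(passphrase, self.ssid), anonce, snonce)
        if not hmac.compare_digest(expected, client_mic):  # step 5: wrong passphrase
            return False, "bad-mic"
        self.mpsk_cache[mac] = passphrase              # step 6: cache for roaming
        return True, path

def client_join(iap: IAP, mac: str, passphrase: str):
    """Client side of steps 2-4: derive the PMK from its own passphrase and answer the nonces."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    mic = handshake_mic(derive_pmk(passphrase, iap.ssid), anonce, snonce)
    return iap.authenticate(mac, anonce, snonce, mic)
```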

When multiple PSK is enabled on the wireless SSID profile, make sure that MAC authentication is not configured for RADIUS (Remote Authentication Dial-In User Service) authentication. Multiple PSK and MAC authentication are mutually exclusive; MPSK follows its own procedure, which does not require enabling MAC authentication in the WLAN SSID manually. Also, ensure that the RADIUS server configured for the wireless SSID profile is not an internal server.

Points to Remember

The following configurations are mutually exclusive with MPSK for the WLAN SSID profile and do not need to be configured manually:

  • MPSK and MAC authentication
  • MPSK and Denylisting
  • MPSK and internal RADIUS server

Configuring Multiple PSK for Wireless Networks

To configure multiple PSK for wireless networks, complete the following steps:

  1. In the Network Operations app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click WLANs tab.

    The WLANs detail page is displayed.

  5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
  6. Click the Security tab.
  7. Select Personal from the Security Level. The authentication options applicable to the Enterprise network are displayed.
  8. From the Key Management drop-down list, select the MPSK-AES option.
  9. From the Primary Server drop-down list, select a server. The RADIUS server selected from the list is the ClearPass Policy Manager (CPPM) server.
  10. Click Save Settings.

Enabling MPSK Local for Wireless Networks

To configure MPSK Local for wireless networks, complete the following steps:

  1. In the Network Operations app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click WLANs tab.

    The WLANs detail page is displayed.

  5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
  6. Click the Security tab.
  7. Select Personal from the Security Level.

    The authentication options applicable to the personal network are displayed.

  8. From the Key Management drop-down list, select the Mpsk Local option.
  9. From the Mpsk Local drop-down list, select an MPSK Local profile.

    The MPSK Local feature is supported on Aruba InstantOS 8.7.0.0 or later versions. You cannot select an MPSK Local profile from the Mpsk Local drop-down list if the AP version is earlier than 8.7.0.0.

  10. Click Save Settings.