Multi-PSK on Hostapd

Wed Aug 4 11:17:35 PDT 2021

Hi,

this is perfectly possibly. Hostapd sends a RADIUS Access-Request when a 
new station tries to connect, and the RADIUS server includes the allowed 
PSKs with this station in the Access-Accept reply message using 
Tunnel-Password attributes.
So it does not matter whether two STAs have the same PSK or not, and 
multiple PSKs per STA are also supported.

Please note that when using WPA3, you need some extra patches: 
https://patchwork.ozlabs.org/project/hostap/cover/20210416111825.3895-1-michael-dev@fami-braun.de/

Regards,
M. Braun

Am 28.07.2021 18:35, schrieb Colton Conor:
> I am seeing there is an option to use radius for WPA, but I am not
> sure if it will allow multiple devices (not limited by MAC address) to
> use the same key via radius? This would be similar to using the
> Special MAC address 00:00:00:00:00:00 can be used to configure PSKs
> that anyone can use while using the hostapd.wpa_psk method. Does
> anyone know if its possible to do this by radius? I don't think the
> actual passphrase is passed.
> 
> 
> # Optionally, WPA passphrase can be received from RADIUS authentication 
> server
> # This requires macaddr_acl to be set to 2 (RADIUS)
> # 0 = disabled (default)
> # 1 = optional; use default passphrase/psk if RADIUS server does not 
> include
> # Tunnel-Password
> # 2 = required; reject authentication if RADIUS server does not include
> # Tunnel-Password
> #wpa_psk_radius=0
> 
> On Tue, Jul 27, 2021 at 11:21 AM Colton Conor <colton.conor at gmail.com> 
> wrote:
>> 
>> Michał,
>> 
>> Thanks, this makes more sense.
>> 
>> I basically meant if you have 100 OpenWRT AP's running at an
>> enterprise, how would you in mass edit the psk file, and reload
>> accordingly across all? Most commercial vendors have a controller that
>> devices would check into to facilitate this task, or use a radius
>> server. Can radius be used with Multi-PSK?
>> 
>> On Tue, Jul 27, 2021 at 10:08 AM Michał Kazior <kazikcz at gmail.com> 
>> wrote:
>> >
>> > Hi Conor,
>> >
>> > keyid= can be used to identify which passphrase a client used. This in
>> > turn can be used to apply selective firewalling rules if so desired.
>> > vlan= filtering/assignment isn't necessarily what you want, or what
>> > you can do, depending on your system and requirements.
>> >
>> > Editing the psk file itself does not do anything. If you want to
>> > reload it you can run `hostapd_cli -i wlanX reload_wpa_psk`. It
>> > re-reads and re-applies psk file data only. If a client was connected
>> > with a passphrase that no longer exists in the psk file, it will be
>> > disconnected. Otherwise the client will be left connected.
>> >
>> > Not sure what you mean by automating it across 100s of APs though.
>> >
>> >
>> > Michal
>> >
>> > On Tue, 27 Jul 2021 at 16:40, Colton Conor <colton.conor at gmail.com> wrote:
>> > >
>> > > I am trying to figure out the proper way to have multiple PSKs on a
>> > > single SSID. Each passphrase will be used by multiple users, and each
>> > > passphrase will be tied to a VLAN.
>> > >
>> > > Reading https://w1.fi/cgit/hostap/tree/hostapd/hostapd.wpa_psk, it
>> > > seems the proper way to do this would be:
>> > >
>> > > vlanid=10 00:00:00:00:00:00 passphrase1
>> > > vlanid=11 00:00:00:00:00:00 passphrase2
>> > >
>> > > My question is:
>> > > What is the keyid= used for typically?
>> > > Is there a way to add/remove keys using radius instead of manually
>> > > editing the hostapd.wpa_psk each time?
>> > > Does editing the hostapd.wpa_psk kick existing users offline if you
>> > > have to reload / save the file?
>> > > How would you automate this across 100's of APs at a property?
>> > >
>> > > _______________________________________________
>> > > Hostap mailing list
>> > > Hostap at lists.infradead.org
>> > > http://lists.infradead.org/mailman/listinfo/hostap
> 
> _______________________________________________
> Hostap mailing list
> Hostap at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/hostap