Multi-PSK on Hostapd

Colton Conor colton.conor at gmail.com
Tue Aug 10 19:00:08 PDT 2021 

Michael,

>From the sounds of it, we don't have to convert the passphrase to the
psk format. From what you are saying, HostAPD does that automatically?

How does this work if you don't know the MAC address of the client
beforehand, and only want to authenticate them based on the passphrase
they entered? The passphrases would have to be stored on the radius
server already, but they wouldn't already be associated with a MAC
address.

On Tue, Aug 10, 2021 at 3:12 PM michael-dev <michael-dev at fami-braun.de> wrote:
>
> Hi,
>
> Hostapd sends the SSID, NAS-Identifier and STA MAC address among others.
>
> It accepts the passphrase and the psk. The psk is basically a hash of
> passphrase and ssid but does *not* include/use Anonce, Snonce, MIC and
> others. Hostapd takes care of all derived keys automatically just like
> when you configure it locally.
>
> The radius server needs to accept the access request (authenticated by
> shared secret between hostapd and radius server) and to send an access
> accept reply. This can be done using freeradius using the files plugin.
>
> My current config can be found here:
> https://bitbucket.fem.tu-ilmenau.de/projects/CAMPUSWLAN/repos/fem-wlan/browse/configs/controller/etc/raddb.fem
> . It is not a stripped down example, but the wlanchecker configuration
> part is really all that is needed (sites-available/default,
> modules/files, wlanchecker). Tunnel-Password is the passphrase or PSK.
> Cleartext-Password is the station mac address here (mapping given by
> hostapd). More insight also gives the hwsim test for radius
> http://w1.fi/cgit/hostap/tree/tests/hwsim/test_radius.py (line 1170++)
>
> Regards,
> M. Braun
>
> Am 05.08.2021 00:39, schrieb Colton Conor:
> > Michael,
> >
> > Thanks for the information. What information does Hostapd send to the
> > radius server to be able to computate the PSK, and compare it to the
> > keys in the radius database? Does it send the Anonce, Snonce, MIC,
> > EAPOL-Key-Frame, or any other information in the RADIUS Access-Request
> > to compute the key?
> >
> > What would need to be set up on the radius server?
> >
> > On Wed, Aug 4, 2021 at 1:18 PM michael-dev <michael-dev at fami-braun.de>
> > wrote:
> >>
> >> Hi,
> >>
> >> this is perfectly possibly. Hostapd sends a RADIUS Access-Request when
> >> a
> >> new station tries to connect, and the RADIUS server includes the
> >> allowed
> >> PSKs with this station in the Access-Accept reply message using
> >> Tunnel-Password attributes.
> >> So it does not matter whether two STAs have the same PSK or not, and
> >> multiple PSKs per STA are also supported.
> >>
> >> Please note that when using WPA3, you need some extra patches:
> >> https://patchwork.ozlabs.org/project/hostap/cover/20210416111825.3895-1-michael-dev@fami-braun.de/
> >>
> >> Regards,
> >> M. Braun
> >>
> >> Am 28.07.2021 18:35, schrieb Colton Conor:
> >> > I am seeing there is an option to use radius for WPA, but I am not
> >> > sure if it will allow multiple devices (not limited by MAC address) to
> >> > use the same key via radius? This would be similar to using the
> >> > Special MAC address 00:00:00:00:00:00 can be used to configure PSKs
> >> > that anyone can use while using the hostapd.wpa_psk method. Does
> >> > anyone know if its possible to do this by radius? I don't think the
> >> > actual passphrase is passed.
> >> >
> >> >
> >> > # Optionally, WPA passphrase can be received from RADIUS authentication
> >> > server
> >> > # This requires macaddr_acl to be set to 2 (RADIUS)
> >> > # 0 = disabled (default)
> >> > # 1 = optional; use default passphrase/psk if RADIUS server does not
> >> > include
> >> > # Tunnel-Password
> >> > # 2 = required; reject authentication if RADIUS server does not include
> >> > # Tunnel-Password
> >> > #wpa_psk_radius=0
> >> >
> >> > On Tue, Jul 27, 2021 at 11:21 AM Colton Conor <colton.conor at gmail.com>
> >> > wrote:
> >> >>
> >> >> Michał,
> >> >>
> >> >> Thanks, this makes more sense.
> >> >>
> >> >> I basically meant if you have 100 OpenWRT AP's running at an
> >> >> enterprise, how would you in mass edit the psk file, and reload
> >> >> accordingly across all? Most commercial vendors have a controller that
> >> >> devices would check into to facilitate this task, or use a radius
> >> >> server. Can radius be used with Multi-PSK?
> >> >>
> >> >> On Tue, Jul 27, 2021 at 10:08 AM Michał Kazior <kazikcz at gmail.com>
> >> >> wrote:
> >> >> >
> >> >> > Hi Conor,
> >> >> >
> >> >> > keyid= can be used to identify which passphrase a client used. This in
> >> >> > turn can be used to apply selective firewalling rules if so desired.
> >> >> > vlan= filtering/assignment isn't necessarily what you want, or what
> >> >> > you can do, depending on your system and requirements.
> >> >> >
> >> >> > Editing the psk file itself does not do anything. If you want to
> >> >> > reload it you can run `hostapd_cli -i wlanX reload_wpa_psk`. It
> >> >> > re-reads and re-applies psk file data only. If a client was connected
> >> >> > with a passphrase that no longer exists in the psk file, it will be
> >> >> > disconnected. Otherwise the client will be left connected.
> >> >> >
> >> >> > Not sure what you mean by automating it across 100s of APs though.
> >> >> >
> >> >> >
> >> >> > Michal
> >> >> >
> >> >> > On Tue, 27 Jul 2021 at 16:40, Colton Conor <colton.conor at gmail.com> wrote:
> >> >> > >
> >> >> > > I am trying to figure out the proper way to have multiple PSKs on a
> >> >> > > single SSID. Each passphrase will be used by multiple users, and each
> >> >> > > passphrase will be tied to a VLAN.
> >> >> > >
> >> >> > > Reading https://w1.fi/cgit/hostap/tree/hostapd/hostapd.wpa_psk, it
> >> >> > > seems the proper way to do this would be:
> >> >> > >
> >> >> > > vlanid=10 00:00:00:00:00:00 passphrase1
> >> >> > > vlanid=11 00:00:00:00:00:00 passphrase2
> >> >> > >
> >> >> > > My question is:
> >> >> > > What is the keyid= used for typically?
> >> >> > > Is there a way to add/remove keys using radius instead of manually
> >> >> > > editing the hostapd.wpa_psk each time?
> >> >> > > Does editing the hostapd.wpa_psk kick existing users offline if you
> >> >> > > have to reload / save the file?
> >> >> > > How would you automate this across 100's of APs at a property?
> >> >> > >
> >> >> > > _______________________________________________
> >> >> > > Hostap mailing list
> >> >> > > Hostap at lists.infradead.org
> >> >> > > http://lists.infradead.org/mailman/listinfo/hostap
> >> >
> >> > _______________________________________________
> >> > Hostap mailing list
> >> > Hostap at lists.infradead.org
> >> > http://lists.infradead.org/mailman/listinfo/hostap

More information about the Hostap mailing list