Multi-PSK on Hostapd
Colton Conor
colton.conor at gmail.com
Wed Aug 11 13:25:39 PDT 2021
Steve,
Understood on the full RADIUS 802.1X auth side, but this is for an MDU
setting where clients are BYOD, and most of those devices don't
support 802.1X. So we don't know the client's MAC beforehand, and want
to give each unit a single passphrase to use for all of their devices
within that unit.
Is it easy to make custom Access-Request variables in Hostapd? This
seems to be how commercial vendors are doing this. Ruckus for
example: https://docs.commscope.com/bundle/unleashed-200.10-onlinehelp/page/GUID-E0AD67EA-91EB-473D-9F14-1C7A3ADC1F1B.html
and https://docs.commscope.com/bundle/unleashed-200.10-onlinehelp/page/GUID-2392DF4B-DBE7-4DD5-868E-6222118BE6D4.html
On Wed, Aug 11, 2021 at 11:44 AM Steve deRosier <derosier at gmail.com> wrote:
>
> Hi Colton,
>
>
> On Tue, Aug 10, 2021 at 7:02 PM Colton Conor <colton.conor at gmail.com> wrote:
>>
>> Michael,
>>
>> From the sounds of it, we don't have to convert the passphrase to the
>> psk format. From what you are saying, HostAPD does that automatically?
>>
>
> Yes, if the RADIUS server sends the plain-text passphrase, hostapd does the right thing automatically.
>
>>
>> How does this work if you don't know the MAC address of the client
>> beforehand, and only want to authenticate them based on the passphrase
>> they entered? The passphrases would have to be stored on the radius
>> server already, but they wouldn't already be associated with a MAC
>> address.
>
>
> The short answer is you can't. Not without non-trivial changes to the code on both ends, and even then it's tricky and has various problems.
>
> What most people do at the point you're talking about is implement a full RADIUS 802.1X auth system. Usually requires certificates and other things managed by IT. But if you're giving personal PSKs to people and managing that in RADIUS anyway, you're already managing tokens for people. There's extensive documentation, online articles, and books written on the subject, so you should start there.
>
> - Steve
>
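Added example, not part of the thread and not code from the hostap project. It shows two things the thread touches on: the passphrase-to-PSK mapping hostapd applies automatically (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output, the same thing wpa_passphrase computes), and hostapd's local wpa_psk_file format, whose example file documents 00:00:00:00:00:00 as a wildcard MAC (any station may use that PSK) and an optional keyid= prefix. That file-based path is separate from the RADIUS-delivered PSK discussed above; it is mentioned here because it is one way to hand out one passphrase per unit without knowing device MACs in advance. The SSID, unit names and passphrases are constructed for the example; the IEEE test vector used in the check ("password" on SSID "IEEE") comes from the 802.11 standard.

```python
import hashlib
import re

# Constructed sample data for this example (not from the thread):
# one passphrase per apartment unit, all on the same SSID.
SSID = "mdu-residents"
UNIT_PASSPHRASES = {
    "unit-101": "Maple-Lane-4471",
    "unit-102": "harbor view 8820",
    "unit-103": "Pine8Ridge!Tower",
}

# hostapd treats this MAC in wpa_psk_file as "any station".
WILDCARD_MAC = "00:00:00:00:00:00"
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
PSK_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA PSK from an ASCII passphrase.

    IEEE 802.11 Annex J: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096
    iterations, 32-byte output. This is the same mapping hostapd applies
    to wpa_passphrase= (and to plain passphrases in wpa_psk_file).
    """
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not (1 <= len(ssid_bytes) <= 32):
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, dklen=32)


def wpa_psk_file_lines(ssid: str, units: dict, mac: str = WILDCARD_MAC) -> list:
    """Render one wpa_psk_file entry per unit: 'keyid=<unit> <MAC> <64 hex>'.

    With the wildcard MAC, any station may try any of these PSKs; the
    keyid= prefix is how hostapd identifies which one matched.
    """
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac}")
    lines = []
    for keyid, passphrase in sorted(units.items()):
        if not re.fullmatch(r"[A-Za-z0-9._-]+", keyid):
            raise ValueError(f"keyid must be a single token: {keyid!r}")
        psk_hex = passphrase_to_psk(passphrase, ssid).hex()
        lines.append(f"keyid={keyid} {mac} {psk_hex}")
    return lines


def parse_wpa_psk_file(text: str, ssid: str) -> list:
    """Parse wpa_psk_file text into (keyid, mac, psk_hex) tuples.

    Mirrors hostapd's reader: optional keyid=/vlanid=/wps= prefixes, then a
    MAC, then either 64 hex digits or an 8..63-char passphrase (which may
    contain spaces and is converted with the SSID).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyid = None
        while line.startswith(("keyid=", "vlanid=", "wps=")):
            prefix, _, line = line.partition(" ")
            key, _, value = prefix.partition("=")
            if key == "keyid":
                keyid = value
            line = line.lstrip()
        mac, _, secret = line.partition(" ")
        mac, secret = mac.lower(), secret.strip()
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC address {mac!r}")
        if PSK_HEX_RE.match(secret):
            psk_hex = secret.lower()
        else:
            psk_hex = passphrase_to_psk(secret, ssid).hex()
        entries.append((keyid, mac, psk_hex))
    return entries


if __name__ == "__main__":
    for line in wpa_psk_file_lines(SSID, UNIT_PASSPHRASES):
        print(line)
```

Two practical notes. First, with wildcard entries hostapd has no MAC to select a key by, so it tries the candidate PSKs against the station's 4-way handshake message 2 until one verifies; keep the list to the number of units, not the number of devices. Second, writing the derived PSK rather than the passphrase means the file holds an SSID-bound key instead of a human passphrase that residents may reuse elsewhere; the keyid= value is what lets you tell which unit a station joined with (recent hostapd versions include it in the AP-STA-CONNECTED event).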