One WiFi, Multiple Networks! Segment your WiFi Network with Private Pre-Shared-Keys

  • Published: 11 Jul 2024
  • Do you love segmenting your network into as many subnets and VLANs as possible? Do you have too many WiFi networks for all of your special flower IoT devices that can barely speak IP, let alone fend for themselves on the wild internet? You could use WPA-Enterprise (EAP) authentication, but good luck getting your smart toaster to log in. The solution I'm playing with is called Private Pre-Shared Keys, where each client can potentially have its own passphrase and VLAN assignment on the same SSID, and the client just has to support normal passphrase authentication.
    Using this method, along with a RADIUS server to manage clients, we can individually assign settings per-client such as their own PSK, VLAN ID, and more!
    For this video, I'm using a Mikrotik wAP AC with RouterOS 7.8. I'd like to try OpenWRT in the future, but as of the making of this video it's not quite ready.
    Copies of my FreeRADIUS and RouterOS configurations can be found on my blog:
    www.apalrd.net/posts/2023/net...
    Feel free to chat with me more on my Discord server:
    / discord
    If you'd like to support me, feel free to here: ko-fi.com/apalrd
    Timestamps:
    00:00 - Introduction
    01:19 - RouterOS WiFi Setup
    04:15 - FreeRADIUS and RouterOS
    08:28 - RADIUS Acceptance
    12:02 - Per Client Settings
    15:24 - Match by MAC OUI
    17:12 - Privacy MAC Addresses
    19:26 - AP Filtering
    21:35 - Guest Wifi Client Isolation
    22:50 - OpenWRT?
    #wifi #security #networking
  • Science
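
An added example of the FreeRADIUS side of this setup (written for this edit; it is not the configuration from the author's blog post, and the MACs, passphrases and VLAN IDs are made up). It assumes the AP is doing RADIUS MAC authentication and sends the client MAC as User-Name in lower-case, colon-separated form, and that FreeRADIUS has its stock `dictionary.mikrotik` (vendor 14988) loaded so the Mikrotik-Wireless-* reply attributes resolve. The entries go in the `users` file (`mods-config/files/authorize` on FreeRADIUS 3.x):

```text
#
# FreeRADIUS users file excerpt. Entries are tried top to bottom and the
# first match wins unless it sets Fall-Through = Yes, so list specific
# MACs first, vendor (OUI) matches next, and the catch-all DEFAULT last.
#

# One known device: its own PSK and its own VLAN. Nothing is verified
# except the MAC the AP put in User-Name, hence Auth-Type := Accept.
b8:27:eb:12:34:56   Auth-Type := Accept
        Mikrotik-Wireless-Psk = "pi-office-Zq7!vL2m",
        Mikrotik-Wireless-VLANID = 20,
        Mikrotik-Wireless-VLANIDtype = 0,
        Mikrotik-Wireless-Comment = "raspberry pi, office"

# Match by OUI: any MAC starting with this vendor prefix (b8:27:eb is the
# Raspberry Pi Foundation OUI) gets the shared IoT passphrase and the IoT
# VLAN. The regex is evaluated against User-Name.
# Mikrotik-Wireless-Forward = 0 disables client-to-client forwarding on
# the AP (0/1 per dictionary.mikrotik).
DEFAULT  User-Name =~ "^b8:27:eb:", Auth-Type := Accept
        Mikrotik-Wireless-Psk = "iot-shared-H4nd!3-w1th-c4re",
        Mikrotik-Wireless-VLANID = 30,
        Mikrotik-Wireless-VLANIDtype = 0,
        Mikrotik-Wireless-Forward = 0

# Everything else, including phones with randomized ("private") MACs,
# which have the locally-administered bit set (second hex digit 2, 6, a
# or e) and so never match a vendor OUI: default accept with the guest
# passphrase and guest VLAN. A phone keeps the same random MAC for a
# given SSID, so once it has joined with the guest passphrase you can
# read its MAC off the AP and give it a specific entry above.
DEFAULT  Auth-Type := Accept
        Mikrotik-Wireless-Psk = "guest-default-passphrase",
        Mikrotik-Wireless-VLANID = 90,
        Mikrotik-Wireless-VLANIDtype = 0,
        Mikrotik-Wireless-Forward = 0
```

Check an entry with `radtest b8:27:eb:12:34:56 x 127.0.0.1 0 <shared-secret>` and look for the Mikrotik-Wireless-* attributes in the Access-Accept (the password argument is ignored because of Auth-Type := Accept). Two caveats a practitioner should keep in mind. The MAC is only a selector: it is sent in the clear and is trivially spoofed, so an attacker who spoofs a known MAC only makes the AP run the handshake with that device's PSK and still has to know it; the isolation of each VLAN rests on its PSK being unique and strong, not on the MAC match. And RADIUS encrypts only User-Password: Mikrotik-Wireless-Psk goes back to the AP as a plain string attribute in the Access-Accept, so the AP-to-RADIUS path needs its own protection (a management VLAN, IPsec or RadSec).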

Comments • 84

  • @Techintx
    @Techintx 1 year ago +30

    Just when I thought I finally had my network all ironed out, with some compromises to avoid a bunch of IoT SSIDs, you make this video. Now I have to reevaluate my layout and decide if I want to spend my weekend on this.

  • @robertopontone
    @robertopontone 1 year ago +9

    Great video, not easy but super interesting. Let me reiterate how you manage with your channel to cover topics not touched by many other tech channels; also, your network knowledge is quite impressive.

  • @irvinekinny
    @irvinekinny 1 year ago +3

    Thank you so much, good sir. You are truly helping the IT world with your videos and manuals. All I could wish for is that I'd found your channel much, much earlier.

  • @georgH
    @georgH 1 year ago +4

    That's quite a neat solution.
    For years, I've had my main network, with the main SSID across all WiFi access points (the APs are interconnected using CAT5 1Gbps, I hate wireless bridges) and a second SSID for guests and other devices.
    The guest SSIDs use a different VLAN on each router, not routable through the main LAN, and with client isolation. They get internet using SNAT.
    All of this is configured through DD-WRT using really low-end routers released in 2013, but hey, they have been working well enough for many years :)

  • @phsouzabr
    @phsouzabr 1 year ago +2

    Very thorough tutorial, I'll try it soon! Thanks!

  • @ErkinOrdulu
    @ErkinOrdulu 1 year ago +5

    Congratulations, great project! It's inspiring and I'd love to try it myself. However, watching this makes me feel excited and a little overwhelmed at the same time.

  • @TheTekkster
    @TheTekkster 5 months ago

    Fantastic video. You showed all the things I search on the internet. You're great! Thanks.

  • @calebjpryor
    @calebjpryor 5 months ago

    Oh man, this was so refreshingly good. They say if you can explain complicated things simply you know them well. You, my sir, know them well. Thank you, keep it up, and I do hope this works with wave2 radios.

    • @apalrdsadventures
      @apalrdsadventures  5 months ago

      As far as I know it does, but I don't have one to test

  • @mihumono
    @mihumono 1 year ago +1

    I started playing with this in an OpenWRT VM with a USB WiFi card and it works great so far. It wasn't that complicated to set up.

  • @deltax-ray6290
    @deltax-ray6290 1 year ago

    Man, I didn't know you could do this. Thank you so much for sharing!
    Now to work out if unifi / tplink actually supports it. Probably not, maybe time to go AP shopping 😅

    • @mrakaki
      @mrakaki 8 months ago

      Kinda late I know, but UniFi supports this!

  • @nezu_cc
    @nezu_cc 1 year ago +4

    Mikrotik now supports running Docker containers directly on arm and arm64 devices. You could probably install the RADIUS server on the Mikrotik itself and then you would have a self-contained system that works even if your Proxmox box goes down.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +4

      Mikrotik also has their own built-in User Manager which can do the same thing. I did it this way to integrate with other RADIUS-based network stuff I'm working on.

  • @ziozzot
    @ziozzot 1 year ago

    Really cool, now I have to figure out how to do this on my AP.

  • @teneightypl
    @teneightypl 1 year ago

    Very inspiring.

  • @MrDudunorris
    @MrDudunorris 1 year ago +1

    I didn't even know this was possible! Congratulations!

  • @Christos9
    @Christos9 1 year ago +1

    Fantastic

  • @Atabascael
    @Atabascael 1 year ago +1

    3:03 BillWiTheScienceFi 😂

  • @zekicay
    @zekicay 1 year ago +2

    It works in OpenWRT 23.05.0-rc1 using wpa_psk_file. Previous versions have bugs.

  • @hoover1335
    @hoover1335 1 year ago +4

    Not a single legacy IP in sight. It's beautiful! 🤩
    Would you say it's secure to just allow any MAC address and completely rely on password-based authentication?

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +3

      In general password based auth is secure on its own, as long as you aren't giving the password to everyone.
      With a system like this, you can give the default password to all of your friends, then use different passwords for your own devices, IoT devices, ... without creating multiple SSIDs

    • @eDoc2020
      @eDoc2020 1 year ago

      MAC filtering provides almost no security. Every client which connects will send it out in plaintext. The same applies to hiding the SSID.

  • @patrickweggler
    @patrickweggler 1 year ago +1

    Great tutorial! Could you show this with the Omada stuff, too?

    • @apalrdsadventures
      @apalrdsadventures  1 year ago

      The process is nearly the same (although they use the more standard tunnel-* options in the RADIUS reply - see here www.tp-link.com/us/support/faq/3386/ ) however AFAIK it's not fully supported across all of their devices yet, and none of the devices I have do support it.

  • @lucianbuzatu4602
    @lucianbuzatu4602 1 year ago

    Hello,
    great project, thanks.
    How can I get the dictionary for TP-link Omada controller?

  • @xoredG
    @xoredG 5 months ago

    Did you ever look back at OpenWRT and whether that’s supported now? I’d love to have this kind of setup for non WPA3 clients without committing to an old radio

  • @thestreamreader
    @thestreamreader 1 year ago +2

    How are you making sure all this configuration is backed up? My problem is I've got so many things like this running (cloud VPS projects) that I won't remember how to get them back up, because it's normally one-and-done and never touched again.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +2

      On Mikrotik, you can export the entire configuration to a file and save the file. To rebuild, do a factory reset, then load the configuration file. For the rest of it, I can do backups in Proxmox for the whole container / VM.

  • @alexaka1
    @alexaka1 7 months ago

    Wireless Access Point was not my first guess on why it was called WAP.

  • @NetBandit70
    @NetBandit70 1 year ago

    Are devices on the same collision (and broadcast) domain? IoT (internet of trash) devices are getting more and more sneaky about finding ways to phone home.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +1

      The VLAN option will segregate them (assuming your switches support VLAN tagging), so they will be on the same broadcast domain as the VLAN ID.
      The forwarding option will prevent packets from forwarding across the AP, but not across other devices on the wired broadcast domain (including devices on other APs).
      The PSK option has no effect on packet forwarding, just authentication.

  • @pawelgrad
    @pawelgrad 1 year ago

    Hi, I have 2 questions not directly connected to topic of the video. Have you tested outdoor range of wap ac? Does it support wifiwave2? I’m looking for outdoor ap which can cover around 100m and I see 2 options wap ac or tp link eap225 outdoor. Ubiquiti ap mesh is not available for months. All Wi-Fi 6 options are out of my budget.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +1

      I have the older wAP AC (which has a different radio chip than the 'new' version, and only one Ethernet port), so it wouldn't help you a ton. It doesn't support WifiWave2.
      I do have an EAP225-Outdoor and it works well though.

    • @pawelgrad
      @pawelgrad 1 year ago

      @@apalrdsadventures thanks! I’ll buy eap225 outdoor, it has antennas with higher gain included.

  • @pcm1ke
    @pcm1ke 1 year ago +2

    Can you match clients based on the PSK they supply? For example, use one SSID and allow anyone to connect… but based on the PSK supplied throw them into a certain VLAN? password1 = VLAN1, password2 = VLAN2, no password given = walled-off VLAN with client isolation and limited bandwidth?
    This seems like a more elegant approach than worrying about MAC addresses. Is this possible, maybe with multiple default rules and Fall-Through = Yes arguments?
    I guess I should have mentioned I'm coming from a UniFi environment, and I guess this is called PPSK and isn't something that would work with UniFi. Shame.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago

      The WPA2 4-way handshake is designed so both sides need to mutually know the PSK for them to be able to exchange their pairwise keys. So no, there is no knowledge of which PSK was entered, and this is by design in WPA2.
      A few vendors 'hack' this by keeping a (short) list of all of the possible PSKs at the AP and trying to calculate all of the possible key versions from this list (and seeing if it can decrypt the client message using any of them) but this doesn't scale and WPA3 has better cryptography which prevents this.
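
The mutual-knowledge property described in this reply (and again in the reply to @MyronMGains further down) is easy to see with the actual WPA2 key derivation. The following Python is an added example written for this page, not the author's code: a supplicant derives the PMK and PTK from its passphrase and signs message 2 of the 4-way handshake with the KCK; an access point holding a short candidate list (the multi-PSK trick mentioned above) recomputes the MIC under each candidate and learns only which entry, if any, matched. The SSID, MACs, nonces and passphrases are constructed for the demo, and the EAPOL-Key frame is assembled only far enough to carry a correct MIC.

```python
import hashlib
import hmac
import struct

# --- constructed lab values (not from the video) ---------------------------
SSID = b"apalrd-lab"
AP_MAC = bytes.fromhex("020000aa0001")    # authenticator address (AA)
STA_MAC = bytes.fromhex("020000bb0002")   # supplicant address (SPA)
ANONCE = bytes(range(0, 32))              # fixed nonces so the demo is repeatable
SNONCE = bytes(range(32, 64))

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of key descriptor before the MIC


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). It depends only
    on passphrase and SSID, so an AP can compute it once per candidate and cache it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384: both sides feed in the same MACs and nonces, so they reach
    the same PTK only if they started from the same PMK. Neither side sends the PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # 3 x 20 bytes >= 48 bytes for CCMP (KCK | KEK | TK)
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key message 2 with the fields that matter for the MIC (key data left empty)."""
    descriptor = (
        b"\x02"                      # descriptor type: RSN
        + struct.pack(">H", 0x010A)  # key info: version 2 (HMAC-SHA1-128), pairwise, MIC present
        + struct.pack(">H", 0)       # key length (unused in message 2)
        + struct.pack(">Q", 1)       # replay counter
        + snonce                     # 32 bytes
        + b"\x00" * 16               # key IV
        + b"\x00" * 8                # key RSC
        + b"\x00" * 8                # key ID / reserved
        + mic                        # 16 bytes
        + struct.pack(">H", 0)       # key data length
    )
    return b"\x02\x03" + struct.pack(">H", len(descriptor)) + descriptor


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed (HMAC-SHA1, truncated to 16)."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def supplicant_msg2(passphrase: str, anonce: bytes, snonce: bytes) -> bytes:
    """What the client sends: proof that it knows the PSK, without sending the PSK."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)
    kck = ptk[:16]
    return build_msg2(snonce, mic=eapol_mic(kck, build_msg2(snonce)))


_PMK_CACHE: dict = {}


def ap_match_psk(candidates, anonce: bytes, msg2: bytes):
    """The multi-PSK trick: verify the received MIC under each candidate's KCK.
    The AP learns nothing about the client's passphrase beyond which entry, if any, matched."""
    snonce = msg2[17:49]
    received_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for passphrase in candidates:
        pmk = _PMK_CACHE.get(passphrase)
        if pmk is None:
            pmk = _PMK_CACHE[passphrase] = pmk_from_passphrase(passphrase, SSID)
        kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), received_mic):
            return passphrase
    return None


def run_demo():
    """A client holding the IoT passphrase joins; the AP tries its three known PSKs."""
    candidates = ["guest-default-passphrase", "iot-vlan30-passphrase", "trusted-vlan10-passphrase"]
    msg2 = supplicant_msg2("iot-vlan30-passphrase", ANONCE, SNONCE)
    return ap_match_psk(candidates, ANONCE, msg2)


if __name__ == "__main__":
    print(run_demo())
```

The demo only works because a WPA2 message 2 can be checked against any PMK after it has been received; the PBKDF2 step is the expensive part and is cacheable per passphrase, leaving a few HMACs per candidate per handshake, so the real limit on such lists is the vendor's choice rather than the arithmetic. With WPA3 (SAE) the AP's own commit message is derived from the password before anything from the client can be verified, so it has to pick one password up front and the same trial approach is not available.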

  • @flintthuang
    @flintthuang 1 year ago

    Does this method only work with Mikrotik devices? I noticed that the return parameters of radius are Mikrotik related

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +1

      There are other companies that offer this, although in general not on the lower end of WiFi gear.
      TP-Link has started to add the feature to Omada (at least the per-MAC VLANs bit), although as far as I know it hasn't rolled out to the firmware on all of the AP models yet.

  • @himiko_pl
    @himiko_pl 1 year ago +3

    Why not use the built-in RADIUS server? "User Manager is RADIUS server implementation in RouterOS"

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +3

      It would work just fine with the Mikrotik radius server. In my case, I'm trying a few different types of services that need RADIUS authentication (WiFi and 802.1X) and playing with both Mikrotik and OpenWRT, so putting it in one place makes sense to me.

    • @arvid4138
      @arvid4138 1 year ago +1

      @@apalrdsadventures Guess it's the same answer for OPNsense as well?

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +1

      OPNsense can also run a RADIUS server as a plugin and auth to RADIUS for some of its services (such as OpenVPN), although in this case I'd prefer to learn the basics of how it works before deciding which server platform to use. I am still open to finding a better RADIUS server / GUI, but it's not all that hard to write an authorize file at the small scale I'm working with.

  • @jeremiahbullfrog9288
    @jeremiahbullfrog9288 1 year ago

    You lost me before the 2-minute mark ... is RouterOS something I can install in place of DD-WRT, or do I need that particular hardware... what is WinBox ... etc.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +1

      RouterOS is the software platform for Mikrotik's hardware, and Winbox is their management tool. I'd like to do this in OpenWRT (which you can install on other off-the-shelf wifi routers), but it's not quite there yet.

  •  22 days ago

    I have one question about mobile devices (with generated MAC addresses). The solution you used is for every phone (every device with a dynamic MAC address). Is there a way to connect the phones of family members differently, so that only visitors get a different VLAN? I hope I described what I want to do, my English is not so good :-)

    • @apalrdsadventures
      @apalrdsadventures  22 days ago +1

      The mobile devices generate a random MAC, but it does not change over time for the same network. So you can initially log them in with the 'default' password, find the MAC they are using, and then change the password for that MAC specifically.
      Visitors get the default password / vlan.

    •  22 days ago

      @@apalrdsadventures Wow, I did not realize that. Thank you a lot.

    •  21 days ago

      @@apalrdsadventures I have Mikrotik as my main router, so I tried to figure out how to set this up only with User Manager as the RADIUS server. But I did not find out how to do what you did with mobile-generated MAC addresses. So I think that I have to set up a RADIUS server as you did. Thank you a lot for this video.

    • @apalrdsadventures
      @apalrdsadventures  21 days ago

      I'm guessing their UserManager has an implicit default deny if there is no user. Instead, I have default accept with a default password.

  • @Mr.Leeroy
    @Mr.Leeroy 1 year ago

    I just use plain hostapd on Debian, works great with Mikrotik miniPCIe interfaces passed to a VM and no need to touch this horrible RouterOS.
    Even without RADIUS, you could get by with a main network for a guest AP (isolated stations, even bridged to a VPN) and two hidden additional SSIDs for separate VLAN nets: IoT that should not be allowed internet, and your private WLAN net for known devices.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +1

      RouterOS really isn't that bad once you get over the fact that the interface looks old. It's extremely functional.
      hostapd itself should support this if the hardware does, it's just OpenWRT that is currently lacking the ability to configure hostapd for this.

    • @Mr.Leeroy
      @Mr.Leeroy 1 year ago

      @@apalrdsadventures I do not have a problem with the UI itself, but with the fact that it is a proprietary appliance. Moreover, with WinBox being their main effort as a management tool, a Windows app FFS.. And licenses.. ugh, it all smells of corporate BS similar to anything legacy MS related..
      Hardware is good, no problems with that.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +1

      As far as proprietary software goes, it's one of the better ones. No recurring licensing fees, all software fully unlocked when you buy any of their hardware, perpetual updates for a very long time including new enhancements, ...

  • @Ender_Wiggin
    @Ender_Wiggin 1 year ago

    Man, do you know if there is a way to do this with a UniFi AP?

  • @egokhanturk
    @egokhanturk 4 months ago

    I am using an Asus router but it does not support VLANs. I want to use VLANs. What can I do?

    • @apalrdsadventures
      @apalrdsadventures  4 months ago

      Get a new router? Or maybe use OpenWRT on it?

    • @egokhanturk
      @egokhanturk 4 months ago

      @@apalrdsadventures The router I bought is new anyway. When I bought it, I didn't even think that it wouldn't have VLAN support, because it is an expensive router with WiFi 6 support. Maybe I can set up a virtual server in my Proxmox and use it as OpenWRT or pfSense, and use the Asus only as an access point. Do you think this makes sense?

  • @user-zr7kz4vs7c
    @user-zr7kz4vs7c 11 months ago +1

    Will this work on unifi ap?

    • @apalrdsadventures
      @apalrdsadventures  11 months ago +1

      No, Unifi's software doesn't support this.

    • @user-zr7kz4vs7c
      @user-zr7kz4vs7c 11 months ago

      @@apalrdsadventures I see, thanks for your video. I really want to try out WPA3 PPSK, but sadly I use a UniFi AP with OPNsense. But do you know whether WPA3 supports PPSK? I heard some people say it's supported but some say it's not.

    • @apalrdsadventures
      @apalrdsadventures  11 months ago +1

      Some systems (like TP-link Omada) will basically keep a small list of possible PSKs and try all of them during the WPA2 handshake so you don't have to manually associate MACs with PSKs. That method is not possible with WPA3.
      However, as far as I know, you can still do PPSK based on MAC in WPA3.

  • @MyronMGains
    @MyronMGains 1 year ago +1

    Is there any way to do VLAN assignment based on the passwords they use? i.e. you have 1 SSID and 20 passwords, and depending on which password they use, they go to a specific VLAN? (edit - you don't know their MAC address beforehand. In my scenario it would be a 20-room hotel, and each room is on its own VLAN)

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +2

      No. In WiFi authentication, the AP's MAC (the BSSID) is always broadcast and the client initiates the connection with only their MAC address in the clear, so all we have to go on (at least without EAP) is the MACs. The two sides need to go through the 4-way handshake to determine the session key for that specific client, and both sides must mutually prove to each other that they know the PSK.
      If all of your clients are modern phones and tablets you can use WPA2-EAP, where the client provides a username and password instead of a PSK. In that mode, both the username and password are passed to the RADIUS server for it to accept/reject the client. But a lot of lesser clients don't support EAP.
      In your case, a more traditional captive portal method would probably be best.

    • @eDoc2020
      @eDoc2020 1 year ago

      @@apalrdsadventures I'm pretty sure the TP-Link Omada setup can do this so it must be possible. They might be faking it, though. They might test one PSK with the first handshake, and if that fails they'll test another PSK when the client retries.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago

      It's definitely not possible without violating the standards. The two sides exchange random values with each other, and independently compute the pairwise key based on their MAC addresses, exchanged random values, and mutually known PSK. Neither side ever transmits the PSK. If either side has the wrong key, they will fail to communicate and will only know that the key did not match (no information about the key itself is actually exchanged).
      Since some devices will try again a few times maybe TP-Link is relying on that, then at best they can have 2 or 3 keys before clients start to give up entirely.

  • @sheerun
    @sheerun 1 year ago

    It's admirable you managed to do this, but the licensing of Mikrotik is quite strict. I'm not even sure I can use one router and a few access points for home use.

  • @masonlastnamehere8597
    @masonlastnamehere8597 1 year ago

    🇨🇳