
Telecoms: ePSK - Multiple Pre-Shared Keys

Originally posted on the Cambium Community Networks

Just in case you missed it, cnMaestro Version 2.2.1 (Cloud and On-Premise) brings us a great new feature called ePSK. If you’re not familiar with ePSK, it’s maybe because Cambium are too modest to toot their own trumpet, so I’m going to do it for them.

In short, ePSK gives each user a unique PSK (pre-shared key) when using WPA2-Personal. To explain why this is such a useful feature, let me first explain the problem with using a shared PSK across the whole WLAN.

When a wireless client connects to an AP, it completes a 4-way handshake, which generates the encryption keys used to encrypt wireless traffic. For the 4-way handshake to work, both the client and the AP must know the passphrase; however, the passphrase is never transmitted over the air, which makes this exchange reasonably secure.

But what happens when a 3rd party already knows the passphrase? It means they just need to capture the 4-way handshake to generate the encryption keys and decrypt your wireless traffic.

Have you ever been to a coffee shop, restaurant or hotel where everyone shares the same PSK for a guest network? Because the PSK is publicly shared, your traffic can potentially be captured and decrypted.

ePSK gives each user a unique PSK. This means that no-one else knows your passphrase, making the whole process much more secure.
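The key derivation behind the two paragraphs above (shared PSK versus one PSK per user), as an added example that is not part of the original post. It follows the standard WPA2-Personal derivation with CCMP; the SSID, passphrases, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]

def ptk(master: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """48-byte Pairwise Transient Key for CCMP: KCK (16) | KEK (16) | TK (16)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(master, b"Pairwise key expansion", data, 48)

def temporal_key(passphrase: str, ssid: str, handshake: tuple) -> bytes:
    """TK (the traffic encryption key) from a passphrase plus the handshake's cleartext fields."""
    return ptk(pmk(passphrase, ssid), *handshake)[32:48]

# Constructed sample values: MACs and nonces are sent in the clear during the handshake.
SSID = "CafeGuest"
HANDSHAKE = (
    bytes.fromhex("020000000001"),   # AP MAC (constructed)
    bytes.fromhex("020000000002"),   # client MAC (constructed)
    bytes(range(32)),                # ANonce (constructed)
    bytes(range(32, 64)),            # SNonce (constructed)
)

if __name__ == "__main__":
    shared = temporal_key("coffee-for-all", SSID, HANDSHAKE)
    # Anyone holding the same shared passphrase derives the identical traffic key.
    print("shared PSK, same key:", temporal_key("coffee-for-all", SSID, HANDSHAKE) == shared)
    # With a per-user PSK, a different passphrase yields a different traffic key.
    print("per-user PSK, same key:", temporal_key("guest-7-unique-psk", SSID, HANDSHAKE) == shared)
```

The only secret input is the passphrase; every other value comes from the handshake itself, which is why giving each user a different PSK changes the outcome.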

Below is a screenshot from Wireshark. On the left, ePSK is used, so I couldn’t decrypt the traffic as I did not know the PSK; on the right, I have been able to decrypt the traffic as a shared PSK was used:

If you’re ever deploying guest Wi-Fi and want to secure communications, ePSK is a great way to do it. It can also be applied to other environments: for example, a small business without the skillset to operate a RADIUS server could utilise ePSK quite easily, giving them a more secure option than standard WPA2-PSK.

Using ePSK in cnMaestro is easy to do and mostly self-explanatory. It can be found under WLANS > “WLAN name” > ePSK.

One nice feature is the ability to generate bulk PSKs which can be exported and distributed out to users as needed.

Another useful feature is the ability to assign different PSKs to different VLANs. For example, if you’re issuing a PSK to someone in the Finance Department they might be on VLAN20, but if you’re issuing a PSK to someone in the Sales Department they might be on VLAN30, all from one SSID.

Admittedly, Cambium aren’t the first to introduce multiple PSKs; Ruckus and Aerohive have released similar features, but in my experience their solutions are at a higher cost.

So credit where credit is due, this is a great feature that’s clearly been well thought out. Well done Cambium.
