Telecoms: ePSK - Multiple Pre-Shared Keys

Originally posted on the Cambium Community Networks

Just in case you missed it, cnMaestro Version 2.2.1 (Cloud and On-Premise) brings us a great new feature called ePSK. If you're not familiar with ePSK, it's maybe because Cambium are too modest to toot their own trumpet, so I'm going to do it for them.

In short, ePSK gives each user a unique PSK (pre-shared key) when using WPA2-Personal. To explain why this is such a useful feature, let me first explain the problem with using a shared PSK across the whole WLAN.

When a wireless client connects to an AP it completes a 4-way handshake, which generates the encryption keys used to encrypt wireless traffic. For the 4-way handshake to work, both the client and the AP must know the passphrase. The passphrase itself is never transmitted over the air, which makes this exchange reasonably secure.

But what happens when a 3rd party already knows the passphrase? It means they just need to capture the 4-way handshake to generate the encryption keys and decrypt your wireless traffic.

Have you ever been to a coffee shop, restaurant or hotel where everyone shares the same PSK for a guest network? Because the PSK is publicly shared, your traffic can potentially be captured and decrypted.

ePSK gives each user a unique PSK. This means that no-one else knows your passphrase, making the whole process much more secure.

Below is a screenshot from Wireshark: on the left, ePSK is used, so I couldn't decrypt the traffic as I did not know the PSK; on the right, I have been able to decrypt the traffic as a shared PSK was used:
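The key derivation behind the 4-way handshake, as an added example that is not part of the original post or Cambium's code. It uses the standard WPA2 derivation (PBKDF2 for the PMK, the 802.11 PRF for the PTK); the SSID, MAC addresses, nonces, passphrases and function names are constructed for illustration, and per-user ePSK keys are modelled simply as distinct passphrases.

```python
import hashlib
import hmac

# Constructed sample values (not from a real capture). An observer in radio
# range sees the SSID, both MAC addresses and both nonces in the clear.
SSID = "ExampleGuest"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))          # nonce sent by the AP in message 1
SNONCE = bytes(range(32, 64))      # nonce sent by the client in message 2


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_handshake(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """IEEE 802.11 PRF-384 (CCMP): PTK = KCK | KEK | TK, 16 bytes each."""
    label = b"Pairwise key expansion"
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    stream = b"".join(
        hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3))          # 3 x 20 bytes, truncated to 48
    return stream[:48]


def observer_derives_client_ptk(client_passphrase: str, observer_passphrase: str) -> bool:
    """True if an observer holding observer_passphrase ends up with the
    client's session keys after seeing the client's handshake."""
    client = ptk_from_handshake(pmk_from_passphrase(client_passphrase, SSID),
                                AP_MAC, STA_MAC, ANONCE, SNONCE)
    observer = ptk_from_handshake(pmk_from_passphrase(observer_passphrase, SSID),
                                  AP_MAC, STA_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(client, observer)


if __name__ == "__main__":
    # One passphrase for the whole WLAN: every guest can derive every PTK.
    print("shared PSK:", observer_derives_client_ptk("coffee-shop-wifi", "coffee-shop-wifi"))
    # Per-user keys (modelled as distinct passphrases): the derivation diverges.
    print("per-user PSK:", observer_derives_client_ptk("alice-key-7431", "bob-key-9920"))
```

Everything fed into the PTK except the passphrase is visible on the air, so the passphrase is the only secret separating one user's session keys from another's.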

If you're ever deploying guest Wi-Fi and want to secure communications, ePSK is a great way to do it. It can be applied to other environments as well: for example, a small business without the skillset to operate a RADIUS server could utilise ePSK quite easily, giving them a more secure option than standard WPA2-PSK.

Using ePSK in cnMaestro is easy to do and mostly self-explanatory. It can be found under WLANS > “WLAN name” > ePSK.

One nice feature is the ability to generate bulk PSKs which can be exported and distributed out to users as needed.

Another useful feature is the ability to assign different PSKs to different VLANs. For example, if you're issuing a PSK to someone in the Finance Department they might be on VLAN20, but if you're issuing a PSK to someone in the Sales Department they might be on VLAN30, all from one SSID.

Admittedly Cambium aren't the first to introduce multiple PSKs; Ruckus and Aerohive have released similar features, but in my experience their solutions are at a higher cost.

So credit where credit is due, this is a great feature that’s clearly been well thought out. Well done Cambium.
