How to Implement Role-Based Access Control Using a Pre-Shared Key SSID Without MAC Authentication?
- Bhanu Prasad
- Oct 6
Before reading the article, please note that all concepts are tested and explained using Alcatel-Lucent enterprise products.
SSID With Pre-Shared Key

The user device associates with the wireless access point using a pre-shared key (PSK). Once the correct pre-shared key is entered on the device, it obtains an IP address and gains access to the network/Internet.
Pros: Easy to use; typically used on voice devices that do not support roaming standards.
Cons: All devices connected to the SSID land in the same VLAN (broadcast domain) and subnet. Imagine a scenario with VoIP phones across different departments (Doctor, Finance, HR, Janitorial, etc.) and a requirement to record the VoIP conversations of Doctor, Finance and HR on different servers, e.g. Doctor calls on Server A (1.1.1.x/24), Finance staff calls on Server B (2.2.2.x/24), and so on.
To meet this requirement with plain PSK, we would need a separate PSK SSID for each department, so that each department is assigned to a different VLAN and only that department's calls are recorded on the corresponding server.
As we all know, the number of SSIDs is inversely proportional to performance: every additional SSID an AP broadcasts adds beacon and probe-response overhead on the channel.
Let's explore the options for a single pre-shared-key SSID broadcast by the access point, where different pre-shared keys can be used to connect to the same SSID so that devices from different departments fall into different broadcast domains.
For example, the SSID broadcast by the AP is MPSK:
A device using the pre-shared key “doctordept” associates with SSID MPSK and falls in VLAN 14
A device using the pre-shared key “financedept” associates with SSID MPSK and falls in VLAN 12
Option 1: Device-specific pre-shared key

In this SSID, the MAC address of every device is added to the RADIUS server together with its pre-shared key and a user role, which is tied to a VLAN. In short, different devices with different pre-shared keys can connect to the same SSID and land in different VLANs.
After association, the user device's MAC address is validated by the AP (the authenticator) against RADIUS.
The device gains access to the network/Internet only if its MAC address is present in RADIUS and the pre-shared key entered on the device matches the pre-shared key associated with that MAC address in RADIUS.
(Figure: frame/packet flow for the device-specific pre-shared key SSID.)

Pros:
1) Easy to use; nothing changes for the user when associating with the wireless network
2) Extra layer of security through MAC authentication. Typically used with devices that do not require mobility or roaming.
Cons:
1) Every time a device moves from AP1 to AP2 (or vice versa) it must undergo MAC authentication again, so roaming time depends on the wired-network latency between the AP/authenticator and RADIUS
2) Devices with the random MAC address feature require additional effort from network administrators, since the MAC address stored in RADIUS no longer matches the one the device presents
3) Works only with WPA2
If you are using the Alcatel-Lucent Enterprise solution, you configure the device-specific pre-shared key under the computer property.

Option 2: Private Group Pre-shared key (PPSK)

In the Private Group Pre-shared Key SSID, the primary objective is to remove the dependency on the wired network (RADIUS) when devices roam from AP1 to AP2 or vice versa, and to mitigate the impact of random MAC addresses.
In the Private Group Pre-shared Key SSID, you can see that I have created three profiles, Doctor, IT and Finance, each with a different pre-shared key and access role profile.

For example,
A device using the pre-shared key “doctordept” associates with SSID PPSK and falls in VLAN 14
A device using the pre-shared key “financedept” associates with SSID PPSK and falls in VLAN 11

Pros:
1) Wireless roaming from AP1 to AP2 (or vice versa) is faster, with no dependency on the wired network
2) No dependency on the random MAC address feature of user devices.
Cons:
1) The pre-shared keys (in hashed form) are stored on the access points, which has been raised as a concern for certain use cases.
2) Works only with WPA2
Option 3: Dynamic Group Pre-shared key (Available in OVC 10.5.1 / OV 4.9.R03)

The Dynamic Group Pre-shared key combines the advantages of both the device-specific pre-shared key and the private group pre-shared key, and the packet flow is similar to the MPSK SSID.

You configure the different pre-shared keys and their associated roles on the RADIUS server; they are stored in OV2500, not on the AP.

When a user connects for the first time, the AP forwards the pre-shared key information to the RADIUS server, which checks whether the pre-shared key exists in the Dynamic Private Group PSK database; if it is found, the corresponding role is assigned.
No MAC authentication is performed the first time the device connects to the SSID; pre-shared key validation happens on the RADIUS server.
For example,
Device A (e2:72:0d:c3:31:b8) uses the pre-shared key “doctordept”, associates with SSID DGPSK1 and falls in VLAN 14. Its MAC address is added to the Dynamic Private Group MAC table.
Device B (1e:9e:ca:38:66:10) uses the pre-shared key “it123456”, associates with SSID DGPSK1 and falls in VLAN 12. Its MAC address is added to the Dynamic Private Group MAC table.


If the user forgets/removes the SSID profile from the device and attempts to reconnect using a different pre-shared key, the device cannot connect or gain network access.
For example,
Device B (1e:9e:ca:38:66:10) forgets/removes the SSID profile DGPSK1 from the device and tries to connect to the SSID using the pre-shared key “doctordept”; RADIUS rejects the device because its MAC address is already tied to a different pre-shared key.
Note: The device MAC address stays associated with the pre-shared key for the Dynamic Private Group MAC persistency time; the default is 1 day and the maximum is 365 days.
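The step that Options 1 and 3 both depend on is how an AP or RADIUS server can tell which of several pre-shared keys a client is using, even though the client never sends the key itself. The model below is an added example, not Alcatel-Lucent Enterprise or OmniVista/UPAM code, and it makes an assumption the article does not state: that the AP hands the server the client's EAPOL-Key message 2 (SNonce plus MIC), the ANonce and both MAC addresses, so the server can recompute the MIC under each candidate PSK. That recomputation is standard WPA2 arithmetic (PBKDF2 to the PMK, PRF-512 to the KCK, HMAC-SHA1-128 over the frame). The EAPOL-Key layout is simplified, and the SSID, MAC addresses, nonces, role names and passphrases are constructed for the example. It shows the Option 1 check (MAC looked up first, then only that device's PSK tried), the Option 3 check (no MAC lookup, every group PSK tried) and the MAC-to-PSK pinning with a persistence window.

```python
"""Model of how a PSK SSID can map one client to one of several pre-shared keys.

Added example, not Alcatel-Lucent Enterprise code. Assumed (not from the article):
the server receives the client's EAPOL-Key message 2, the ANonce and both MACs,
then tests candidate PSKs against the MIC. EAPOL-Key layout is simplified (no key
data). SSID, MACs, nonces, roles and passphrases are constructed sample data.
"""
import hashlib
import hmac
import struct

SSID = b"DGPSK1"
NONCE_OFFSET = 17  # 4-byte EAPOL header + descriptor type, key info, key length, replay counter
MIC_OFFSET = 81    # NONCE_OFFSET + nonce(32) + IV(16) + RSC(8) + ID(8)

# Option 3 style table: group PSK -> (role, VLAN). Constructed from the article's examples.
GROUP_PSKS = {"doctordept": ("doctor", 14), "it123456": ("it", 12)}
# Option 1 style table: per-device entries keyed by MAC. Constructed.
DEVICE_PSKS = {bytes.fromhex("e2720dc331b8"): ("doctordept", ("doctor", 14))}


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def kck_from_pmk(pmk, aa, spa, anonce, snonce):
    """First 16 bytes of the PTK (the KCK), via the 802.11 PRF-512 for AKM 00-0F-AC:2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:16]


def build_m2(snonce, mic=bytes(16), replay_counter=1):
    """Serialize a simplified EAPOL-Key message 2: RSN descriptor, pairwise, MIC bit, version 2."""
    body = (struct.pack(">BHH", 2, 0x010A, 16) + struct.pack(">Q", replay_counter)
            + snonce + bytes(16) + bytes(8) + bytes(8) + mic + struct.pack(">H", 0))
    return struct.pack(">BBH", 2, 3, len(body)) + body


def eapol_mic(kck, frame):
    """Key descriptor version 2: HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def client_m2(passphrase, aa, spa, anonce, snonce):
    """Supplicant side: message 2 whose MIC is computed from the client's own passphrase."""
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, SSID), aa, spa, anonce, snonce)
    return build_m2(snonce, eapol_mic(kck, build_m2(snonce)))


def mic_matches(passphrase, frame, aa, spa, anonce):
    """Does the MIC in this message 2 verify under the given passphrase?"""
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, SSID), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def device_specific_authorize(mac, frame, aa, anonce):
    """Option 1: the MAC must be known, and only that MAC's own PSK is tried."""
    entry = DEVICE_PSKS.get(mac)
    if entry is None:
        return None  # MAC authentication fails before the PSK is even considered
    passphrase, role = entry
    return role if mic_matches(passphrase, frame, aa, mac, anonce) else None


def identify_group_psk(frame, aa, spa, anonce):
    """Option 3: no MAC lookup; try every group PSK and return the one whose MIC verifies."""
    for passphrase, role in GROUP_PSKS.items():
        if mic_matches(passphrase, frame, aa, spa, anonce):
            return passphrase, role
    return None


class DynamicGroupPskServer:
    """Pins each MAC to the first group PSK it authenticated with, for a persistence window."""

    def __init__(self, persistence_seconds=86400):  # article: default 1 day, maximum 365 days
        self.ttl = persistence_seconds
        self.bindings = {}  # mac -> (passphrase, expires_at)

    def authorize(self, mac, frame, aa, anonce, now):
        match = identify_group_psk(frame, aa, mac, anonce)
        if match is None:
            return None  # Access-Reject: MIC verifies under no configured group PSK
        passphrase, role = match
        bound = self.bindings.get(mac)
        if bound and bound[1] > now and bound[0] != passphrase:
            return None  # Access-Reject: MAC still pinned to a different PSK
        self.bindings[mac] = (passphrase, now + self.ttl)
        return role
```

Two practical consequences follow from the model. The server does one PBKDF2 derivation per candidate for every first-time handshake, so the group-PSK list should stay short, and a client with a private (random) MAC that presents a different address after the persistence window simply gets re-pinned, which is exactly why Option 3 tolerates random MACs where Option 1 does not. Also, because any group PSK is shared by everyone in that department, the VLAN it maps to is only as protected as the least careful holder of that passphrase.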

Pros:
1) No need to worry about the random MAC address feature, since there is no MAC authentication during first-time association.
2) Pre-shared keys are not stored on the access points.
3) Roaming is seamless if the user device supports the 802.11r/FT standard for the PSK SSID.
Cons:
1) Works only with WPA2
2) If the user device does not support 802.11r/FT, roaming time depends on the latency of the wired network.