Separate Networks By Password With Aruba (PPSK/MPSK)

Overview

I was looking for devices that support Private Pre-Shared Keys (PPSK), which allow a single access point to broadcast one network and, depending on the pre-shared key (the WiFi password) a device connects with, assign it different privileges.

At the same time I was having issues with UniFi (which turned out not to be a Ubiquiti problem), so I tried out Aruba’s Instant access points.

Multiple PreShared Keys (MPSK)

HPE’s name for PPSK is MPSK. Unfortunately, Instant does not support local MPSK via the web configurator and requires the command line.

Do not confuse Instant with Instant On because they are not the same product line and as of writing, Instant On does not support MPSK.

Also, a lot of write-ups use Central, HPE’s paid cloud management software, to configure MPSK; it does provide a user interface for creating MPSK. What I wanted was to do it with the virtual local controller, so that it does not cost any money and I still get this awesome feature.

Once MPSK is setup, you can make some of the changes in the web interface.

Pre-requisites

You will require an SSH client to access the command line.

The SSH login uses the same admin username and password as the web interface.

I’m not a networking engineer, and a lot of articles (see the links at the end for examples) seem to assume prior knowledge of the command-line hierarchy and the context in which each command is issued. Hopefully this will help others.

I am using ArubaOS (AOS) 8.10.

The device was set up and tested working with a separate wireless network. The network I want to use for PPSK has not been created yet.

Roles

I will be using roles to associate to each PPSK. That way, each client that connects with their respective password will use that role and all the associated access rules.

I will use the following example throughout.

1. Wireless network name (SSID): myWirelessNetwork. This is the name your devices will see and connect to.
2. Three roles, and therefore three passwords:
2.1. The first, called “iot”, for my Internet of Things devices.
2.2. The second, called “myfamily”, for family members.
2.3. The third, called “guests”, for anyone else.

Repeat the following steps for each role, changing the things specific to that role. Remember, this is the role, not the password or the wireless network name.
1. Log into the virtual controller.
2. Go to the Configuration > Security page and the Roles section.
3. Press the + (plus) button and enter the role name. Press OK when you’re done.
4. Add all the remaining roles with suitable names.

At this point, I would add the VLANs for each role as well.
1. Select the role from the list.
2. Press the + (plus) button in the Access Rules for xx section, where xx is the role name. The New Rule window will pop up.
3. From the Type drop-down, select VLAN assignment.
4. Enter the VLAN ID and press OK.
5. Repeat for each role if necessary.

Setup MPSK

Using an SSH client, SSH to the access point / controller’s IP address and enter the admin username and password when prompted. For example, if the IP was 192.168.1.22 and the username admin:
ssh admin@192.168.1.22

Enter configuration mode:
config

Create an MPSK network. The name of the network will appear in the web interface under Configuration > Networks. In my example I will call it mpsk.
wlan mpsk-local mpsk

Next, create the pre-shared key profiles. Each profile defines the password to use when connecting and ties that password to a role. Profiles also need a name. The command is:
mpsk-local-passphrase [mpsk profile name] "[password]" "[role name]"

Keep the quotes, but replace everything inside the square brackets, including the brackets themselves. For iot, I will create an MPSK profile called iot-mpsk-profile with myiotpassword as the password, tied to the role iot that was created earlier.
mpsk-local-passphrase iot-mpsk-profile "myiotpassword" "iot"
Press Enter to send the command. Now for the rest of the MPSK profiles:
mpsk-local-passphrase myfamily-mpsk-profile "mymyfamilypassowrd" "myfamily"
mpsk-local-passphrase guests-mpsk-profile "myguestpassowrd" "guests"

Exit the mpsk-local context by sending the command:
exit

Next, create the wireless network. This is the name that will be seen by devices. In this example it will be called myWirelessNetwork:
wlan ssid-profile myWirelessNetwork

Set the wireless mode to local MPSK (instead of a mode such as WPA3):
opmode mpsk-local

Now that it is set to local MPSK mode, the next command tells it which MPSK network to use, which is mpsk in my example (from wlan mpsk-local mpsk above):
mpsk-local mpsk

Exit out of the new wireless LAN context:
exit

Set the access rules for the mpsk network:
wlan access-rule mpsk

Set it to allow all traffic for now. Further changes can be made in the web interface:
rule any any match any any any permit

Exit out of the wireless network access context:
exit

Exit out of configuration mode:
exit

If all has gone well, save and apply the changes:
commit apply

Full Command List

config
wlan mpsk-local mpsk
mpsk-local-passphrase iot-mpsk-profile "myiotpassword" "iot"
mpsk-local-passphrase myfamily-mpsk-profile "mymyfamilypassowrd" "myfamily"
mpsk-local-passphrase guests-mpsk-profile "myguestpassowrd" "guests"
exit
wlan ssid-profile myWirelessNetwork
opmode mpsk-local
mpsk-local mpsk
exit
wlan access-rule mpsk
rule any any match any any any permit
exit
exit
commit apply
exit

Close the connection:
exit

Test

The network should now be set up and the wireless network broadcasting. You can confirm this under Configuration > Networks, where it should appear in the list. Also check that the commands above appear in the raw configuration under Maintenance > Configuration.

Use a device to connect to the network and check that the different passwords work and, if you set them, that the VLAN has been applied to the client’s traffic.

Additional MPSK

Adding more MPSK profiles takes about half the setup. Create a role as described above, then log back in via SSH as described above.

Enter configuration mode:
config

Enter the MPSK network context, “mpsk”:
wlan mpsk-local mpsk

Add the new password and profile:
mpsk-local-passphrase work-mpsk-profile "password" "work"

Save and exit:
exit
exit
commit apply
exit

Full list of commands
config
wlan mpsk-local mpsk
mpsk-local-passphrase work-mpsk-profile "password" "work"
exit
exit
commit apply
exit

Remove A MPSK

SSH into the device.

Enter configuration mode:
config

Enter the MPSK network context, “mpsk”:
wlan mpsk-local mpsk

Remove the MPSK:
no mpsk-local-passphrase work-mpsk-profile

Save and exit:
exit
exit
commit apply
exit

Don’t forget to remove the role from the UI if it is no longer used.

Full list of commands
config
wlan mpsk-local mpsk
no mpsk-local-passphrase work-mpsk-profile
exit
exit
commit apply
exit
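The initial setup, the additional-profile and the removal procedures above are the same three CLI contexts with different arguments. This added example (my own code, not from the original post or from HPE) builds those command lists from a role-to-passphrase table, adds checks a practitioner would want before running commit apply, and combines removal and addition into a single key rotation. The validation rules and the rotate helper are my additions; the profile naming follows the post’s “<role>-mpsk-profile” convention.

```python
# Added example (not from the original post): build the ArubaOS Instant CLI
# lines for a local-MPSK network from a role -> passphrase table, plus the
# commands to rotate one key. "<role>-mpsk-profile" naming follows the post;
# the validation rules are my own additions.
from dataclasses import dataclass

MIN_PSK, MAX_PSK = 8, 63  # WPA2-Personal passphrase length limits

@dataclass(frozen=True)
class MpskEntry:
    role: str
    passphrase: str

    @property
    def profile(self) -> str:
        return f"{self.role}-mpsk-profile"

def validate(entries):
    """Reject entries that should never reach 'commit apply'."""
    seen = {}
    for e in entries:
        if not MIN_PSK <= len(e.passphrase) <= MAX_PSK:
            raise ValueError(f"{e.role}: passphrase must be {MIN_PSK}-{MAX_PSK} chars")
        if '"' in e.passphrase or '"' in e.role:
            raise ValueError(f"{e.role}: double quotes break the CLI quoting")
        if e.passphrase in seen:  # shared key -> ambiguous role assignment
            raise ValueError(f"{e.role} and {seen[e.passphrase]} share a passphrase")
        seen[e.passphrase] = e.role

def passphrase_cmd(e):
    return f'mpsk-local-passphrase {e.profile} "{e.passphrase}" "{e.role}"'

def initial_setup(ssid, mpsk_name, entries):
    """The post's full command list, in the correct context order."""
    validate(entries)
    return ["config", f"wlan mpsk-local {mpsk_name}",
            *(passphrase_cmd(e) for e in entries), "exit",
            f"wlan ssid-profile {ssid}", "opmode mpsk-local",
            f"mpsk-local {mpsk_name}", "exit",
            f"wlan access-rule {mpsk_name}",
            "rule any any match any any any permit", "exit",
            "exit", "commit apply"]

def rotate(mpsk_name, old, new):
    """Swap one key (e.g. after it was shared) without touching the SSID."""
    validate([new])
    return ["config", f"wlan mpsk-local {mpsk_name}",
            f"no mpsk-local-passphrase {old.profile}", passphrase_cmd(new),
            "exit", "exit", "commit apply"]
```

Join the returned list with newlines and paste it into the SSH session; a final exit to close the connection is left to you.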

Summary

This is a really cool feature that is not as secure as WPA Enterprise but a lot slicker than plain old pre-shared keys. You reduce the number of wireless networks being broadcast and use the roles to segregate the network.

The trade-off is that people (at least on Android) can still share the pre-shared key, and whoever receives it gets the same role. I wish this feature were available in the web interface on Aruba Instant. It looks like it is available if you have Aruba Central (which I don’t have).

Aruba Central with IAP 8.7.1 – MPSK Local with role assignment

Multiple PSKs for a single guest WLAN: MPSK with Aruba Instant

About Danny

I.T. software professional, always studying and applying the knowledge gained, and one way of doing this is to blog. Danny also participates in a part-time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premises. Dedicated to I.T. since studying pure Information Technology from the age of 16, Danny Tsang works in the field he has aimed for since leaving school. This entry was posted in Networking.
