Hi,
this is perfectly possibly. Hostapd sends a RADIUS Access-Request when a
new station tries to connect, and the RADIUS server includes the allowed
PSKs with this station in the Access-Accept reply message using
Tunnel-Password attributes.
So it does not matter whether two STAs have the same PSK or not, and
multiple PSKs per STA are also supported.
Please note that when using WPA3, you need some extra patches:
https://patchwork.ozlabs.org/project/hostap/cover/20210416111825.3895-1-michael-dev@xxxxxxxxxxxxx/
Regards,
M. Braun
Am 28.07.2021 18:35, schrieb Colton Conor:
I am seeing there is an option to use radius for WPA, but I am not
sure if it will allow multiple devices (not limited by MAC address) to
use the same key via radius? This would be similar to using the
Special MAC address 00:00:00:00:00:00 can be used to configure PSKs
that anyone can use while using the hostapd.wpa_psk method. Does
anyone know if its possible to do this by radius? I don't think the
actual passphrase is passed.
# Optionally, WPA passphrase can be received from RADIUS authentication
server
# This requires macaddr_acl to be set to 2 (RADIUS)
# 0 = disabled (default)
# 1 = optional; use default passphrase/psk if RADIUS server does not
include
# Tunnel-Password
# 2 = required; reject authentication if RADIUS server does not include
# Tunnel-Password
#wpa_psk_radius=0
On Tue, Jul 27, 2021 at 11:21 AM Colton Conor <colton.conor@xxxxxxxxx>
wrote:
Michał,
Thanks, this makes more sense.
I basically meant if you have 100 OpenWRT AP's running at an
enterprise, how would you in mass edit the psk file, and reload
accordingly across all? Most commercial vendors have a controller that
devices would check into to facilitate this task, or use a radius
server. Can radius be used with Multi-PSK?
On Tue, Jul 27, 2021 at 10:08 AM Michał Kazior <kazikcz@xxxxxxxxx>
wrote:
>
> Hi Conor,
>
> keyid= can be used to identify which passphrase a client used. This in
> turn can be used to apply selective firewalling rules if so desired.
> vlan= filtering/assignment isn't necessarily what you want, or what
> you can do, depending on your system and requirements.
>
> Editing the psk file itself does not do anything. If you want to
> reload it you can run `hostapd_cli -i wlanX reload_wpa_psk`. It
> re-reads and re-applies psk file data only. If a client was connected
> with a passphrase that no longer exists in the psk file, it will be
> disconnected. Otherwise the client will be left connected.
>
> Not sure what you mean by automating it across 100s of APs though.
>
>
> Michal
>
> On Tue, 27 Jul 2021 at 16:40, Colton Conor <colton.conor@xxxxxxxxx> wrote:
> >
> > I am trying to figure out the proper way to have multiple PSKs on a
> > single SSID. Each passphrase will be used by multiple users, and each
> > passphrase will be tied to a VLAN.
> >
> > Reading https://w1.fi/cgit/hostap/tree/hostapd/hostapd.wpa_psk, it
> > seems the proper way to do this would be:
> >
> > vlanid=10 00:00:00:00:00:00 passphrase1
> > vlanid=11 00:00:00:00:00:00 passphrase2
> >
> > My question is:
> > What is the keyid= used for typically?
> > Is there a way to add/remove keys using radius instead of manually
> > editing the hostapd.wpa_psk each time?
> > Does editing the hostapd.wpa_psk kick existing users offline if you
> > have to reload / save the file?
> > How would you automate this across 100's of APs at a property?
> >
> > _______________________________________________
> > Hostap mailing list
> > Hostap@xxxxxxxxxxxxxxxxxxx
> > http://lists.infradead.org/mailman/listinfo/hostap
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap