Multiple unique PSKs to single WPA-Personal SSID?

I purchased a Zyxel AP for testing as a replacement for my own and potentially other customer devices, and it seemed to do most things I needed, but one large one it seems it actually cannot…

I need/expected the ability to have multiple PSKs in use with WPA-Personal modes, usually referred to as Private-PSK (Extreme), Group-PSK (Arista), or Identity-PSK (Cisco/Meraki). Typically these all allow a list of unique PSKs with some description such as user or role, allowing removal/change of each without global singular password updates across a single one. Quite ideal without the RADIUS mess for smaller businesses or larger homes.

Reading your user guide before purchase, it seemed I could do this through multiple security profiles, but I realized after getting and working with configuration that only applied to separate BSSID profiles binding to the radio slots in 1:1 relations, which works, but far from ideal. Plus I would in theory have multiple (b)ssid's already, each with multiple separate identity psk's ideally for well more than 8 PSK/security-profiles.

I did see some reference to dppsk, but can find no documentation on what this is or if this might resemble said identity/private PSK feature (or much of anything related to CLI features). Is this at all possible, and if not, is it feasible to make a feature request?

Individual/unique PSKs seem a no-brainer feature most APs should integrate, enterprise or not, to keep hooligans out of your network. Most take it further in that you can then apply access-lists, content filters, dynamic VLANs, etc. per identity/group role with this too, which would be the evolution, but I'd be happy for just a line-returned list of accepted PSKs now too; even hostapd under Linux supports this.

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 809  Zyxel Employee

    Hi @mikebutash,

    We offer the dynamic password feature for each client using DPPSK (Dynamic Personal Pre-Shared Key). For more information about the benefits and configuration of this feature, please refer to this FAQ.

    Judy

  • mikebutash
    mikebutash Posts: 6
    edited May 2023

    Thank you very much @Zyxel_Judy, that doc explains this with your Nebula cloud setup, probably why I missed it, as my intention was NOT to use cloud integration, rather simple stand-alone mode only. Is dppsk only available in the cloud as a feature? Obviously the hardware/OS is capable, is there any way to leverage this at all even more manually myself?

    Fishing around the CLI I saw dppsk present somewhat, but no CLI reference guides to really explain relations that I could find on your site. Manual digging is a bit arduous for a noob to your CLI dialect.

    Might you have handy to share any CLI and API reference guide links for anything current-ish for 6.55, ideally dppsk as a feature? Standalone mode preferred obviously, or I don't imagine it looks much different with Nebula enabled. Checking these forums, I don't seem to be the only one that can't find a proper CLI reference guide.

    Thanks again!

  • Zyxel_Judy
    Zyxel_Judy Posts: 809  Zyxel Employee

    Hi @mikebutash,

    There is a requirement to establish a password database for DPPSK. We provide users with the option to create all the information on the Cloud through Nebula Control Center in order to achieve DPPSK. DPPSK is not supported in stand-alone mode.

    Judy

  • I realize it would require some sort of external database presuming multiple APs, what I'm stating is that I would accept the responsibility to maintain this myself, doing so via Ansible or some other automation for my own list. I use Arista today with their cloud, and really want a more standalone solution to keep things internal entirely, which with your price point is what interested me in Zyxel.

    The commands seem to be here, though undocumented:

    Router(config-wlan-dppsk default)# dppsk 1  
    <keyhash>

    I presume Nebula is dropping something like NETCONF on it in the form of 1-2048 numbered key hashes, which I'd gladly do myself.

    Since the CLI/OS is largely undocumented, I've had to tinker around inside your firmware to explore how it works, finding some info about the dppsk YANG model "Nebula CC will calculate PMK from passphrase and deliver to AP", but not necessarily what hashing mechanism it wants (yet) or how that is set. It would be nice if it were simply documented.

    I am only wanting to leverage features it is capable of to begin with. I saw enough from the firmware that it's mostly OpenWrt underneath, which, from talking to their devs, I know is capable of handling this natively with even a flat file list if it were just vanilla OpenWrt.
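
Added example, not part of the original posts and not Zyxel's code: the standard WPA/WPA2-Personal passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes) applied to a per-identity passphrase list and rendered as hostapd `wpa_psk` file entries. Whether the Zyxel `dppsk <keyhash>` value uses this encoding is not established by the thread; the SSID, identity names and passphrases below are constructed.

```python
import hashlib

WILDCARD_MAC = "00:00:00:00:00:00"  # hostapd: entry is valid for any client MAC


def derive_pmk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA/WPA2-Personal PMK as 64 hex characters."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # The SSID is the salt, so the same passphrase gives a different PMK per SSID.
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)
    return pmk.hex()


def build_psk_file(ssid: str, identities: dict) -> str:
    """Render one wpa_psk entry per identity, storing PMKs instead of passphrases."""
    seen = {}
    lines = []
    for name, passphrase in identities.items():
        if not name or not name.isprintable():
            raise ValueError("identity label must be a single printable line")
        pmk = derive_pmk(passphrase, ssid)
        # Two identities with one key cannot be told apart or revoked separately.
        if pmk in seen:
            raise ValueError(f"{name!r} and {seen[pmk]!r} share a passphrase")
        seen[pmk] = name
        lines.append(f"# {name}")
        lines.append(f"{WILDCARD_MAC} {pmk}")
    return "\n".join(lines) + "\n"


# Constructed sample input (hypothetical SSID, identities and passphrases).
SAMPLE_SSID = "example-ssid"
SAMPLE_IDENTITIES = {
    "front-desk-tablet": "constructed-passphrase-01",
    "guest-contractor": "constructed-passphrase-02",
}

if __name__ == "__main__":
    print(build_psk_file(SAMPLE_SSID, SAMPLE_IDENTITIES), end="")
```

Revoking one identity means deleting its two lines and reloading the file; the other keys are untouched.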

  • Zyxel_Judy
    Zyxel_Judy Posts: 809  Zyxel Employee
    edited June 2023 Answer ✓

    Hi there,

    Dear Customer,

    We want to extend our gratitude to you for showing interest in Zyxel products.

    DPPSK is a part of our Nebula Pro Pack feature set. In case you’d like to have the best experience and understanding of our feature, please go to Nebula and activate the 30-day trial Nebula Pro Pack license. The path is Nebula > License & Inventory > Trial.

    However, we must inform you that DPPSK is not supported in standalone mode. Our Nebula Pro Pack features, including DPPSK, require the cloud-managed network environment provided by Nebula Control Center to function effectively.

    Judy

  • Thank you Judy, while unfortunately not a desired answer, I understand. Here's to hoping for a vanilla OpenWrt release for the hardware at least eventually!