Netgate Discussion Forum
    Unifi APs PPSK function

    Off-Topic & Non-Support Discussion
    37 Posts 5 Posters 5.8k Views
      mcury

      New option to enable PPSK in Unifi APs, pretty slick.
      Who is using it?

      I have been testing it for a few days and it has been rock solid.
      Two VLAN-only networks, and users get into different VLANs by typing different passwords.

      dead on arrival, nowhere to be found.

        johnpoz (LAYER 8 Global Moderator) @mcury

        @mcury Yeah I saw that was enabled a while back, but have not yet had time to play with it..

        I will get around to it soon enough - does it work with WPA2?

        It would be nice to move to just 2 SSIDs: 1 for my EAP-TLS auth for trusted devices, and then I could use just one SSID for my other devices like IoT and Roku and then guests.. This would allow for much easier segmentation while keeping the number of SSIDs down. More SSIDs is bad for overall performance.

        I have run into stuff that doesn't support WPA3, would love to just run pure WPA3, either PSK or better yet PPSK. And then my WPA3 Enterprise for my actual trusted devices that use EAP-TLS to auth.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          mcury @johnpoz

          @johnpoz said in Unifi APs PPSK function:

          I will get around to it soon enough - does it work with WPA2?

          Yep, I turned two VLAN-only networks into one SSID only, but you need the latest EA controller 7.5.187 and the latest AP firmware 6.6.38 for that to work properly.

          @johnpoz said in Unifi APs PPSK function:

          It would be nice to move to just 2 SSIDs: 1 for my EAP-TLS auth for trusted devices, and then I could use just one SSID for my other devices like IoT and Roku and then guests.. This would allow for much easier segmentation while keeping the number of SSIDs down. More SSIDs is bad for overall performance.

          I have run into stuff that doesn't support WPA3, would love to just run pure WPA3, either PSK or better yet PPSK. And then my WPA3 Enterprise for my actual trusted devices that use EAP-TLS to auth.

          It would be nice indeed, but I have so much old stuff here, printers from 10 years ago, first-release Chromecasts, I can't use WPA3 or EAP-TLS..
          If I wanted, I could put them in a separate Wi-Fi network and use Avahi, but I think that defeats the purpose of VLANs entirely.

          I'm using just one Wi-Fi network now, for the WIFI VLAN and the GUEST VLAN, it makes things simpler..

            johnpoz (LAYER 8 Global Moderator) @mcury

            @mcury said in Unifi APs PPSK function:

            Yep, I turned two VLAN-only networks into one SSID only, but you need the latest EA controller 7.5.187 and the latest AP firmware 6.6.38 for that to work properly.

            Not a problem ;) I always run whatever the latest beta controller and firmware for my APs is ;)

            separate Wi-Fi network and use Avahi, but I think that defeats the purpose of VLANs entirely.

            Completely agree there - not a fan of breaking the L2 boundary..

              mcury @johnpoz

              @johnpoz said in Unifi APs PPSK function:

              Not a problem ;) I always run whatever the latest beta controller and firmware for my APs is ;)

              Same here, always the latest :)

                NogBadTheBad @johnpoz

                @johnpoz said in Unifi APs PPSK function:

                @mcury Yeah I saw that was enabled a while back, but have not yet had time to play with it..

                I will get around to it soon enough - does it work with WPA2?

                It would be nice to move to just 2 SSIDs: 1 for my EAP-TLS auth for trusted devices, and then I could use just one SSID for my other devices like IoT and Roku and then guests.. This would allow for much easier segmentation while keeping the number of SSIDs down. More SSIDs is bad for overall performance.

                I have run into stuff that doesn't support WPA3, would love to just run pure WPA3, either PSK or better yet PPSK. And then my WPA3 Enterprise for my actual trusted devices that use EAP-TLS to auth.

                How would your Apple devices cope with this? They sync all the SSID & password info over to all the devices.

                I use my Apple Watch to unlock my Mac, and for this to happen I have to enable Wi-Fi. Whenever I have to pop onto my IoT network on my iPhone to add / delete some HomeKit equipment, it adds the IoT network and my Mac auto-joins the IoT network.

                I’ve had to resort to blocking my Mac's MAC address on my Wi-Fi kit, it’s a bit of a pain TBH.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  johnpoz (LAYER 8 Global Moderator) @NogBadTheBad

                  @NogBadTheBad I do believe PPSK is tied to MAC, or can be, so this should help prevent sharing, to be honest.. One of the reasons it's a more secure option..

                  If device A with MAC abc auths with PPSK 123, and then device B comes in with MAC xyz, I do not believe it can use that same PPSK..

                  But again I have not played with it yet, maybe @mcury could answer that specific question.

                  I do believe the tied-to-MAC option is part of the new features with PPSK, but not sure if Unifi has it or how they have implemented it?

                  edit: I just took a really quick look at the Unifi controller for adding PPSK, and while they allow you to set a different password for a different network..

                  [image: ppsk.jpg]

                  So I am not sure if or how they have implemented the PPSK ability to be tied to a specific MAC address. But I am pretty sure that is one of the features of PPSK.. So it's possible that the Unifi implementation has not allowed for that as of yet? While assigning to a specific network/VLAN is a nice feature that can be implemented with PPSK, one of its stronger features was the ability to assign a specific PSK to each specific device..

                  Like you can do with Enterprise, via RADIUS.. So Billy has a specific password.. So if that is compromised I can just change Billy's password or disable Billy's account without effect on other users using the Wi-Fi. Since IoT sort of devices don't support Enterprise forms of WPA.. PPSK was supposed to allow for such granularity.. Where their MAC address was their "username" if you will.

                  Would be a shame if Unifi only implemented the ability to change networks depending on password, and not the MAC address ability. But I guess you could use it along with MAC address filtering to provide such prevention of sharing?

                  Unifi has a bad habit of putting different settings in different locations, and moving them about sometimes.. Especially with their legacy UI and newer UI.. When setting up a PPSK I would think an easy way would be to allow for creation of a PSK under the PPSK SSID.. Where it has no MAC address control and just puts you on network X.. But also have the ability to create one that allows the first MAC to auth and puts them on VLAN X or Y, etc. but then no other new MACs may use that PSK. Or the ability to limit to MAC when setting the PSK.

                  Unifi just recently enabled any sort of PPSK, so it's possible it is not yet complete. But PPSK has been around for a few years in other Wi-Fi systems.

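The per-device key behaviour described in the post above (one key per station, optionally bound to a MAC, each key mapping to a VLAN) is something an access point resolves during the WPA2 4-way handshake, and the block below is an added example of that resolution. It is not Unifi's, Omada's or any poster's code: the SSID, key table, MAC addresses and nonces are constructed for the example, and the table layout (a VLAN plus either one bound MAC or "any station") follows hostapd's wpa_psk_file convention rather than any Unifi setting. The derivation itself (PBKDF2-SHA1 passphrase to PMK, PRF-512 to PTK, HMAC-SHA1 MIC over EAPOL-Key message 2) is standard WPA2-PSK, so the example generalizes beyond the two-network case in the thread to any number of keys.

```python
"""Added example: how a PPSK access point resolves which pre-shared key a station used.

Standard WPA2-PSK (RSN, AKM 00-0F-AC:2) derivation is used throughout:
PBKDF2-SHA1 passphrase -> PMK, PRF-512 -> PTK, HMAC-SHA1[:16] over EAPOL-Key
message 2 -> MIC. SSID, key table, MACs and nonces are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

SSID = b"OneSSID"  # constructed


@dataclass(frozen=True)
class PpskEntry:
    passphrase: bytes
    vlan: int
    mac: Optional[bytes]  # None = any station may use this key; else the one bound MAC
    pmk: bytes            # PBKDF2 is done once at config time, not per handshake


def psk_to_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    # WPA2: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def make_entry(passphrase: bytes, vlan: int, mac: Optional[bytes] = None) -> PpskEntry:
    return PpskEntry(passphrase, vlan, mac, psk_to_pmk(passphrase, SSID))


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # IEEE 802.11 PRF-512, label "Pairwise key expansion". The PTK binds both MAC
    # addresses and both nonces, so a captured handshake cannot simply be replayed.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]  # KCK(16) | KEK(16) | TK(16) | ...


RSN_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")  # CCMP/CCMP/PSK
MIC_OFF = 81    # offset of the 16-byte MIC field inside the EAPOL frame
NONCE_OFF = 17  # offset of the 32-byte key nonce


def build_m2(kck: bytes, snonce: bytes, replay: int) -> bytes:
    # EAPOL-Key message 2: key info 0x010a = descriptor version 2 (HMAC-SHA1-128),
    # pairwise, MIC bit set. The MIC is computed with its own field zeroed.
    body = (b"\x02" + (0x010A).to_bytes(2, "big") + b"\x00\x00" + replay.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)
            + len(RSN_IE).to_bytes(2, "big") + RSN_IE)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    mic = hmac.new(kck, frame, hashlib.sha1).digest()[:16]
    return frame[:MIC_OFF] + mic + frame[MIC_OFF + 16:]


def station_m2(passphrase: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Station side: derive the PTK from its own copy of the passphrase and sign M2.
    kck = ptk_from_pmk(psk_to_pmk(passphrase, SSID), aa, spa, anonce, snonce)[:16]
    return build_m2(kck, snonce, replay=1)


def resolve_ppsk(table: List[PpskEntry], aa: bytes, spa: bytes, anonce: bytes,
                 m2: bytes) -> Optional[PpskEntry]:
    """AP side: return the entry whose KCK verifies the message-2 MIC, else None.

    Nothing in M2 names the key, so candidates are tried in turn. The MAC check is a
    policy filter on an address the station merely claims; it is not proven by the MIC.
    """
    snonce = m2[NONCE_OFF:NONCE_OFF + 32]
    observed = m2[MIC_OFF:MIC_OFF + 16]
    zeroed = m2[:MIC_OFF] + bytes(16) + m2[MIC_OFF + 16:]
    for entry in table:
        if entry.mac is not None and entry.mac != spa:
            continue  # key is bound to a different station
        kck = ptk_from_pmk(entry.pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(hmac.new(kck, zeroed, hashlib.sha1).digest()[:16], observed):
            return entry
    return None


# Constructed table: two network keys anyone may use, one key bound to a single device.
AP_MAC = bytes.fromhex("02aa11bb22cc")
IOT_MAC = bytes.fromhex("02dd33ee44ff")
GUEST_MAC = bytes.fromhex("025566778899")
TABLE = [
    make_entry(b"iot-things-2024", vlan=20),
    make_entry(b"guests-welcome", vlan=30),
    make_entry(b"only-this-thermostat", vlan=20, mac=IOT_MAC),
]


def assigned_vlan(passphrase: bytes, spa: bytes) -> Optional[int]:
    # Full exchange: fresh nonces, station signs M2, AP resolves the key and its VLAN.
    anonce, snonce = os.urandom(32), os.urandom(32)
    m2 = station_m2(passphrase, AP_MAC, spa, anonce, snonce)
    entry = resolve_ppsk(TABLE, AP_MAC, spa, anonce, m2)
    return entry.vlan if entry else None


if __name__ == "__main__":
    print(assigned_vlan(b"guests-welcome", GUEST_MAC))        # 30
    print(assigned_vlan(b"only-this-thermostat", IOT_MAC))    # 20
    print(assigned_vlan(b"only-this-thermostat", GUEST_MAC))  # None: key bound to IOT_MAC
    print(assigned_vlan(b"wrong-key", GUEST_MAC))             # None
```

Three practical consequences follow from the loop in resolve_ppsk. Nothing in message 2 names the key, so the AP tries candidates until a MIC verifies; with PMKs precomputed that is one PRF-512 and one HMAC per key, so the per-handshake cost grows with the number of keys on the SSID. The same loop is exactly what an attacker runs offline against a captured handshake, so PPSK limits blast radius (one leaked key is one revoked key) but does not remove the need for long passphrases. And the MAC comparison happens before any cryptography, on a station address the client simply asserts, so MAC binding stops casual sharing of a key, not someone who spoofs the bound MAC.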
                    mcury @johnpoz

                    @johnpoz said in Unifi APs PPSK function:

                    If device A with MAC abc auths with PPSK 123, and then device B comes in with MAC xyz, I do not believe it can use that same PPSK..

                    I haven't found any option to tie MACs, I'm almost sure that the Unifi implementation is only by password/SSIDs.

                    @johnpoz said in Unifi APs PPSK function:

                    I do believe the tied-to-MAC option is part of the new features with PPSK, but not sure if Unifi has it or how they have implemented it?

                    Seems to me that the only way is to segregate networks using different passwords.

                    @johnpoz said in Unifi APs PPSK function:

                    Would be a shame if Unifi only implemented the ability to change networks depending on password, and not the MAC address ability. But I guess you could use it along with MAC address filtering to provide such prevention of sharing?

                    If you block a MAC address, you will block it for both networks I believe..
                    There isn't a field to specify which network that MAC address will be blocked on, so with multiple networks, you would be blocking that MAC for both of them..

                      johnpoz (LAYER 8 Global Moderator) @mcury

                      @mcury yeah, see my edits, maybe you missed my later ones? From my 30 second look at the PPSK settings in the Unifi controller - it seems to be only a partial implementation of all the features of PPSK.

                      I was under the impression when the PPSK stuff first started showing up that one of its features was the ability to tie to MAC address, to prevent sharing of the PSK between devices. I have not looked very deep into it though.

                        mcury @johnpoz

                        @johnpoz said in Unifi APs PPSK function:

                        But also have the ability to create one that allows the first MAC to auth and puts them on VLAN X or Y, etc. but then no other new MACs may use that PSK. Or the ability to limit to MAC when setting the PSK.

                        Unifi just recently enabled any sort of PPSK, so it's possible it is not yet complete. But PPSK has been around for a few years in other Wi-Fi systems.

                        That would be pretty good indeed.
                        I think that they are just starting..

                        @johnpoz said in Unifi APs PPSK function:

                        I was under the impression when the PPSK stuff first started showing up that one of its features was the ability to tie to MAC address, to prevent sharing of the PSK between devices. I have not looked very deep into it though.

                        Now, today, the only way of doing that in Unifi APs is with RADIUS and SQL (Simultaneous-Use).

                          johnpoz (LAYER 8 Global Moderator) @mcury

                          @mcury so a quick Google shows that Omada (Unifi clone/alternative) has the ability to tie PPSK to RADIUS and also has the ability to set a MAC on your PPSK.

                          https://www.tp-link.com/us/support/faq/3386/

                          [image: ppskomada.jpg]

                          From a quick look at that article, it seems Omada is ahead of Unifi in the implementation of PPSK for sure.

                            mcury @johnpoz

                            @johnpoz said in Unifi APs PPSK function:

                            From a quick look at that article, it seems Omada is ahead of Unifi in the implementation of PPSK for sure.

                            Hmm, that is interesting. I'm not familiar with Omada APs but now they are on my radar to check..

                              johnpoz (LAYER 8 Global Moderator) @mcury

                              @mcury I took a look at their controller software a while back.. Some of the things I dislike about Unifi they fixed a long time ago. For starters, the ability to use your own SSL cert is much easier than the nonsense it is to change the SSL cert in Unifi.

                              Also they support TLS 1.3, while Unifi is still using 1.2..

                              You can install it just like the Unifi controller software and take a look without having to actually have an Omada AP..

                              If I was in the market for APs right now - I would for sure take a look at them..

                                mcury @johnpoz

                                @johnpoz said in Unifi APs PPSK function:

                                You can install it just like the Unifi controller software and take a look without having to actually have an Omada AP..

                                If I was in the market for APs right now - I would for sure take a look at them..

                                I'm looking for a new AP right now, I'll definitely look at them.
                                Pretty nice, and they are cheaper than the Unifi ones.

                                I'll take a look at their controller and options today, Saturday, just found something to do :)

                                  johnpoz (LAYER 8 Global Moderator) @mcury

                                  @mcury said in Unifi APs PPSK function:

                                  and they are cheaper than the Unifi ones.

                                  There is that too.. A few months back when changing the SSL cert on my Unifi controller.. I was like WTF, have they not made this easier yet, and why is it still using TLS 1.2, and I looked for a way to use TLS 1.3..

                                  I was like, I wonder how Omada does it.. Clicky clicky, install new SSL cert, and look at that, out of the box using TLS 1.3..

                                  Another thing that blows my skirt up is that their APs are using a very old version of SSH in Dropbear:

                                  Hallway-BZ.6.6.38# ssh -V
                                  Dropbear v2020.81
                                  Hallway-BZ.6.6.38# 

                                  2022.83 is current..

                                  Not sure what Omada APs use - but come on Unifi, you come out with new firmware for your APs all the time.. Update the basics..

                                  The TLS 1.3 thing really sort of ticks me off, I mean it's been around since 2018, why does the controller not default to use it, and ok, not default, but there seems to be no way to use it.

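The two version checks in the post above (ssh -V on the AP, and looking at what TLS version the controller negotiates) can also be made from the network side, without a shell on the device: an SSH server sends its identification string before any authentication, and a TLS server either completes or refuses a handshake pinned to a single protocol version. The block below is an added example of that, written for this thread and not taken from Unifi, Omada or any poster. Host names and ports are placeholders (8443 is the UniFi controller's default HTTPS port, 22 the AP's SSH port), and the Dropbear "current" version is the 2022.83 the post quotes, to be updated against the vendor's release list.

```python
"""Added example: probe a controller's TLS versions and an AP's SSH banner from outside.

No credentials are used. The banner samples in the test are constructed; the only
real reference value is DROPBEAR_CURRENT, taken from the thread.
"""
import re
import socket
import ssl
from typing import Dict, Optional, Tuple

# RFC 4253 identification string: "SSH-<protoversion>-<softwareversion>[ comments]"
BANNER_RE = re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<sw>[A-Za-z]+)[_-](?P<ver>[\w.]+)")
DROPBEAR_CURRENT = "2022.83"  # as quoted in the thread; update from the vendor's release list


def parse_ssh_banner(banner: bytes) -> Optional[Tuple[str, str]]:
    """b'SSH-2.0-dropbear_2020.81\\r\\n' -> ('dropbear', '2020.81'); None if not an SSH banner."""
    m = BANNER_RE.match(banner.strip())
    return (m["sw"].decode().lower(), m["ver"].decode()) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    # "2020.81" -> (2020, 81); tolerant of suffixes such as "9.6p1"
    return tuple(int(p) for p in re.findall(r"\d+", v))


def dropbear_outdated(banner: bytes, current: str = DROPBEAR_CURRENT) -> Optional[bool]:
    # True/False for a Dropbear banner, None for anything else (other server, not SSH)
    parsed = parse_ssh_banner(banner)
    if not parsed or parsed[0] != "dropbear":
        return None
    return version_tuple(parsed[1]) < version_tuple(current)


def ssh_banner(host: str, port: int = 22, timeout: float = 3.0) -> Optional[bytes]:
    # The server speaks first, so one recv after connect is enough; None if unreachable.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(255)
    except OSError:
        return None


def tls_versions(host: str, port: int = 8443, timeout: float = 3.0) -> Dict[str, Optional[bool]]:
    """One handshake per protocol version with min == max pinned.

    True: the server negotiated it; False: the server refused that version;
    None: no TCP connection could be made.
    """
    result: Dict[str, Optional[bool]] = {}
    for name, ver in (("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # probing offered versions, not trusting the endpoint
        ctx.verify_mode = ssl.CERT_NONE  # (self-signed controller certs are the norm)
        ctx.minimum_version = ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    result[name] = tls.version() == name
        except ssl.SSLError:             # handshake reached the server and was refused
            result[name] = False
        except OSError:                  # refused/timed out at the TCP level
            result[name] = None
    return result


if __name__ == "__main__":
    # Placeholders: replace with the controller host and an AP's management address.
    print(tls_versions("controller.example.internal", 8443))
    banner = ssh_banner("ap.example.internal", 22)
    print(banner, dropbear_outdated(banner) if banner else None)
```

parse_ssh_banner and dropbear_outdated are pure functions, so they can be run over banners collected by any scanner; tls_versions distinguishes a server that refused a version (False) from one that could not be reached (None), which matters once the probe is scripted across many devices. Certificate verification is turned off only because the goal is to learn which protocol versions are offered, so that context must not be reused for anything that carries credentials.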
                                    mcury @johnpoz

                                    @johnpoz said in Unifi APs PPSK function:

                                    The TLS 1.3 thing really sort of ticks me off, I mean it's been around since 2018, why does the controller not default to use it, and ok, not default, but there seems to be no way to use it.

                                    It is not only that, the MongoDB version is EOL too.
                                    They have the hardware but their software side could be improved, and by a lot.

                                    I recently checked their USW Enterprise PoE switch for the L3 features, and I found this same problem, the software side is not there yet..

                                    Edit: But the switch is so good, I mean, eight 2.5Gbps ports with PoE+, two 10Gbps SFP+..
                                    If you get it for L2 only, it will be one hell of a switch to use..

                                      johnpoz (LAYER 8 Global Moderator) @mcury

                                      @mcury said in Unifi APs PPSK function:

                                      the MongoDB version is EOL too.

                                      I thought I manually updated mine at some point.. Let me check real quick..

                                      user@NewUC:~$ mongod --version
                                      db version v3.6.8
                                      git version: 8e540c0b6db93ce994cc548f000900bdc740f80a
                                      OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
                                      allocator: tcmalloc
                                      modules: none
                                      build environment:
                                          distarch: x86_64
                                          target_arch: x86_64
                                      user@NewUC:~$ 

                                      Yeah that is way EOL ;)

                                        mcury @johnpoz

                                        @johnpoz said in Unifi APs PPSK function:

                                        Yeah that is way EOL ;)

                                        They have the budget to work on that side, but they don't..
                                        Really don't know why.

                                        Perhaps now that Omada is taking the edge, the market will push them to work on that front, let's see.

                                          johnpoz (LAYER 8 Global Moderator) @mcury

                                          @mcury so a quick look at what version of MongoDB Omada uses says v4, which I would hope means you could be running 4.4, which is good until early 2024 at least ;)

                                            mcury @johnpoz

                                            @johnpoz said in Unifi APs PPSK function:

                                            it says v4, which I would hope means you could be running 4.4, which is good until early 2024 at least ;)

                                            One more reason to go for Omada APs..

                                            Today I'll check their controller and their AP line, perhaps take a look at their switches too.
                                            I need better coverage here in my house, and since my house is my lab, that will give me more options to use with some customers, which is always good.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.