Most wireless vendors offer a solution for using unique PSKs for client devices. Recently I had a chance to do a little deep dive into the solution provided by Mist. I am going to look at the following features:
- Creating an SSID ready for MPSKs
- Ability to create MPSK
- Ability to assign VLANs (this is a really cool feature)
- Ability to import/migrate from other vendors
Creating an SSID:
Creating an SSID is really straightforward, with minor changes under the Security section. Choose –> WPA-2/PSK with multiple passphrases; choose "configure as a personal WLAN" if you want to secure it even further.
Next, under the VLAN section, choose –> List and type the VLANs you will be assigning. That is it. You are done creating an SSID for MPSK.
Creating an MPSK:
MPSKs can be created under Organization and Pre-Shared Key:
There are multiple ways this can be accomplished:
- Add Key – Will allow you to add a single key
- Import – Will allow you to import a CSV file
- APIs – Utilize APIs to create keys.
I am able to add keys one by one as shown below. Each can be assigned to multiple users and/or a single user. Works great for IoT devices. One of the coolest features in here, and one I like, is the ability to assign the VLAN based on the passphrase and key for the same SSID. NOTE: RADIUS can be utilized for these keys, but in my case I am utilizing local keys with no RADIUS server.
Importing keys is great when there is a need to add multiple keys. I would not want to add hundreds of keys one by one. Instead I can simply utilize a CSV file to import the keys. This is also useful when you are looking to migrate from another vendor and their legacy solution. Note that it actually allows a sample file download:
I simply created two keys using the CSV file. All I had to do was drag and drop them in the Mist UI. NOTE: If there is an error, the Mist UI will tell you what is wrong. In my case I did not name the keys long enough; the minimum is five.
Final result after importing the file:
Now I have a single SSID with two MPSKs assigned to two different VLANs. Let’s test out the connectivity. Here is my VLAN mapping:
- SSID: iot_stuff
- VLAN20 – 192.168.20.0/24
- VLAN30 – 192.168.30.0/24
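When migrating hundreds of keys from another vendor, it helps to check the CSV before dragging it into the UI. The following is an added example, not code from the original post or from Mist: a pre-import check for the name minimum mentioned above, WPA2 passphrase length, VLANs missing from the SSID's VLAN list, and passphrases reused on one SSID. The column names, the sample rows and the reading of "minimum is five" as five characters are assumptions.

```python
import csv
import io

MIN_NAME_LEN = 5           # post reports a minimum of five; assumed to mean characters
PSK_MIN, PSK_MAX = 8, 63   # WPA2-Personal passphrase length limits
SSID_VLANS = {"iot_stuff": {20, 30}}  # VLAN list typed into the SSID's VLAN section

# Constructed sample; the column names are assumptions, not Mist's sample file.
SAMPLE_CSV = """name,ssid,passphrase,vlan_id
cam-lobby,iot_stuff,Tr4il-Mix-Orbit-92,20
hvac,iot_stuff,Copper-Lantern-517,30
badge-rdr,iot_stuff,Tr4il-Mix-Orbit-92,30
printer-2f,iot_stuff,short,20
sensor-01,iot_stuff,Velvet-Harbor-6604,40
"""

def validate_psk_csv(text):
    """Return (line_number, problem) tuples for rows that should not be imported."""
    problems = []
    seen = {}  # (ssid, passphrase) -> line number of first use
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name, ssid = row["name"].strip(), row["ssid"].strip()
        psk, vlan = row["passphrase"], row["vlan_id"].strip()
        if len(name) < MIN_NAME_LEN:
            problems.append((line_no, f"name '{name}' is shorter than {MIN_NAME_LEN}"))
        if not (PSK_MIN <= len(psk) <= PSK_MAX and psk.isascii() and psk.isprintable()):
            problems.append((line_no, "passphrase is not 8-63 printable ASCII characters"))
        if ssid not in SSID_VLANS:
            problems.append((line_no, f"unknown SSID '{ssid}'"))
        elif not vlan.isdigit() or int(vlan) not in SSID_VLANS[ssid]:
            problems.append((line_no, f"VLAN {vlan} is not in the VLAN list of {ssid}"))
        # One passphrase cannot identify two keys (and two VLANs) on the same SSID.
        first = seen.setdefault((ssid, psk), line_no)
        if first != line_no:
            problems.append((line_no, f"passphrase already used on line {first}"))
    return problems

if __name__ == "__main__":
    for line_no, problem in validate_psk_csv(SAMPLE_CSV):
        print(f"line {line_no}: {problem}")
```

The reused-passphrase check matters most for the VLAN feature: two keys that share a passphrase on one SSID give no way to tell which VLAN a joining device belongs to.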
In part two of this series I will continue the deep dive with additional tips.