Most wireless vendors have a solution around using unique PSKs for client devices. Recently I had a chance to do a little deep dive into the solution provided by Mist. I am going to look at the following features:
- Creating an SSID ready for MPSKs
- Ability to create MPSK
- Ability to assign VLANs (this is a really cool feature)
- Ability to import/migrate from other vendors
Creating an SSID:
Creating an SSID is really straight forward with minor changes under the Security section. Choose –> WPA-2/PSK with multiple passphrases; choose configure as a personal WLAN if you want to secure it even further.
Next under the VLAN section; choose –> List and type the VLANs you will be assigning. That is it. You are done creating an SSID for MPSK.
Creating an MPSK:
Under Organization and Pre-Sharedkey is where MPSKs can be created:
There are multiple ways this can be accomplished:
- Add Key – Will allow you to add a single key
- Import – Will allow you to import a csv file
- APIs – Utilize APIs to create keys.
Add Key:
I am able to add keys one by one as shown below. Each can be assigned to multiple users and/or a single user. Works great for IoT devices. One of the coolest feature in here I like is the ability to assign the VLAN based on the passphrase and key for the same SSID. NOTE: RADIUS can be utilized for these keys but in my case I am utilizing local keys with no RADIUS server.
Import Keys:
Importing keys is great when there is a need to add multiple keys. I would not want to add 100’s of keys one by one. Instead I can simply utilize a CSV file to import the keys. This is also useful when you are looking to migrate from another vendor and their legacy solution. Note that it actually allows a sample file download:
I simply created two keys using the CSV file. All I had to do was to drag and drop them in the Mist UI. NOTE: If there is an error Mist UI will tell you what is wrong. In my case I did not name the keys long enough, minimum is five.
Final result after importing the file:
Now I have a single SSID with two MPSKs assigned to two different VLANs. Let’s test out the connectivity. Here is my VLAN mapping:
- SSID: iot_stuff
- VLAN20 – 192.168.20.0/24
- VLAN30 – 192.168.30.0/24
In part two of this series I will continue with some deep dive and additional tips.
Does it need an additional subscription for the following feature to show up?
i.e. under org > pre shared keys
If yes what is the SKU and price?
As far as I know you do not need any special subscription for this feature. You can configure it using APIs, but if you want to do it from the UI you have to contact support and have them enable that feature.
How do you use the RADIUS feature for the PSKs? Is it a VSA?
I haven’t had a chance to test this out yet. As soon as I get some time I will. Here is a related link if you want to give it a shot. https://www.mist.com/documentation/mist-radius-attributes/
The only PSK options I have are in the Site not org. I cant seem to bulk import here either. We also can’t set max usage. As id like to be able to set up say 5 devices per PSK
What firmware are you running?
Sorry for the late response, you may have the answer already. But site level should allow you to import as well. Looking at the site level mpsk I see an import option. For the Org level you may have to just contact Mist support to add a tag for you. I got 0.10.