Private PSK (PPSK) feature on hostapd

• The PPSK feature in hostapd gives the user the choice of providing the PPSKs using a file or using RADIUS.
• Having the option of supplying the PPSKs in a text file allows for quick and simplified deployments.

• We assume you are familiar with the UCI system in OpenWrt.
• Configure a SSID with WPA2 pre shared key.

config wifi-iface 'two'
   option ifname 'two0'
   option disabled '0'
   option encryption 'psk2'
   option isolate '0'
   option key '12345678'
   option mode 'ap'
   option network 'lan'
   option device 'radio0'
   option hidden '0'
   option ssid 'RADIUSdesk'

• Next we will replace the key which is a single value (12345678) with a file with multiple keys.

config wifi-iface 'two'
   option ifname 'two0'
   option disabled '0'
   option encryption 'psk2'
   option isolate '0'
   #option key '12345678'
   option wpa_psk_file /etc/psk.list
   option mode 'ap'
   option network 'lan'
   option device 'radio0'
   option hidden '0'
   option ssid 'RADIUSdesk'

• Here is the contents of the /etc/psk.list file

# Special MAC address 00:00:00:00:00:00 can be used to configure PSKs that
# anyone can use.
00:00:00:00:00:00 highwaystar
00:00:00:00:00:00 blacknight
00:00:00:00:00:00 smokeonthewater
00:00:00:00:00:00 picturesofhome
00:00:00:00:00:00 childintime

• Restart the WiFi network

wifi down
wifi up

• hostapd will now go through the list in the PSK file and see if it can find a match when someone tries to connect to the SSID.

• The first section covered a very basic PPSK implementation.
• This section will look at more advanced options including MAC and VLAN association with certain keys.
• You can also visit this forum discussion which is where most of the info comes from.

• If we look at the comments of the sample psk.list file we see the following

# List of WPA PSKs. Each line, except for empty lines and lines starting
# with #, must contain a MAC address and PSK separated with a space.
# Special MAC address 00:00:00:00:00:00 can be used to configure PSKs that
# anyone can use. PSK can be configured as an ASCII passphrase of 8..63
# characters or as a 256-bit hex PSK (64 hex digits).
00:11:22:33:44:55 paperplane

• The 256-bit hex value alternative is a hash that includes the specific SSID a user will be connecting to.
• You can generate the value using this online JavaScript based utility from WireShark.(https://www.wireshark.org/tools/wpa-psk.html)
• If you specify a specific MAC Address for s certain device, keep the following in mind.
  • The MAC Address is the MAC Address of the WiFi radio trying to connect to the SSID and NOT the MAC Address of the Ethernet interface of a laptop for instance.
  • If your phone has WiFi that supports both 2.4G and 5G, the device typically have a radio for each frequency band and then also a MAC Address for each radio.
  • Also remember there is a recent feature on Android and Apple phones of MAC randomisation which might also cause the MAC Address to change.

• If we look at the comments of the sample psk.list file also we see the following

# An optional VLAN ID can be specified by prefixing the line with
# vlanid=<VLAN ID>.
vlanid=3 00:00:00:00:00:00 blueforyou
vlanid=4 00:00:00:00:00:00 piledriver

• With the VLAN tagging feature off hostapd there is a few extra steps we need to do for it to work as intended.

——