Private PSK (PPSK) feature on hostapd

  • The PPSK feature in hostapd gives the user the choice of providing the PPSKs using a file or using RADIUS.
  • Having the option of supplying the PPSKs in a text file allows for quick and simplified deployments.

  • We assume you are familiar with the UCI system in OpenWrt.
  • Configure an SSID with a WPA2 pre-shared key.
config wifi-iface 'two'
   option ifname 'two0'
   option disabled '0'
   option encryption 'psk2'
   option isolate '0'
   option key '12345678'
   option mode 'ap'
   option network 'lan'
   option device 'radio0'
   option hidden '0'
   option ssid 'RADIUSdesk'
  • Next we replace the key, which is a single value (12345678), with a file containing multiple keys.
config wifi-iface 'two'
   option ifname 'two0'
   option disabled '0'
   option encryption 'psk2'
   option isolate '0'
   #option key '12345678'
   option wpa_psk_file '/etc/psk.list'
   option mode 'ap'
   option network 'lan'
   option device 'radio0'
   option hidden '0'
   option ssid 'RADIUSdesk'
  • Here are the contents of the /etc/psk.list file:
# Special MAC address 00:00:00:00:00:00 can be used to configure PSKs that
# anyone can use.
00:00:00:00:00:00 highwaystar
00:00:00:00:00:00 blacknight
00:00:00:00:00:00 smokeonthewater
00:00:00:00:00:00 picturesofhome
00:00:00:00:00:00 childintime
  • Restart the WiFi network
wifi down
wifi up
  • hostapd now walks the list in the PSK file and looks for a matching entry whenever a client tries to connect to the SSID.

  • The first section covered a very basic PPSK implementation.
  • This section will look at more advanced options including MAC and VLAN association with certain keys.
  • You can also visit this forum discussion, which is where most of the information comes from.
  • If we look at the comments in the sample psk.list file, we see the following:
# List of WPA PSKs. Each line, except for empty lines and lines starting
# with #, must contain a MAC address and PSK separated with a space.
# Special MAC address 00:00:00:00:00:00 can be used to configure PSKs that
# anyone can use. PSK can be configured as an ASCII passphrase of 8..63
# characters or as a 256-bit hex PSK (64 hex digits).
00:11:22:33:44:55 paperplane
  • The 256-bit hex alternative is a hash derived from the passphrase and the specific SSID the user will be connecting to, so it is tied to that SSID.
  • You can generate the value using this online JavaScript-based utility from Wireshark: https://www.wireshark.org/tools/wpa-psk.html
  • If you specify a specific MAC address for a certain device, keep the following in mind.
    • The MAC address is that of the WiFi radio trying to connect to the SSID, NOT the MAC address of, for instance, a laptop's Ethernet interface.
    • If your phone's WiFi supports both 2.4G and 5G, the device typically has a radio for each frequency band, and therefore a MAC address for each radio.
    • Also remember that recent Android and Apple phones support MAC randomisation, which may also cause the MAC address to change.
  • If we look further at the comments in the sample psk.list file, we also see the following:
# An optional VLAN ID can be specified by prefixing the line with
# vlanid=<VLAN ID>.
vlanid=3 00:00:00:00:00:00 blueforyou
vlanid=4 00:00:00:00:00:00 piledriver
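The following is an added example, not hostapd's or OpenWrt's own code. It covers the two things described above: the wpa_psk_file line format quoted from the sample comments (a MAC address plus either an 8..63 character ASCII passphrase or a 64 hex digit PSK, with an optional vlanid= prefix) and the hex PSK derivation that the Wireshark tool performs (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes of output). The function names, the sample SSID and the constructed entries are assumptions; the entries reuse the values from the page.

```python
import hashlib
import re
from typing import List, Optional

# Added example, not hostapd or OpenWrt code. Models the wpa_psk_file format
# quoted above and the hex PSK derivation the Wireshark tool performs.
# Function names, the sample SSID and the constructed entries are assumptions.

ANY_MAC = "00:00:00:00:00:00"            # the "anyone can use" wildcard
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit PSK from passphrase and SSID and return 64 hex digits.

    WPA/WPA2 personal derives the PSK as PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations and 32 bytes of output, so the value is only valid
    for that one SSID.
    """
    if not (8 <= len(passphrase) <= 63 and passphrase.isascii()):
        raise ValueError("passphrase must be 8..63 ASCII characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return psk.hex()


def psk_line(key: str, mac: str = ANY_MAC, vlan: Optional[int] = None) -> str:
    """Format one wpa_psk_file line: [vlanid=N ]<MAC> <passphrase or hex PSK>."""
    prefix = f"vlanid={vlan} " if vlan is not None else ""
    return f"{prefix}{mac} {key}"


def build_psk_list(ssid: str) -> str:
    """Constructed sample file: the entries from the page plus one hex entry."""
    lines = [
        "# constructed sample wpa_psk_file",
        psk_line("paperplane", mac="00:11:22:33:44:55"),
        psk_line("blueforyou", vlan=3),
        psk_line("piledriver", vlan=4),
        psk_line(wpa_psk_hex("highwaystar", ssid)),   # hex form of a passphrase
    ]
    return "\n".join(lines) + "\n"


def parse_psk_list(text: str) -> List[dict]:
    """Parse wpa_psk_file contents, raising ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # empty lines and comments are skipped
        vlan = None
        if line.startswith("vlanid="):
            head, _, line = line.partition(" ")
            vlan = int(head[len("vlanid="):])
        mac, _, key = line.partition(" ")
        mac = mac.lower()
        key = key.strip()
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC address {mac!r}")
        if HEX_PSK_RE.match(key):
            kind = "hex"
        elif 8 <= len(key) <= 63 and key.isascii() and key.isprintable():
            kind = "passphrase"
        else:
            raise ValueError(f"line {lineno}: key must be 8..63 ASCII chars or 64 hex digits")
        entries.append({"mac": mac, "key": key, "kind": kind, "vlan": vlan})
    return entries


if __name__ == "__main__":
    sample = build_psk_list("RADIUSdesk")
    print(sample)
    for entry in parse_psk_list(sample):
        print(entry)
```

Running the script with the sample SSID prints the constructed file and its parsed entries. Because the hex form is bound to the SSID, deriving the same passphrase for a different SSID gives a different 64-digit value, which is why a hex entry copied from one network's psk.list will not work on another.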
  • With the hostapd VLAN tagging feature there are a few extra steps we need to take for it to work as intended.

  • This section will describe how to implement RADIUS based PPSK on OpenWrt.
  • The key part to enable RADIUS based PPSK lies in the following setting in hostapd.conf.
# Optionally, WPA passphrase can be received from RADIUS authentication server
# This requires macaddr_acl to be set to 2 (RADIUS) for wpa_psk_radius values
# 1 and 2.
# 0 = disabled (default)
# 1 = optional; use default passphrase/psk if RADIUS server does not include
#	Tunnel-Password
# 2 = required; reject authentication if RADIUS server does not include
#	Tunnel-Password
# 3 = ask RADIUS server during 4-way handshake if there is no locally
#	configured PSK/passphrase for the STA
#
# The Tunnel-Password attribute in Access-Accept can contain either the
# 8..63 character ASCII passphrase or a 64 hex character encoding of the PSK.
#
#wpa_psk_radius=0
  • Option 3 was added recently and is of great help here.
  • OpenWrt generates the hostapd config files with the help of the /lib/netifd/hostapd.sh script.
  • This script in turn reads and interprets the /etc/config/wireless file to get the information needed to formulate the hostapd config files.
  • The hostapd.sh script currently sets the wpa_psk_radius value to 2 when option ppsk '1' is set in /etc/config/wireless.
  • A better option would be to set it to 3.
  • We can look for this section in hostapd.sh
if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then
	json_get_vars auth_secret auth_port
	set_default auth_port 1812
	json_for_each_item append_auth_server auth_server
	append bss_conf "macaddr_acl=2" "$N"
	append bss_conf "wpa_psk_radius=2" "$N"
elif [ ${#key} -eq 64 ]; then
  • And change it to:
if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then
	json_get_vars auth_secret auth_port
	set_default auth_port 1812
	json_for_each_item append_auth_server auth_server
	append bss_conf "macaddr_acl=2" "$N"
	append bss_conf "wpa_psk_radius=3" "$N"
elif [ ${#key} -eq 64 ]; then
  • We will look at the reason why in the next section.
  • When wpa_psk_radius=2 or wpa_psk_radius=3 the first request from hostapd to the RADIUS server will look like this:
(9) Received Access-Request Id 48 from 44.88.212.194:47297 to 164.160.89.129:1812 length 160
(9)   User-Name = "ae0cd4e2c5ab"
(9)   User-Password = "ae0cd4e2c5ab"
(9)   NAS-Identifier = "m_hosta_51_74"
(9)   Called-Station-Id = "64-64-4A-D1-2D-69:PPSK-1"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Calling-Station-Id = "AE-0C-D4-E2-C5-AB"
(9)   Connect-Info = "CONNECT 11Mbps 802.11b"
(9)   Message-Authenticator = 0xeefd284dc6cf79df258e03b84791c2b8
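The request above, as an added example that is not part of the original page nor hostapd or FreeRADIUS code: it parses those debug lines, checks that the station MAC appears consistently (User-Name and User-Password carry the bare lowercase MAC, Calling-Station-Id the dashed form), looks up the per-device PSK the Access-Accept would return in Tunnel-Password, and models the wpa_psk_radius values quoted from hostapd.conf earlier on this page. The function names and the per-device table are assumptions; the sample request is the one shown above, embedded as a constructed string.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not hostapd or FreeRADIUS code. Constructed sample: the
# Access-Request debug lines shown above, embedded as a string so the
# example runs offline.
SAMPLE_REQUEST = """\
(9) Received Access-Request Id 48 from 44.88.212.194:47297 to 164.160.89.129:1812 length 160
(9)   User-Name = "ae0cd4e2c5ab"
(9)   User-Password = "ae0cd4e2c5ab"
(9)   NAS-Identifier = "m_hosta_51_74"
(9)   Called-Station-Id = "64-64-4A-D1-2D-69:PPSK-1"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Calling-Station-Id = "AE-0C-D4-E2-C5-AB"
(9)   Connect-Info = "CONNECT 11Mbps 802.11b"
(9)   Message-Authenticator = 0xeefd284dc6cf79df258e03b84791c2b8
"""

# One attribute line: '(id)   Name = "quoted value"' or '(id)   Name = bareword'
ATTR_RE = re.compile(r'^\(\d+\)\s+([A-Za-z0-9-]+) = (?:"([^"]*)"|(\S+))$')


def parse_request(debug_text: str) -> Dict[str, str]:
    """Collect attribute name/value pairs from FreeRADIUS debug output."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return attrs


def normalise_mac(mac: str) -> str:
    """Turn 'AE-0C-D4-E2-C5-AB', 'ae0cd4e2c5ab' or 'ae:0c:..' into 'ae:0c:d4:e2:c5:ab'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def station_and_ssid(attrs: Dict[str, str]) -> Tuple[str, str]:
    """Return (station MAC, SSID) after sanity-checking the PPSK request shape."""
    user = normalise_mac(attrs["User-Name"])
    calling = normalise_mac(attrs["Calling-Station-Id"])
    if user != calling:
        raise ValueError("User-Name does not match Calling-Station-Id")
    if attrs.get("User-Password") != attrs["User-Name"]:
        raise ValueError("User-Password should equal User-Name for a PPSK lookup")
    # Called-Station-Id is "<BSSID>:<SSID>"; a PSK is tied to the SSID
    ssid = attrs["Called-Station-Id"].split(":", 1)[1]
    return user, ssid


def tunnel_password_for(attrs: Dict[str, str],
                        device_psks: Dict[Tuple[str, str], str]) -> Optional[str]:
    """The Tunnel-Password an Access-Accept would carry, or None if the station is unknown."""
    return device_psks.get(station_and_ssid(attrs))


def hostapd_psk_choice(wpa_psk_radius: int, local_psk: Optional[str],
                       radius_psk: Optional[str]) -> Optional[str]:
    """Model the wpa_psk_radius semantics from the hostapd.conf comment above.

    Returns the PSK hostapd would use, or None where it rejects the station.
    """
    if wpa_psk_radius == 0:                 # RADIUS never consulted
        return local_psk
    if wpa_psk_radius == 3:                 # RADIUS only if nothing local matches
        return local_psk if local_psk is not None else radius_psk
    if radius_psk is not None:              # modes 1 and 2: RADIUS answer wins
        return radius_psk
    return local_psk if wpa_psk_radius == 1 else None   # 1 falls back, 2 rejects


if __name__ == "__main__":
    # Constructed per-device table: (station MAC, SSID) -> passphrase or hex PSK
    table = {("ae:0c:d4:e2:c5:ab", "PPSK-1"): "paperplane"}
    req = parse_request(SAMPLE_REQUEST)
    print(tunnel_password_for(req, table))
    print(hostapd_psk_choice(2, "12345678", None))
```

The lookup is keyed by (MAC, SSID) because a hex PSK is only valid for the SSID it was derived for, and the SSID is available in Called-Station-Id. The consistency check between User-Name, User-Password and Calling-Station-Id is a cheap way to spot requests that did not come from hostapd's PPSK flow before handing out a key.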
  • RADIUS will then typically reply with an Acces
  • Last modified: 2024/04/22 07:49 by system