This little-known WiFi feature is AWESOME! Multiple VLANs on a single SSID - Ruckus DPSK

  • Published 1 Jun 2024
  • In this video we take a look at a feature that many WiFi access points support but is not particularly well known or widely used - the ability to have a single SSID with multiple PSKs/passwords where the device gets dropped onto a different VLAN based on the key used. This goes under many different names depending on the access point vendor - Ruckus call it DPSK, however other vendors call it PPSK, MPSK or IPSK.
    Buy the Ruckus R650 on Amazon (Affiliate): geni.us/EMMT3U
    www.camerongray.me/
    / camerongray1515
    Chapters:
    00:00 - Introduction
    02:00 - Why would you need it?
    03:50 - Why not WPA2-Enterprise?
    06:51 - Demonstration
    08:22 - DPSK Configuration under Ruckus Unleashed
    18:40 - Conclusion
  • Science and Technology

COMMENTS • 47

  • @cdoex1 8 months ago +10

    Ruckus actually managed to get a patent for this “feature” 10+ years ago so everybody else, including UniFi, does the same thing using radius and their own radius/id server to work around the patent. (Usually in an inconvenient way)

    • @JessicaFEREM 8 months ago

      another patent ruining everything for 99% of people

  • @beauregardslim1914 8 months ago +5

    I actually do have every light bulb MAC in my DHCP database. Not for security (MAC cloning is trivial), but I like to be able to assign host names and easily identify devices for debugging.

  • @boedilllard5952 5 months ago

    Thanks for showing this in UNLEASHED. So many of these videos assume you own an entire Ruckus network - firewall, controller, switches, hvac, condiments...

  • @gayfacee921 8 months ago +1

    Just tested this with my TP-Link Omada setup. Works exactly the same as shown with the ruckus APs. Never knew this was a thing. Thanks for sharing :)

  • @yelluculley 8 months ago +8

    Looks like this is another reason to get rid of my Ubiquiti UniFi network; they don’t support this cool feature 😢

    • @TheCyanBird 8 months ago +1

      They just added it in the latest EA of unifi network yesterday hilariously enough

  • @darkestshadownz3889 8 months ago

    Unifi does indeed have this feature if you get the recent Early Access controller version

  • @techstuff7414 8 months ago +2

    I use a Cisco 9800 WLC which I have configured to use 802.1x and an external RADIUS server which assigns the VLAN for each user. Does anyone know if Cisco supports this method where you use PSK rather than 802.1x? I've been unable to find anything.
    Edit: You sort of can, but you need to hard code every single MAC address that will be connecting... That makes it pretty much useless.

  • @arthurand1006 8 months ago

    First of all, thanks for the video!
    I have never heard of that functionality running on top of WPA2 PSK. I have run WPA2 Enterprise at home for years with a RADIUS server on OpenWRT, and all APs also run OpenWRT with dynamic VLAN enabled. So I built a web interface to manage the users, so I can create, edit, disable, etc. But I have some separate WPA2 PSK networks for "dumb devices" that don't support WPA2 Enterprise. So your method is so much simpler and supported by any client.
    I searched around and it doesn't seem to be supported on OpenWRT yet; I wonder when it will be.

  • @dheeoo 3 months ago

    Excellent!!!!

  • @coryliddell7636 8 months ago

    Hey man, enjoy watching your videos! Do you have any content that can help explain gigabit networking? Just moved home and wanna get the most out of my gig speeds with my ISP and want to learn more about bottlenecks etc. Many Thanks 👍

  • @JasonsLabVideos 8 months ago +1

    You can do this with the new Alta Labs APs too, along with different passwords and use same SSID. Pretty sweet too!!

    • @camerongray1515 8 months ago +1

      The Alta Labs APs were the first time I heard about this sort of functionality which prompted me to seek out which other brands also offered it. Unfortunately, until Alta Labs release a local controller and demonstrate an ongoing commitment to support it long term, they aren't something I'd be using, as nice as the hardware looks.

  • @tinkerj5528 5 months ago

    Liked the video but, after it is set up, how do you actually use it? Could you show us some practical examples?

  • @EmilePolka 1 month ago

    You can also do the same thing with AP/WiFi routers that support OpenWrt; you just need to replace the wpad-basic with a full version of wpad, something like wpad-wolfssl.
    After that it's just a matter of adjusting the wireless configuration file on OpenWrt via CLI. Unfortunately it still doesn't have some sort of LuCI interface for it, so it's not yet configurable via a web admin page of some sort.
    The good thing with how OpenWrt handles this is that it doesn't rely on a RADIUS server and it all works on the device itself. In short, you don't need a controller for it to work.

  • @NorthernMonkeeUK 7 months ago

    I see Ubiquiti have caught up and PPSK is now in release candidate for unifi network... finally!

  • @jackipiegg 8 months ago +2

    Question, does DPSK have an ONLY 5GHz feature?
    E.g.
    only 5GHz for password=abcd
    only 2.4GHz for password=1234
    I wouldn't want my devices to jump to 2.4GHz at all, those are only for IoT devices.

    • @camerongray1515 8 months ago

      Not that I'm aware of, for that you'd need to create different SSIDs. That said, I've always just stuck to a single SSID for both bands and used the band steering feature (Ruckus call it band balancing) to direct 5GHz capable clients to the 5GHz band. This has the benefit that if a client moves too far away for a reliable 5GHz connection it can automatically drop down to 2.4GHz.

    • @jackipiegg 8 months ago +1

      @camerongray1515
      That's the very thing I want to avoid. 5GHz at the lowest signal is still much faster than 2.4GHz at its strongest.

  • @robwilliams-the-one-the-only 2 months ago

    Great video, thanks. I was following along with my Ruckus 7150 and when I got to WLAN Priority under advanced options, my Enable Dynamic VLAN option was grayed out and I could not set it. Any ideas what I need to do to enable that?

  • @DAVIDGREGORYKERR 8 months ago

    25 Characters would be excellent and very secure, some hotels use a phrase like 'colour bushey sure fab' to give access to the internet but expires after a week.

  • @user-zr7kz4vs7c 8 months ago

    Hi, are there any pros and cons when using DPSK?

  • @dr3wster 8 months ago

    From what I hear, this isn't compatible with WPA3? Someone correct me if I'm wrong? This is a bit of a dealbreaker for me as it limits adoption of WPA3 for devices that now support it.

  • @shaung638 5 months ago

    What version of Unleashed were you using in this video? I don't have a place to input the VLAN ID and after doing some reading some of the Unleashed versions broke this feature.

    • @camerongray1515 5 months ago

      I'm currently running 200.14.6.1.203 and it seems to be fine. Whereabouts are you not seeing the VLAN option? On the PSK creation page in browser or in the CSV template once you've downloaded it to do a batch upload?

    • @shaung638 5 months ago

      I don't seem to have a VLAN option in either place and as far as I know I have everything set up on the SSID page. I am on an older Unleashed version so I think I will try using the same one as you in the video.
      Edit: Updated and now all the options are there and working.

  • @chenks76 7 months ago

    PPSK has now been rolled out to UniFi, however it's restricted to WPA2 and you can't use it if using WPA3, and also only on 2.4GHz/5GHz. I assume this is not a UniFi limitation; is this also the case with the Ruckus?

    • @camerongray1515 7 months ago +1

      Interesting - I'm actually about to work on a video looking at UniFi's PPSK. Thanks for pointing out the 6GHz limitation, I'll be sure to shout you out for that in the video - I'd be testing it out with a WiFi 5 NanoHD so I'd have never noticed this! Ruckus is similar in that DPSK only works with WPA2 and as far as I can tell, 6GHz requires WPA3 hence why it doesn't support PPSK. It does make me wonder if PPSK/DPSK's technology's days are numbered or if there is some way to get it to work with WPA3 going forwards. I can see some mention online of Ruckus introducing WPA3 DPSK compatibility on their WiFi 6E access points, however the documentation is pretty terrible so I can't see whether it'll work the exact same as I have here or whether it works differently.

    • @chenks76 7 months ago

      @camerongray1515 I guess the question is, does being able to use PPSK trump being able to use WPA3 and 6GHz? I guess at this point probably not, but I'd rather be able to use WPA3, I think.

    • @camerongray1515 7 months ago

      Yeah - it does seem like a shame and if I had a WiFi 6E AP I wouldn't want to miss out on the 6GHz band for PPSK! What I could see as a reasonable compromise would be to have a pair of SSIDs - one using WPA3 across all bands for your main LAN for your regular devices. Then having a second SSID set up for PPSK on the 2.4 and 5GHz bands using WPA2. This second SSID could then be used for things that you'd want to use PPSK for (guests, IoT devices, cameras, etc.)

  • @tramcrazy 8 months ago +4

    It seems like those newer Alta Labs access points primarily use DPSK rather than multiple SSIDs. It’s a really cool idea!
    Another issue with MAC-based authentication more generally is so-called ‘Private Wi-Fi Addresses’, which I think are most common on Apple devices. In this case the device randomises the MAC address for each network it connects to making these protocols much more difficult to use. It also disrupts the user experience for them to have to turn off that option specifically.

    • @JacksonCampbell 7 months ago

      Randomized MAC address has been default on Android for years.

  • @mmaximko 8 months ago +1

    Anything like that on MikroTik?

    • @mihumono 8 months ago +1

      Yes, but I think it is only possible with a separate RADIUS server. Apalrd's adventures had a video on that. Tall paul tech has one on Aruba (RADIUS needed). Setting it up on OpenWrt is also possible, no GUI yet though, and RADIUS also needed.

  • @ExtremeGamer9951 8 months ago

    What would the separate VLANs be useful for in a home setting?

    • @takeguard 8 months ago

      Realistically you want to separate things like smart home/IoT equipment from everything else as an example.

    • @camerongray1515 8 months ago

      Yeah, while it's not absolutely essential, it's nice to be able to separate out things. For example, I have a separate network for guests that can't access certain things, and a separate IoT network for devices that I don't necessarily trust the security of. I then have a second IoT VLAN for IoT devices that only require LAN access and do not need access to the internet - these are very off-brand devices that I don't trust the security of so stopping them from accessing the internet feels like a good idea. Additionally, if you have outdoor IP cameras, it's not the worst idea to isolate them to their own VLAN rather than having a bunch of network cables on your main network accessible on the outside of the property. Of course, the risk of not isolating devices in this way in a home environment is relatively low, however I always like to run my home network in the same way that I would if it was being used by a business - I'd rather overengineer it from a security perspective than underengineer it.