In a recent project, we were asked how we could have data segregated between different organisations using the same access point and supported by a different independent switching infrastructure.
This is actually far more common than not, as network refresh cycles can be driven by best-of-breed technology choices or by technologies inherited through merger activity. In situations where you are mixing different vendors' technologies, it’s important to ensure the partner you are working with understands how the integration will work – not just today, but in the future.
The answer included NAC, VLAN, VRF, ACL and a whole bunch of other acronyms, but I don’t want to give everything away. As we were using the Extreme Networks XIQ solution, there is one other I will mention: PPSK, or Private Pre-Shared Key.
PPSK is something I used to talk about when answering the question “why should I choose Aerohive to replace my existing wireless vendor”. This is a valid question, as there are a lot of network vendors and they all have features and benefits. When Extreme Networks acquired Aerohive we had a lot more to talk about, with a full Cloud-to-Edge portfolio of products. However, PPSK is still relevant to the conversation.
Some customers have already implemented 802.1X, or don’t have those legacy devices or IOT devices on the network. As such, they don’t have a need for 802.1X implementation and don’t have a need for WPA2 Personal (pre-shared key) security on their wireless network. Fantastic, that’s one less complexity for the project. For others though, they can see the advantage of PPSK over standard pre-shared key implementations and want to learn more about how it can help.
Some potential issues with standard PSK (WPA2 Personal)
The key is the same for all devices connecting to the SSID/WLAN. This means that if the key is compromised, anyone who has it can connect to the wireless network. It also means that if an employee leaves, or you have to change the key for any other reason, you have to change it on every device that connects to that SSID/WLAN. Not the end of the world, but an inconvenience that neither IT nor the end users need.
Identity can be hard to determine since every device is using the same key. You could keep a running list of MAC addresses and use that to determine who a given device belongs to, but that creates an administrative burden and asking Dave in logistics what his MAC address is sounds like the start of a conversation you know you’re going to regret having.
Why not use 802.1X?
Without getting too technical, 802.1X (WPA2 Enterprise) is more secure than pre-shared key (WPA2 Personal). The issue of keys getting compromised is taken care of through the use of dynamic encryption keys. These are derived during the authentication process and are never known to the user of the wireless client authenticating with 802.1X. Identity is also very easy to determine when devices authenticate with 802.1X, so troubleshooting is a lot easier.
Logically then, every device should authenticate with 802.1X rather than use a pre-shared key. However, this doesn’t occur for a number of reasons. First, 802.1X is not the easiest thing to implement. The IT world is not overflowing with people who know how to set up authentication back ends using RADIUS, certificates, directory services, etc.
Not all devices support 802.1X. While the large majority of laptops, tablets, and smart phones support 802.1X, there are literally billions (and more each day) of devices that don’t have 802.1X capabilities. The vast majority of IoT devices, older devices with outdated network stacks, and highly specialised devices with an incompatible OS (such as some medical equipment) simply can’t integrate into an 802.1X network.
PPSK technology bridges the gap between the standard PSK implementation and 802.1X. You still use pre-shared keys to access the network, but under a single SSID/WLAN you can have a range of different keys. Each client device, or group of devices, can have its own unique key (your choice). Whether you need one key, one hundred keys, one thousand keys, or more, they can all exist under a single SSID/WLAN.
So what about that earlier situation where a shared key gets compromised? You can simply invalidate that one key. You don’t have to change the key on all the other devices using the same SSID/WLAN, since each of them is using its own unique personal key. As identity is tied to the key being used, you know who is connecting to the network based on the uniqueness of their key, in the same way that certificates or usernames and passwords are used to determine identity with 802.1X.
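To make the "identity is tied to the key" point concrete, here is an added simulation (not XIQ or Aerohive code) of how an access point holding many keys under one SSID can work out which key a client used from the WPA2 4-way handshake alone: the client never announces its key, so the AP derives the PMK for each active key, recomputes the message 2 MIC and keeps the identity of the key that matches. The PMK, PRF-384 and MIC derivations follow IEEE 802.11i; the SSID, key names, MAC addresses and the message 2 body are constructed placeholders, and the assumption that a PPSK product identifies keys this way is mine.

```python
"""Constructed PPSK simulation: one SSID, many keys, identity found from the handshake MIC."""
import hashlib
import hmac

SSID = b"corp-ppsk"  # constructed sample SSID


def pmk_from_passphrase(passphrase: str, ssid: bytes = SSID) -> bytes:
    # WPA2 Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # 802.11i PRF-384 over the two MACs and nonces; the first 16 bytes of the PTK are the KCK
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion" + b"\x00"
    ptk = b"".join(hmac.new(pmk, label + data + bytes([i]), hashlib.sha1).digest() for i in range(3))
    return ptk[:16]


def eapol_mic(kck: bytes, msg2: bytes) -> bytes:
    # WPA2/CCMP key descriptor: MIC = first 16 bytes of HMAC-SHA1 over message 2 with the MIC field zeroed
    return hmac.new(kck, msg2, hashlib.sha1).digest()[:16]


class PpskSsid:
    """One SSID whose keys each map to an identity (assumed data model, not a vendor's)."""

    def __init__(self):
        self.keys = {}  # passphrase -> [identity, active]

    def add(self, passphrase: str, identity: str) -> None:
        self.keys[passphrase] = [identity, True]

    def revoke(self, passphrase: str) -> None:
        self.keys[passphrase][1] = False  # invalidate one key; every other key keeps working

    def identify(self, aa, spa, anonce, snonce, msg2, mic):
        # Trial each active key's PMK against the client's MIC; the matching key names the device
        for passphrase, (identity, active) in self.keys.items():
            if not active:
                continue
            kck = derive_kck(pmk_from_passphrase(passphrase), aa, spa, anonce, snonce)
            if hmac.compare_digest(eapol_mic(kck, msg2), mic):
                return identity
        return None  # unknown or revoked key: association is rejected


def client_handshake(passphrase: str, aa, spa, anonce, snonce):
    """Client side of message 2: placeholder frame body plus the MIC computed from its own key."""
    msg2 = b"EAPOL-Key msg2 " + snonce  # stand-in for the real frame with the MIC field zeroed
    kck = derive_kck(pmk_from_passphrase(passphrase), aa, spa, anonce, snonce)
    return msg2, eapol_mic(kck, msg2)
```

The trial loop costs one PBKDF2 run per active key, which is why a PPSK SSID with very many keys is a capacity question for the AP and not just a policy one.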
With XIQ, you can have your 802.1X SSID, your guest network and a catch-all PPSK SSID for anything that would otherwise connect with a shared pre-shared key. So PPSK provides you with more choice without introducing more complexity.
What about the future?
Post-acquisition by Extreme, I then got to talk about Fabric and the LAN side of things. Extreme’s Campus Fabric technology is ideally suited to providing a flexible, agile and secure network in a multi-tenanted environment. Fabric allows a ‘service’, for example a VLAN for one of the on-site organisations, to be automatically provisioned when one of that organisation’s devices associates to an AP.
With Fabric there is no need to configure each organisation’s VLAN end-to-end across the Core/Distribution/Edge devices; this is performed automatically within the Fabric using Shortest Path Bridging (SPB). Fabric is going to be introduced into XIQ for the latest generation of APs shortly, so the conversation is constantly evolving.