
Private Pre-Shared Key: Simplified Authentication
Technology Behind the Solution
Organizations planning wireless LANs to support corporate devices, BYOD, and guest access may struggle to find the balance between flexibility and security. Although IEEE 802.1X is the most secure approach to Wi-Fi authentication, it is typically implemented only for devices managed by IT. For BYOD, contractors, or guests, the IT staff may not have the access, time, or knowledge to provision those devices. Pre-Shared Keys, by contrast, offer simplicity; however, with every device sharing the same key across an SSID, the ability to control and monitor individual devices is lost. Additionally, if the key is compromised it must be changed on every single device that uses it, which does not scale.
Benefits
- Simple key creation, distribution, and revocation saves administrator time plus reduces the cost and complexity of using a single PSK or trying to get hard-to-configure devices online using 802.1X.
- Guests can be given unique keys, thereby eliminating the risk of one guest eavesdropping on another. In addition, entering a PSK is often simpler than loading up a captive web portal and entering a username and password.
- If a person leaves the company, classic PSK requires that the key be reset for all users, which can be an IT support burden. With Private PSK, just that one user's key can be revoked.
- Many clients do not support 802.1X, or the latest WPA2 standard with the opportunistic key caching required for fast roaming between APs. With Private PSK, those clients can see significant performance increases when roaming.
- Many legacy clients don't support 802.1X but most will support WPA-PSK. Those clients can be made secure without a costly client and application upgrade.
Wireless LAN Requirement & Features | PSK - WPA/WPA2 Personal | Private PSK - WPA/WPA2 Personal | IEEE 802.1X - WPA/WPA2 Enterprise
---|---|---|---
No complex configuration required for clients | | |
Unique keys per user on a single SSID | | |
Can revoke an individual user's key or credentials when they leave the company or their wireless device is compromised, lost or stolen | | |
Supports different VLAN, QoS, firewall or tunnel policy for different users on the same SSID | | |
Does not require certificates to be installed on clients | | |
Uses 802.11i standard mechanisms for securing the SSID | Depends on client | |
Keys are dynamically created for users upon login to the network and are rotated frequently | | |
Can be used to perform machine authentication | | |
If one user is compromised, no other users' keys can be compromised | | |
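The rows above on unique keys per SSID, per-key revocation and compromise isolation all rest on one property: the access point can tell which issued key a client used, because every WPA2-Personal client proves its key with a MIC in message 2 of the 4-way handshake. The example below is added here for illustration and is not Aerohive's code; it assumes a plain WPA2-Personal (CCMP, key descriptor version 2) handshake, uses a constructed stand-in for the EAPOL-Key frame body, and all SSID names, passphrases, MAC addresses, nonces and user names are invented. It shows a key store holding many keys for one SSID, each with its own VLAN and lifetime, the AP identifying a client by checking the handshake MIC against each still-valid key, and the effect of revoking one key or letting a guest key expire.

```python
"""Added example (not Aerohive code): how an AP can identify which of many
issued PSKs a client used on one SSID, and why revoking one key leaves the
rest intact. All keys, MACs, nonces and names are constructed."""
import hashlib
import hmac
import time

SSID = b"corp-ppsk"        # constructed SSID
PBKDF2_ROUNDS = 4096       # fixed by WPA/WPA2-Personal


def pmk_from_psk(passphrase: str, ssid: bytes = SSID) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, PBKDF2_ROUNDS, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF over PMK, both MAC addresses and both nonces. Produces 64
    bytes; CCMP uses the first 48, and the first 16 of those are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_with_zero_mic: bytes) -> bytes:
    """EAPOL-Key MIC, key descriptor version 2: HMAC-SHA1 over the frame with
    the MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_with_zero_mic, hashlib.sha1).digest()[:16]


def client_message2(passphrase: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """Supplicant side: message 2 body plus the MIC computed with its own PSK.
    The body is a constructed stand-in for a real EAPOL-Key frame."""
    body = b"\x02\x03" + snonce + b"\x00" * 16          # MIC field zeroed
    kck = ptk_from_pmk(pmk_from_psk(passphrase), aa, spa, anonce, snonce)[:16]
    return body, eapol_mic(kck, body)


class PrivatePskStore:
    """One SSID, many keys; each entry carries its own policy and lifetime."""

    def __init__(self, ssid: bytes = SSID):
        self.ssid = ssid
        self.entries = {}   # passphrase -> record

    def issue(self, user, passphrase, vlan, lifetime_s=None, now=None):
        now = time.time() if now is None else now
        self.entries[passphrase] = {
            "user": user, "vlan": vlan, "revoked": False,
            "expires": None if lifetime_s is None else now + lifetime_s,
            # PBKDF2 is the expensive step; cache the PMK once per issued key
            "pmk": pmk_from_psk(passphrase, self.ssid),
        }

    def revoke(self, user):
        """Disable only this user's key; every other entry is untouched."""
        for e in self.entries.values():
            if e["user"] == user:
                e["revoked"] = True

    def identify(self, aa, spa, anonce, snonce, body, client_mic, now=None):
        """AP side: return (user, vlan) for the key that validates the MIC."""
        now = time.time() if now is None else now
        for e in self.entries.values():
            if e["revoked"] or (e["expires"] is not None and now > e["expires"]):
                continue
            kck = ptk_from_pmk(e["pmk"], aa, spa, anonce, snonce)[:16]
            if hmac.compare_digest(eapol_mic(kck, body), client_mic):
                return e["user"], e["vlan"]
        return None


AA = bytes.fromhex("001122334455")     # constructed AP MAC
ANONCE = bytes.fromhex("aa" * 32)      # constructed nonces
SNONCE = bytes.fromhex("bb" * 32)


def demo(now=1_700_000_000):
    store = PrivatePskStore()
    store.issue("alice", "alice-corp-key-9f3", vlan=10, now=now)
    store.issue("bob", "bob-corp-key-27c", vlan=10, now=now)
    store.issue("guest-42", "guest-temp-key", vlan=99, lifetime_s=3600, now=now)

    def attempt(passphrase, spa_hex, at):
        spa = bytes.fromhex(spa_hex)
        body, mic = client_message2(passphrase, AA, spa, ANONCE, SNONCE)
        return store.identify(AA, spa, ANONCE, SNONCE, body, mic, now=at)

    r = {"alice_ok": attempt("alice-corp-key-9f3", "66778899aabb", now)}
    store.revoke("bob")
    r["bob_after_revoke"] = attempt("bob-corp-key-27c", "66778899aacc", now)
    r["alice_still_ok"] = attempt("alice-corp-key-9f3", "66778899aabb", now)
    r["guest_in_window"] = attempt("guest-temp-key", "66778899aadd", now + 600)
    r["guest_expired"] = attempt("guest-temp-key", "66778899aadd", now + 7200)
    r["unknown_key"] = attempt("not-an-issued-key", "66778899aaee", now)
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

Two design points follow from the code. Identification cost grows linearly with the number of issued keys, which is why the store caches each key's PMK: PBKDF2 runs once at issue time and a handshake then costs one PRF and one HMAC per candidate. And because the client's MIC only ever validates against its own key, revoking Bob's entry or letting the guest entry expire changes nothing for Alice, which is the compromise-isolation row of the table in practice.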
Personalized Access
Aerohive's Security Suite
Private PSK - Simple and Secure
A simple yet powerful authentication method:
- Thousands of unique Pre-Shared Keys per user or device within a single SSID
- Customizable security policies per PPSK group including VLAN assignment, time of day access, bandwidth allocation, and firewall settings
- Revoke a single key without affecting the rest of the network
- Self-registration against AD for personal BYOD
- Time-based key validity for guest access
Application Visibility and Control
Provides IT with visibility and granular control over mobile applications:
- Prioritization and control of specific applications based on user and device identity
- DPI firewall built-in to all Aerohive Access Points to restrict usage of social, peer-to-peer, streaming and other troublesome applications
- QoS classification engine to enhance performance of mission critical applications such as voice and video
- Monitor application usage per user, device, SSID, and location in HiveManager’s powerful contextualized dashboards
BYOD and Guest Management
Cloud-based ID Manager application enables simple and secure on-boarding of transient and personal devices:
- Allow employees to sponsor guests or their own personal devices by creating accounts individually or in groups
- Credentials can be securely delivered by SMS to any mobile device, anywhere in the world
- Multiple secure access profiles – from short-term guests to fully-secure employee BYOD or personal devices
- Employee approval for guest self-registration
- Integrates with existing RADIUS authentication systems to streamline deployments and meet compliance mandates
Protection Inside and Out
With a range of protection services built into every access point, you can safely unleash mobility throughout your organization:
- Fully stateful layer 2-7 firewall policies personalized to specific user groups or devices
- On-board RADIUS Server, CA and AD integration to leverage existing user database
- OS/Device classification engine enables granular policy enforcement
- Scheduled SSID availability
- WIPS policy for rogue detection and mitigation
- TPM chips inside every AP encrypt sensitive data, protecting it from physical theft
- GRE and VPN tunneling to DMZ or remote locations
- Comprehensive monitoring and reporting
End-to-End Security
With a rich set of partner integrations and APIs, administrators can seamlessly extend mobile device security beyond the edge of the network:
- MDM partnerships with AirWatch and JAMF enable secure self-enrollment of device profiles and restricted network access of non-registered devices
- NAC integration with Impulse, Bradford, and Lightspeed to enforce device compliance