Meraki

Community

Is Identity PSK without RADIUS with 802.11r Secure?

Laz
Conversationalist
‎Feb 8 2022 7:33 PM
‎Feb 8 2022 7:33 PM

Is Identity PSK without RADIUS with 802.11r Secure?

I know 802.11r is a no go with PSK due to security issues, but is it safe to use with Meraki's implementation of Identity PSK without RADIUS?

0 Kudos
7 Replies 7
MarkB2
Here to help
‎Feb 8 2022 7:46 PM
‎Feb 8 2022 7:46 PM

iPSK is really just MAB with the PSK in as an attribute in AuthZ when used with ISE. I think the Meraki implementation is essentially the same as that but Meraki cloud is the RADIUS server.. I do not receive the Dashboard security warning when configuring 802.11r and using iPSK without RADIUS

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 9 2022 3:56 AM
‎Feb 9 2022 3:56 AM

The security issues are from around 2018 and are resolved on all actual APs and you can use 802.11r with PSK or iPSK. IMO only older AP-models like the MR32 didn't receive the firmware fixes. But don't expect a relevant improvement when using iPSK. There is no lengthy EAP exchange that can be removed by using 802.11r.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
skjoedt
New here
‎Apr 26 2022 1:32 AM
‎Apr 26 2022 1:32 AM

Can you tell me how and in which software version Cisco Meraki managed to resolve the KRACK vulnerability with 802.11r and PSK? 🙂

I can't seem to find any documentation that suggests that the vulnerability is fixed and the dashboard still advertises a warning for this vulnerability 🙂

0 Kudos
In response to skjoedt
KarstenI
Kind of a big deal
Kind of a big deal
‎Apr 26 2022 1:47 AM
‎Apr 26 2022 1:47 AM

https://documentation.meraki.com/General_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-1...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
skjoedt
New here
‎Apr 26 2022 2:20 AM
‎Apr 26 2022 2:20 AM

Hello Karsen

Thanks, just what i needed! 🙂

0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Feb 9 2022 8:50 AM
‎Feb 9 2022 8:50 AM

iPSK can basically be treated the same as PSK and so you should not use 802.11r with it.

However the difference in this implementation is that the AP has to brute force the received response to the anonce with all it's stored PSK combinations.  I'm not sure if having alot of iPSK's impacts the time the AP can respond to the EAPoL 2 message and thus slowing down the roaming.

If an expert could chime in, that would be great.

0 Kudos
In response to GIdenJoe
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 9 2022 9:26 AM
‎Feb 9 2022 9:26 AM

So lets see how it differs between a match on the first iPSK and the 50th (the maximum Meraki allows):

 

4-Way Handshake with a passphrase matching the first entry:

image.png

4-Way Handshake with a passphrase matching the 50th entry (at PSK 20 I asked myself why I didn't use the API to configure this):

 

CleanShot 2022-02-09 at 18.17.20@2x.png

I would say it's completely inside the statistical tolerance and doesn't play any practical role.

 

When planning to use iPSK without RADIUS or not, it should be considered that it restricts the SSID from being used with WPA3 if that is desirable at a later time. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.