by transpute 897 days ago
A middle ground in complexity is WPA3 with a unique passphrase per VLAN, which allows grouping of devices by risk, or even giving each device a unique identity for access control and traffic management.

OSS golang reference code is available, https://news.ycombinator.com/item?id=38402289

VLAN tagging per SSID is a valid approach as well if a router supports it. That's a lot stronger than how many routers implement their guest isolation.

As for Multi-PSK -- the use case is creating micro-segmentation in a network with zero-trust, where the identity on the network is rooted in that password.

Without Multi-PSK, if it's not clear, every device that has the WiFi password can sniff encrypted traffic with WPA2, make a Rogue AP to attack WPA3 in case it's in use, and can perform ARP spoofing on the network to interfere with other devices.

I wish more consumer devices supported multiple PSKs on the same SSID. It's a handy feature much better for airtime than creating multiple separate SSIDs and much better for sanity than 802.1x user or cert auth.
> I wish more consumer devices supported multiple PSKs on the same SSID

Could you name any enterprise APs that do this, short of running your own custom AP software? As far as I know (would love to be corrected on this), Unifi APs can't do this, and they're at the very least "prosumer".

It seems that feature has been added in a recent update.

https://community.ui.com/releases/UniFi-Network-Application-...

I was very excited by this, but I found that some of my dumber IoT devices would refuse to connect to the network if it used PPSK. If I connect them to a separate SSID I use for IoT devices with a basic WPA2 PSK, they work totally fine, but I didn't dig too much so it could also be user error.
I did not know that. Wow nice. Having so many SSIDs is drawing attention to all the equipment in my flat.

However I guess this feature is WPA3 only which means I'll still need the SSIDs for years to come :'(

The opposite in fact. It only works with WPA2 which means that you cannot combine it with Wi-Fi 6E or use it on any WPA3-enabled SSID.
Ah ok, strange that the feature is only becoming mainstream now (as in added by Unifi, and I never heard of it before). It's very good to hear actually because most of the devices I want to have on separate VLANs are quite dumb (IoT home automation stuff in particular) and they won't have WPA3 (and often even only have 2.4 GHz).
Aruba, Cisco, Extreme, Mist, Ruckus. The first I saw use it was Aerohive (now part of Extreme) and it took the enterprise market by storm about 5 years ago. For most enterprise deployments 802.1x (either username+password or certificate) makes more sense, but once you get into BYOD land (say, senior living) not all devices support that (say an Xbox), but you still want to give a user a way to connect anywhere they go, not just their main living area. Similar with the BYOD network in schools: give out the PSK to any staff and a year later the kids all have it, and you have to change every PSK-only device to a new PSK manually to fix it. Use multiple PSKs to give different groups of devices different PSKs, and even different staff different keys, and you not only contain the problem but can actually narrow down on the worst leak offenders as well.
Doing multiple PSK / PPSK is not compatible with WPA3 (at least as supported by most APs today*, as WPA3 requires management frame encryption), so you limit to WPA2 only, therefore you're better off just having multiple SSIDs with WPA3 support. (Also that way you can have a "secure" network which is WPA3 Personal only, much easier than using WPA Enterprise and gives a reasonable level of security for home use.)

*: In theory password identifiers (https://www.gabriel.urdhr.fr/2022/06/07/impact-of-the-differ...) could be used with WPA3-SAE, but I don't know how good the support is currently...

hostapd has supported multiple SAE passwords and identifiers since 2019; it even allows binding a password to a specific MAC address and VLAN id. Since most AP software is just hostapd wrapped up in some GUI, if they don't support these features it's probably just due to laziness on the vendor's part.
My home network is so small I just use MAC VLAN policies on my managed switch. Same SSID and PSK for all devices makes it easy and they all go off onto the untrusted VLAN by default.
That's an interesting idea, but it seems (without having played around with it or knowing your specific setup) like it comes with some security tradeoffs. In particular, MAC spoofing would be an effective way to VLAN hop, if not necessarily a threat you're worried about. It also seems like there is a possibility that devices connected to the same AP could talk to each other without having to go through the switch, bypassing the VLAN tagging entirely.

I'm honestly not sure if the second attack would work or if it would be AP specific, but I imagine most Wi-Fi to Wi-Fi traffic through the same AP does not make a round trip through the Ethernet port. This wouldn't be an issue if the AP itself was applying and enforcing VLAN tags, but the MAC spoofing problem would still be an issue.
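Added example, written for this page and not posted by any commenter: a hostapd configuration showing the per-password VLAN and MAC binding the hostapd comment above describes, plus AP-side VLAN enforcement and client isolation, which is the "AP itself applying VLAN tags" case the last comment raises. Interface names (wlan0, eth0), file paths, VLAN ids, MAC addresses and passphrases are all constructed.

```ini
# --- /etc/hostapd/hostapd.conf (constructed example; wlan0/eth0, ids and keys are made up) ---
interface=wlan0
driver=nl80211
ssid=home-wpa3
hw_mode=a
channel=36
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2          # management frame protection required, as WPA3-SAE mandates
sae_require_mfp=1

# Per-station VLAN: hostapd tags each client's traffic on eth0 with the vlanid
# bound to the key it authenticated with, so segmentation is enforced by the AP
# from the key handshake rather than inferred from the client's MAC on a switch.
dynamic_vlan=1
vlan_tagged_interface=eth0
vlan_file=/etc/hostapd/hostapd.vlan
ap_isolate=1          # no client-to-client forwarding inside the AP itself

# Several SAE passwords on one SSID. Entries with id= use SAE password
# identifiers, so the client tells the AP which key it is using; the AP then
# places it on that key's VLAN.
sae_password=Trusted-Laptops-2024|vlanid=10|id=staff
sae_password=Cheap-Bulbs-2024|vlanid=20|id=iot
# A key that only one specific client may use, pinned to its MAC address:
sae_password=Printer-Only-2024|mac=02:00:00:00:00:01|vlanid=30

# --- /etc/hostapd/hostapd.vlan (constructed) ---
# "*" makes hostapd create wlan0.<vlanid> on demand for any VLAN bound above.
* wlan0.#

# --- /etc/hostapd/hostapd.wpa_psk (constructed; WPA2 multi-PSK alternative) ---
# Used with wpa_key_mgmt=WPA-PSK and wpa_psk_file=/etc/hostapd/hostapd.wpa_psk
# instead of the SAE lines above. Format: [vlanid=<id>] <MAC> <passphrase>;
# 00:00:00:00:00:00 means any client may use that key.
vlanid=10 00:00:00:00:00:00 Trusted-Laptops-2024
vlanid=20 00:00:00:00:00:00 Cheap-Bulbs-2024
vlanid=30 02:00:00:00:00:01 Printer-Only-2024
```

With the WPA2 variant, every client holding a given passphrase still shares that key's PMK, so the sniffing caveat raised earlier in the thread applies within each VLAN group; the SAE variant derives a fresh PMK per association.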