DPSK in 3.2

Alan DeKok aland at deployingradius.com
Mon Jun 19 16:12:43 UTC 2023


  I've just pushed patches to make DPSK work in 3.2.  The module configuration is available on GitHub:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/dpsk

  The work isn't quite done yet, but the module works.  The one remaining piece is to cache the identity associated with the PSK.

  As background, some AP vendors permit dynamic PSKs for WiFi access.  This uses WPA-PSK, but the PSK is permitted to be different for different users on the same SSID.

  There are some issues with DPSK.  In short, don't use it. It usually requires the server to try all possible PSKs before finding one that works.  This process can be very slow.

  i.e. a reasonable modern system can do 100,000 of these PSK tests per second.  So if you have 100,000 individual PSKs, then it can only handle one packet per second before the CPU maxes out.  If you have 100 PSKs, then you're limited to 1000 packets per second.

  And that's doing nothing other than PSK checks.  So the numbers are likely to be much lower than that in practice.

  To help with this performance issue, the module can cache PSK entries in memory.  The first time it finds an unknown MAC, it has to brute-force the PSK.  But once the PSK is found, the module caches the MAC+SSID+PSK.

  The next time it receives a packet for that MAC+SSID, the module finds the cache entry, and uses it.

  We've made it as good as possible considering the limitations of DPSK.  But we still recommend that people don't use it.  The DPSK functionality is simply broken, and there is really no way to make it efficient.

  Please see the module configuration for more details.

  Alan DeKok.
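
The lookup cost and the MAC+SSID+PSK cache described in the message above, as an added example that is not part of the original post and is not the FreeRADIUS module's code. It assumes the per-PSK test is the standard WPA2 one (PBKDF2-SHA1 PMK, 802.11i PRF, HMAC-SHA1 MIC); `DpskLookup`, `kck_for`, `mic_for` and `make_handshake` are hypothetical names, and the handshake values are constructed.

```python
import hashlib
import hmac

def kck_for(psk, hs):
    """Derive the 16-byte Key Confirmation Key one candidate PSK would produce."""
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), hs["ssid"].encode(), 4096, 32)
    macs = min(hs["ap_mac"], hs["sta_mac"]) + max(hs["ap_mac"], hs["sta_mac"])
    nonces = min(hs["anonce"], hs["snonce"]) + max(hs["anonce"], hs["snonce"])
    # First block (counter 0) of the 802.11i PRF; the KCK is its first 16 bytes.
    label = b"Pairwise key expansion\x00"
    return hmac.new(pmk, label + macs + nonces + b"\x00", hashlib.sha1).digest()[:16]

def mic_for(kck, eapol):
    """HMAC-SHA1-128 MIC over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]

class DpskLookup:
    def __init__(self, psks):
        self.psks = psks      # every PSK provisioned for the SSID
        self.cache = {}       # (station MAC, SSID) -> PSK that last matched
        self.tests = 0        # per-PSK checks performed so far

    def _matches(self, psk, hs):
        self.tests += 1
        return hmac.compare_digest(mic_for(kck_for(psk, hs), hs["eapol"]), hs["mic"])

    def find(self, hs):
        key = (hs["sta_mac"], hs["ssid"])
        cached = self.cache.get(key)
        if cached is not None and self._matches(cached, hs):
            return cached                 # cache hit: one check instead of a full scan
        self.cache.pop(key, None)         # stale or missing entry: try every PSK again
        for psk in self.psks:
            if self._matches(psk, hs):
                self.cache[key] = psk
                return psk
        return None

def make_handshake(psk, sta_mac):
    """Constructed sample input standing in for what the AP forwards to the server."""
    hs = {"ssid": "example-ssid", "ap_mac": bytes.fromhex("02aabbccddee"),
          "sta_mac": sta_mac, "anonce": hashlib.sha256(b"anonce").digest(),
          "snonce": hashlib.sha256(b"snonce" + sta_mac).digest(),
          "eapol": b"constructed EAPOL-Key frame, MIC field zeroed"}
    hs["mic"] = mic_for(kck_for(psk, hs), hs["eapol"])
    return hs
```

The `tests` counter makes the cost visible: a first-time MAC costs up to one check per provisioned PSK, a cached MAC costs one, and a device presenting a PSK that is not provisioned always costs the full scan.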


