Do you love segmenting your network into as many subnets and VLANs as possible? Do you have too many Wi-Fi networks for all of your special flower IoT devices that can barely speak IP, let alone fend for themselves on the wild internet? You could use WPA Enterprise (EAP) authentication, but good luck getting your smart toaster to log in. The solution I’m playing with is called Private Pre-Shared Keys: each client can potentially have its own passphrase and VLAN assignment on the same SSID, and the client only has to support ordinary passphrase authentication.

For this video, I’m using a Mikrotik wAP AC with RouterOS 7.8. I’d like to try OpenWRT in the future, but as of the making of this video it’s not quite ready.

Full Mikrotik Config Export

/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=\
    SpaceLasers wps-mode=disabled
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=\
    BillWiTheScienceFi wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    radius-called-format=ssid radius-mac-authentication=yes \
    supplicant-identity=MikroTik tls-mode=dont-verify-certificate
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface bridge vlan
add bridge=bridge tagged=ether1,wlan2,wlan1 vlan-ids=9
/ipv6 address
add address=2001:db8:beef:cafe:ba69:f4ff:fe78:5a22 eui-64=yes interface=bridge
/radius
add address=2001:db8:beef:cafe::420 service=wireless
/system identity
set name=WAP

Full FreeRADIUS Configuration

authorize File:

#MAC is a specific value, SSID has specific value
FC:D4:36:B3:00:33 Called-Station-ID == "BillWiTheScienceFi", Auth-Type := Reject

#MAC has specific value, also pass a unique PSK and VLAN ID
FC:D4:36:B3:00:33 Called-Station-ID == "SpaceLasers", Auth-Type := Accept
        Mikrotik-Wireless-Psk = "ClientKey",
        Mikrotik-Wireless-VLANID = 9

#MAC matches by OUI FC:D4:36 (Motorola, my test phone)
DEFAULT User-Name =~ "^FC:D4:36", Auth-Type := Accept
        Mikrotik-Wireless-Psk = "Motorola"

#MAC is locally administered (first octet ends in 2, 6, A or E)
DEFAULT User-Name =~ "^[0-9A-F][26AE]", Auth-Type := Accept
        Mikrotik-Wireless-Psk = "RandomKey"

#MAC is a specific value, reject user
FC:D4:36:B3:00:33 Auth-Type := Reject

#Any other users (you don't have to accept them)
DEFAULT Auth-Type := Accept
        Mikrotik-Wireless-Forward = 1,
        Mikrotik-Wireless-Psk = "GenericKey"
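
The authorize file is walked top to bottom, and the first entry whose name and check items all match decides the answer; its reply items become the attributes in the Access-Accept. To make that decision tree easy to reason about, here is an added Python model of the file above. It is example code written for this page, not FreeRADIUS itself and not from the video. It assumes the AP sends the client MAC as User-Name in Mikrotik's default upper-case colon format, and every MAC other than the author's test phone is a constructed sample.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of the authorize file above (same entries, same order).
# Hypothetical helper code, not FreeRADIUS itself: the users module stops at
# the first entry whose name and check items all match (no Fall-Through here),
# and that entry's reply items become the Access-Accept attributes.

@dataclass
class Entry:
    name: str                            # exact MAC, or "DEFAULT" for any User-Name
    accept: bool                         # Auth-Type := Accept (True) / Reject (False)
    ssid: Optional[str] = None           # Called-Station-Id == "..." (radius-called-format=ssid)
    name_regex: Optional[str] = None     # User-Name =~ "..." (the MAC as sent by the AP)
    reply: Dict[str, object] = field(default_factory=dict)

    def matches(self, mac: str, ssid: str) -> bool:
        if self.name != "DEFAULT" and self.name != mac:
            return False
        if self.ssid is not None and self.ssid != ssid:
            return False
        if self.name_regex is not None and not re.search(self.name_regex, mac):
            return False
        return True


# Assumes the default Mikrotik radius-mac-format, XX:XX:XX:XX:XX:XX in upper case.
AUTHORIZE = [
    Entry("FC:D4:36:B3:00:33", False, ssid="BillWiTheScienceFi"),
    Entry("FC:D4:36:B3:00:33", True, ssid="SpaceLasers",
          reply={"Mikrotik-Wireless-Psk": "ClientKey", "Mikrotik-Wireless-VLANID": 9}),
    Entry("DEFAULT", True, name_regex=r"^FC:D4:36",
          reply={"Mikrotik-Wireless-Psk": "Motorola"}),
    Entry("DEFAULT", True, name_regex=r"^[0-9A-F][26AE]",
          reply={"Mikrotik-Wireless-Psk": "RandomKey"}),
    Entry("FC:D4:36:B3:00:33", False),
    Entry("DEFAULT", True,
          reply={"Mikrotik-Wireless-Forward": 1, "Mikrotik-Wireless-Psk": "GenericKey"}),
]


def authorize(mac: str, ssid: str, entries=AUTHORIZE) -> Tuple[bool, Dict[str, object]]:
    """Simulate one MAC-auth Access-Request: the first matching entry decides."""
    mac = mac.upper()
    for entry in entries:
        if entry.matches(mac, ssid):
            return entry.accept, (dict(entry.reply) if entry.accept else {})
    return False, {}          # nothing matched: FreeRADIUS would reject


def is_locally_administered_unicast(mac: str) -> bool:
    """Bit 1 of the first octet set (locally administered) and bit 0 clear (unicast).
    This is exactly what the second-nibble class [26AE] in the regex tests:
    2 = 0010, 6 = 0110, A = 1010, E = 1110."""
    first_octet = int(mac.split(":")[0], 16)
    return (first_octet & 0x03) == 0x02


def regex_matches_bit_test() -> bool:
    """Check that the regex and the bit arithmetic agree for every possible first octet."""
    pattern = re.compile(r"^[0-9A-F][26AE]")
    for octet in range(256):
        mac = f"{octet:02X}:00:00:00:00:00"
        if bool(pattern.search(mac)) != is_locally_administered_unicast(mac):
            return False
    return True


if __name__ == "__main__":
    for mac, ssid in [("FC:D4:36:B3:00:33", "BillWiTheScienceFi"),
                      ("FC:D4:36:B3:00:33", "SpaceLasers"),
                      ("FC:D4:36:AA:BB:CC", "SpaceLasers"),   # same OUI, other device (constructed)
                      ("DA:A1:19:01:02:03", "SpaceLasers"),   # randomised/private MAC (constructed)
                      ("00:11:22:33:44:55", "SpaceLasers")]:  # unknown vendor MAC (constructed)
        print(mac, ssid, "->", authorize(mac, ssid))
    print("regex agrees with bit test:", regex_matches_bit_test())
```

Two things the model makes visible. First, the locally administered entry is what catches phones using randomised (private) MAC addresses: they never match a per-device or per-OUI entry, so they land on the shared "RandomKey" rather than on a key meant for a known device, which is the behaviour you want when a device's identity cannot be pinned to its MAC. Second, because matching stops at the first hit, the standalone reject for the test phone near the end is shadowed by the OUI entry for both SSIDs in this config; ordering in this file is part of the policy, so test each MAC and SSID pair rather than reading the entries in isolation.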

Also, the clients.conf:

client lan {
        # the Mikrotik AP, matched by source prefix; the secret must match the one set on the AP's /radius entry
        ipaddr = 2601:40e:8101:6820::/64
        secret = CorrectHorseBatteryStaple
}