The fact that our engineering team was able to provide a highly-secure, easy-to-use, and widely-supported (a perfect trinity!) feature to solve such an obvious problem really deserves a standing ovation. Let's get into the details a bit.
As far as Wi-Fi networks go, they really fall into two categories: secured or not.
The problem is that the definition of a "secure" wireless network is extremely fuzzy. Take WEP, for example. A few years ago, a WEP-enabled network was considered "secure". Now we all know that is really not true anymore (pretty sure there's an app that can crack WEP in under 2 minutes now), but arguably it's still more secure than no password or encryption at all.
So what is "Secure"?
Arguably the gold standard in Wi-Fi security is WPA2-Enterprise, also known as 802.1X. This is the Mac Daddy of security mechanisms. Each user/client is individually authenticated, authorized for access based on identity, and can be held accountable for what they did on the network. Every single packet sent between that user and the access point is secured by a unique per-session key that only the Wi-Fi client (sometimes called a supplicant) and the authentication server (usually RADIUS) know.
This means even if someone were to steal a person's credentials and gain access to the network, the hacker STILL couldn't sit there and see what the rest of the clients are doing because it's all individually encrypted! Also as an administrator it is super easy to de-auth and disconnect the suspected abuser and everyone else on the network continues to operate normally.
The problem with this amazingly secure and fabulous technology is that sometimes it's really hard to set up and support.
- First you need an authentication server with a user database.
- Then you need to ensure every user or client you want connected has a username/password.
- Then, on top of all that (and usually the big deterrent for 802.1X), it takes certificates.
Some protocols like PEAP and TTLS make it slightly easier by only requiring server-side certificates, but as an administrator you still need to make sure every single client connecting to your wireless network is ready to accept that server certificate as valid. This is daunting, especially if an administrator isn't a certificate expert or the clients are all mixed and matched (BYOD anyone?). Some clients - especially legacy clients and many phones - simply don't support 802.1X capability.
Another issue is guest access - how do you get a valid username/password to each guest who wants to connect to your wireless network?
So, given the overhead of installing and managing an 802.1X-secured Wi-Fi network, most people just default to WPA2-Personal, also known as a Pre-Shared Key or PSK. This means all the users share a single key to access the network, and all of them get the same network permissions, since every user has the same credentials. While this provides encryption between the client and the access point, there is no authentication of individual users. Even if an administrator takes great pains to ensure this key is highly secure and difficult to remember (which inherently compromises usability), it still comes with a pretty heavy security hit.
- First of all, everyone sharing the same key means everyone authenticated to the Wi-Fi network can see any other user's traffic! All it takes is a free sniffer and every single thing sent between the client and the access point is visible to any authenticated user.
- It also means that if a person leaves the company or the password is otherwise compromised, the administrator has to change the key for ALL users and devices (let's be honest - how often do you think that happens?) since everyone uses the same key.
- And like I mentioned earlier, since there is no way to differentiate between clients, they all share the same network permissions (note: Aerohive does have an amazing network-based Mobile Device Management (MDM) feature that allows for differentiating between device types which can be used with a PSK, but you still can't differentiate between users).
So enter Aerohive. Since we're so into solving problems (not World Peace, just World Domination), our brilliant engineering team managed to find a way to get the ease of use and deployment inherent to a Pre-Shared Key network but still provide the security, manageability, and accounting capabilities of 802.1X. It's almost like the Wi-Fi Alliance should grant us our own standard - WPA2-PersonalEnterprise!
Aerohive Private Pre-Shared Key gives administrators a way to assign a unique, revocable key to every single user or client (or both) on the network. This means you can identify a user or groups of users based on the key they're using and assign different permissions. It means if a user leaves the company, you can quickly and easily remove the key and it can't be used by anyone else. It means every client that supports a PSK (just about all of them) can now be configured to securely connect to the Wi-Fi network. It means that users cannot use a sniffer to see each other's traffic. And best of all, it is easy enough to set up and deploy that anyone can do it! There are no certificates, no RADIUS servers, and no complex supplicant configurations required. Since 4.0, Aerohive has even supported a Self-Registration capability for Private Pre-Shared Key, allowing a user to sign up for a PPSK using a simple registration form or even an authenticated Captive Web Portal that checks user credentials against Active Directory (or Open Directory, eDirectory, or LDAP).
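To make the difference between the shared-key problem described above and the per-user key model concrete, here is an added example written for this post; it is not Aerohive's code and does not show how HiveOS implements PPSK. It uses the standard WPA2-Personal key derivation from IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output) to show two things: with one shared passphrase every client ends up holding the same master key, while a per-user key table yields a distinct key per user that can be mapped back to an identity and group and revoked on its own. The `PPSKStore` class, the SSID, and the user names and passphrases are hypothetical values constructed for the demonstration, and `identify` is a simplification: a real access point learns which issued key a client holds by checking the client's 4-way handshake against each candidate key rather than being handed the key directly.

```python
import hashlib
import secrets


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key, as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1 with the passphrase as the secret, the SSID as the salt,
    4096 iterations and a 32-byte (256-bit) result."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def shared_psk_distinct_keys(ssid: str, passphrase: str, clients: list) -> int:
    """Count the distinct master keys held by clients that all typed the same
    passphrase on one SSID. This is always 1: the key material that protects
    each client's traffic is identical for everybody on the network."""
    return len({derive_pmk(passphrase, ssid) for _client in clients})


class PPSKStore:
    """Hypothetical per-user key table modelling the idea described in the
    post: each user (or client) gets its own passphrase, the resulting key maps
    back to an identity and a user group, and keys are revoked individually.
    This is illustrative only and is not Aerohive's implementation."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self._by_pmk: dict = {}  # master key -> (user, group)

    def issue(self, user: str, group: str, passphrase: str = None) -> str:
        """Assign a unique key to a user; a random passphrase is generated when
        none is supplied. Returns the passphrase the administrator hands out."""
        passphrase = passphrase or secrets.token_urlsafe(12)
        pmk = derive_pmk(passphrase, self.ssid)
        if pmk in self._by_pmk:
            raise ValueError("that passphrase is already issued to another user")
        self._by_pmk[pmk] = (user, group)
        return passphrase

    def identify(self, pmk: bytes):
        """Map the key a client authenticated with to (user, group), or None
        when the key is unknown or has been revoked. Simplification: a real
        access point would verify the client's 4-way handshake against each
        issued key instead of being given the key itself."""
        return self._by_pmk.get(pmk)

    def revoke(self, user: str) -> bool:
        """Remove every key issued to one user. Nobody else's key changes, which
        is the operational difference from rotating a single shared PSK."""
        doomed = [k for k, (owner, _group) in self._by_pmk.items() if owner == user]
        for k in doomed:
            del self._by_pmk[k]
        return bool(doomed)


if __name__ == "__main__":
    ssid = "CorpWiFi"  # constructed example SSID

    # Shared PSK: three clients, one passphrase, one key for all of them.
    print("distinct keys on shared-PSK network:",
          shared_psk_distinct_keys(ssid, "OfficePassword2012", ["alice", "bob", "carol"]))

    # Per-user keys: each user's key is different and maps back to an identity.
    store = PPSKStore(ssid)
    alice_pw = store.issue("alice", "staff", "alice-pass-1234")
    bob_pw = store.issue("bob", "contractor", "bob-pass-5678")
    print("alice key == bob key:", derive_pmk(alice_pw, ssid) == derive_pmk(bob_pw, ssid))
    print("client using alice's key is:", store.identify(derive_pmk(alice_pw, ssid)))

    # Revoking one user leaves everyone else untouched.
    store.revoke("bob")
    print("bob after revoke:", store.identify(derive_pmk(bob_pw, ssid)))
    print("alice after bob's revoke:", store.identify(derive_pmk(alice_pw, ssid)))
```

The `derive_pmk` function can be checked against the published 802.11i test vector (passphrase `password`, SSID `IEEE`), so the shared-key result is not an artefact of a toy hash; the point of the rest is that the unit of revocation and of identification becomes the user rather than the whole network.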
Oh wait, one more thing - like everything else Aerohive, this feature is totally, completely, 100% free with the purchase of any Aerohive access point or branch router. Now there's no excuse for insecure Wi-Fi networks - Aerohive has provided the ultimate way to get every user and every client connected with unique, revocable, and completely secure keys to the Wi-Fi Network. Didn't I mention World Domination?