
I have a use-case where a bunch of my remote devices are connected to a 2.4GHz WiFi network on a router. The SSID and password are known to these devices. Due to security reasons, the passwords need to be updated on a regular basis. Is there an existing framework/mechanism that will help communicate this in advance to all the connected devices? All devices are remote and cannot be (realistically) physically updated. It'd be great if someone could point me to some literature about this.

rookie

  • Your use-case has already been discussed here: https://stackoverflow.com/q/26032364 Maybe it answers your question. – digijay Jun 04 '20 at 07:37
  • A question for you to think about: assume an unauthorised device is already connected to the network when the updated password is broadcast. How does this approach stop that device from receiving the new password and also updating? – hardillb Jun 04 '20 at 08:05
  • @hardillb That is an interesting situation, where a bad actor is already part of the network and then could potentially receive the updated. I imagine such a scenario is handled in an established framework via certificates of some kind. – rookie Jun 04 '20 at 18:12
  • @digijay The link asks a similar question, except in my case the network is not open and only known devices can access it. I could potentially also have a server that informs the clients on a network of a "scheduled" change, though an abrupt change could be catastrophic. – rookie Jun 04 '20 at 18:17
  • @rookie If you already have certificates then you don't need WiFi passwords; WPA Enterprise does it all for you. – hardillb Jun 04 '20 at 18:20

1 Answer

The usual way to handle this is to use WPA2-Enterprise, which uses IEEE 802.1X to authorize users against a RADIUS server or some other authentication provider. This way, your devices all authenticate using their own credentials, with the keys being rotated per authentication.

This however requires support for this mechanism in your devices, which might not always be available.

Stuggi
  • Thank you for the suggestion. I will read up on it. Assuming I could implement it on the client devices, it seems the RADIUS server will inform all clients automatically of any potential credential changes? – rookie Jun 04 '20 at 18:31
  • The credentials don't change, but as they are unique to each device, you can revoke them for that one device if it's compromised, and then you only need to manually update that device (or replace it, as compromise normally means it can never be trusted again). – hardillb Jun 04 '20 at 18:47
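As an added illustration of what "support for this mechanism in your devices" looks like in practice (this is not from the answer or the asker), below is a minimal hostapd configuration for the access point and a matching wpa_supplicant network block for one device using EAP-TLS, i.e. a per-device client certificate instead of a shared PSK. The SSID, device identity, file paths and RADIUS address are assumed placeholders.

```conf
# --- hostapd.conf on the access point (added example, values assumed) ---
interface=wlan0
ssid=example-iot
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP            # 802.1X/EAP instead of a shared passphrase
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10      # RADIUS server (placeholder address)
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_RADIUS_SHARED_SECRET

# --- wpa_supplicant.conf on one device (added example, values assumed) ---
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="example-iot"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device-0042"                          # unique per device
    ca_cert="/etc/ssl/certs/radius-ca.pem"          # CA that issued the RADIUS server cert
    client_cert="/etc/ssl/certs/device-0042.pem"    # this device's own certificate
    private_key="/etc/ssl/private/device-0042.key"
    # Verify the RADIUS server's certificate name so the device will not
    # hand its credentials to an access point backed by a rogue server.
    domain_match="radius.example.net"
}
```

Because each device presents its own certificate, a compromised device is handled by revoking that one certificate on the RADIUS side; the other devices keep working unchanged, which is the revocation property described in the comment above.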