How to Implement User-Specific Wi-Fi Authentication with Unique Passwords per Device

Network administrators in enterprise environments often require more sophisticated authentication than standard WPA2-PSK can provide. The traditional single-password approach creates security vulnerabilities when credentials are shared improperly and makes it impossible to revoke individual access without changing the password for all users.

// Example RADIUS configuration snippet for FreeRADIUS (sites-enabled/default)
authorize {
    # Only users in the corporate realm are considered. Their per-user
    # password is loaded from the users file by the files module; it must
    # never be derived from the User-Name itself.
    if (User-Name =~ /@example\.com$/) {
        files
        ok
    }
    else {
        reject
    }
}

For businesses needing robust solutions, these approaches work best:

  • 802.1X Authentication: Requires a RADIUS server (FreeRADIUS, Microsoft NPS)
  • Captive Portal Systems: Solutions like PacketFence or pfSense captive portal
  • Cloud-Based Wi-Fi Management: Platforms like Cisco Meraki or Aruba Central

Smaller operations can implement a basic version using:

# MikroTik RouterOS script example: one private PSK per device MAC on a shared SSID
# (an access-list private-pre-shared-key overrides the security profile's key for
# that client; the MAC/PSK pairs below are placeholders to replace)
:local devices {"00:11:22:33:44:55"="replace-with-psk-1"; "66:77:88:99:AA:BB"="replace-with-psk-2"}
:foreach mac,psk in=$devices do={
    /interface wireless access-list add interface=wlan1 mac-address=$mac \
        private-pre-shared-key=$psk comment=("per-device PSK for " . $mac)
}

When implementing per-user authentication:

  • Always use WPA2-Enterprise when possible
  • Regularly audit and rotate credentials
  • Implement MAC address filtering as secondary control
  • Consider certificate-based authentication for highest security

Standard Wi-Fi networks typically use a single shared PSK (Pre-Shared Key), which creates security and management challenges. A more granular authentication approach is needed when you want to:

  • Revoke access for specific users without disrupting others
  • Track individual device usage patterns
  • Implement tiered bandwidth allocation
  • Meet compliance requirements for guest networks

Option 1: RADIUS Server Integration

The enterprise-grade solution using FreeRADIUS with EAP authentication:

# Example FreeRADIUS user entry (users file); the reply attributes place this user in VLAN 101
"john.doe" Cleartext-Password := "S3cr3tP@ss2023"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 101

Option 2: Dynamic PSK (DPSK) Systems

Vendor-specific implementations like Cisco Identity PSK or Aruba Private PSK:

# Aruba CLI configuration example
wlan ssid Corp-Guest
  dpsk
    dpsk-key foobar key ascii 0 MyDpskPass123
    dpsk-key foobar vlan 30
    dpsk-key foobar lifetime 86400

For Linux-based access points with hostapd, per-device passphrases are configured through wpa_psk_file; the MAC ACL files only list addresses and cannot carry credentials, so they serve as the secondary filter:

# /etc/hostapd/hostapd.conf
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# one passphrase per client MAC (overrides the shared wpa_passphrase for listed clients)
wpa_psk_file=/etc/hostapd/hostapd.wpa_psk
# optional MAC filter as a secondary control
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept_mac

# /etc/hostapd/hostapd.wpa_psk (MAC address, then passphrase)
00:1A:2B:3C:4D:5E secret_password1
00:1B:2C:3D:4E:5F secret_password2

# /etc/hostapd/accept_mac (addresses only)
00:1A:2B:3C:4D:5E
00:1B:2C:3D:4E:5F

Modern Wi-Fi systems like Ubiquiti UniFi offer per-user credentials through their controller:

// UniFi API example for creating guest credentials (hotspot voucher); n is the number of vouchers to create
POST /api/s/default/cmd/hotspot
{
  "cmd": "create-voucher",
  "n": 1,
  "expire": 1440,
  "note": "Client: John Doe",
  "quota": 5,
  "up": 1024,
  "down": 512,
  "bytes": 1073741824
}

Whichever platform you choose:

  • Always use WPA2-Enterprise or WPA3 when possible
  • Implement proper password rotation policies
  • Consider combining with 802.1X authentication
  • Log authentication attempts for audit purposes

Python script to generate and rotate credentials:

import secrets
import subprocess
from datetime import datetime, timedelta

def generate_psk(mac_address, days_valid=30):
    # The random part carries all the entropy; the device tag and expiry date
    # are labels that make the credential easy to audit and retire, not secrets
    base_key = "COMPANY_PREFIX_"
    random_part = secrets.token_urlsafe(12)
    device_tag = mac_address.replace(":", "").replace("-", "")[-4:].lower()
    valid_until = (datetime.now() + timedelta(days=days_valid)).strftime("%Y%m%d")
    return f"{base_key}{device_tag}_{random_part}_{valid_until}"

def update_radius_db(user, password, users_file="/etc/freeradius/users"):
    # Append a users-file entry; the files module only re-reads it on restart.
    # Quotes and backslashes are escaped so the entry stays parseable.
    password = password.replace("\\", "\\\\").replace('"', '\\"')
    with open(users_file, "a") as f:
        f.write(f'\n"{user}" Cleartext-Password := "{password}"\n')
    subprocess.run(["systemctl", "restart", "freeradius"], check=True)
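To make the "revoke one device without disrupting the others" point concrete, here is an added example (my code, not from the original article) that manages a hostapd-style per-device passphrase store: it parses the file, issues or rotates one device's passphrase, revokes a single device, and lists entries past a rotation age. It assumes the line format of hostapd's wpa_psk_file option (MAC address, then passphrase) and records issue dates on "# issued=" comment lines, which is this example's convention rather than hostapd's.

```python
import re
import secrets
from datetime import date

# Constructed sample in hostapd's wpa_psk_file format (not from any real deployment)
SAMPLE_PSK_FILE = "# issued=2024-01-10\n00:1A:2B:3C:4D:5E secret_password1\n00:1b:2c:3d:4e:5f secret_password2\n"

def normalize_mac(mac):
    # Canonical lower-case colon form; anything that is not a MAC is rejected before it reaches the file
    m = mac.strip().lower().replace("-", ":")
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m

def parse_psk_file(text):
    # {mac: (passphrase, issued_date)}; the date rides on a '# issued=YYYY-MM-DD' comment hostapd skips
    entries, issued = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# issued="):
            issued = date.fromisoformat(line[len("# issued="):])
        elif line and not line.startswith("#"):
            mac, passphrase = line.split(None, 1)
            entries[normalize_mac(mac)] = (passphrase, issued)
            issued = None
    return entries

def render_psk_file(entries):
    # Serialise back into the 'MAC passphrase' lines hostapd reads, one issue-date comment per entry
    out = []
    for mac in sorted(entries):
        passphrase, issued = entries[mac]
        if issued is not None:
            out.append(f"# issued={issued.isoformat()}")
        out.append(f"{mac} {passphrase}")
    return "\n".join(out) + "\n"

def issue_psk(entries, mac, today):
    # Create or rotate one device's passphrase; every other device keeps its own
    passphrase = secrets.token_urlsafe(24)  # 32 printable ASCII chars, inside WPA's 8..63 limit
    entries[normalize_mac(mac)] = (passphrase, today)
    return passphrase

def revoke_psk(entries, mac):
    # Drop a single device without touching the rest; False if it was never enrolled
    return entries.pop(normalize_mac(mac), None) is not None

def due_for_rotation(entries, today, max_age_days=90):
    # MACs whose passphrase is older than policy allows, or carries no issue date at all
    return sorted(m for m, (_, d) in entries.items() if d is None or (today - d).days > max_age_days)
```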