

Ever heard one vendor praising a competitor in public? Well, here it comes.
Not only did Aerohive recently give us a great new CFO, but they also recently announced a very familiar (and well-loved) wireless security feature they called “Private PSK.”
It's almost identical (but not) to our own Dynamic PSK (so we were very flattered). But they've added some very cool knobs.
Like our Dynamic PSK technology, Private PSK fills a gap between WPA-PSK (pre-shared key) technology and WPA enterprise mode (802.1X).
You’re probably familiar with WPA-PSK already. Practically every consumer-grade wireless AP lets you set up WPA-PSK encryption, where you define a key on the AP. Any wireless device that tries to connect to that network needs the same key typed in to connect. This technology has been widely implemented because it is easy to deploy and understand.
While WPA-PSK works fine in a small environment, when you have multiple people sharing the same key, in a company for example, you start to have problems keeping the key a secret. What's more, if the key is ever compromised, the only way to re-secure your network is to change the key on the AP (easy enough). But then you’ll have to update the key on every client device manually (major suckage).
WPA Enterprise (really just another way to say 802.1X) solves this problem by requiring that clients authenticate against a RADIUS server before they are allowed onto the network. Every user has a different username and password on the RADIUS server. So if a user needs to be revoked, the administrator can delete their entry. All of the other users remain unaffected by the change.
In the real world, this can be exceedingly complex to deploy and manage. Many companies don’t have RADIUS servers, so one will have to be set up and maintained. Furthermore, the setup on the client side is very complex. Instead of typing in a single key like you would with a WPA-PSK secured network, multiple configuration adjustments need to be made (e.g. the client computer must also have a certificate installed that is used to check against the certificate listed in the server).
In a typical 802.1X configuration this can easily add up to ten separate steps. This frustrates users and puts an increased burden on systems administrators who will need to assist each user in configuring their device. And devices that don't support WPA Enterprise remain unsecured with this approach.
Our Dynamic PSK (as well as Aerohive’s Private PSK) takes the "best of both worlds" approach to solve this security dilemma. See fairly fair comparison chart.
Administrators can choose to enable Dynamic PSK and have the system automatically generate a unique key for each user. Our approach actually downloads and installs the PSK automatically on the client along with the requisite SSID - and we bind the Dynamic PSK to the MAC address of a given device.
Aerohive's approach lets you manually generate keys or groups of keys that can be emailed, and there's no need to log in, but users still must install the key. (Also note that Aerohive's Private PSK requires the HiveManager appliance and the Guest Manager application to fully function, which is kinda weird given their religious bent toward a "controller-less architecture"... but whatever, we have our own problems.)
Each user can then use their own unique key to connect to the wireless network, just like a traditional WPA-PSK network. This is especially convenient for devices without a WebUI. If a key is compromised, administrators can choose to selectively revoke that single key and generate a new one to replace it.
All other keys remain valid, so other users do not need to take any action in this case. Another advantage of this approach is on devices (such as mobile phones) where WPA Enterprise security is either very complex to set up or missing entirely. With Aerohive's implementation, a Private PSK can be used on multiple devices at the same time, and each of these devices is shown as a different session when looking at their HiveManager management system.
With these new approaches, users need only enter their unique key into the device and they are ready to go.
But with Aerohive's Private PSK, administrators can choose to go a step further. They can assign user-based policies based on their key. In this way, different users, even if they are connecting to the same SSID, can have different VLAN, QoS or firewall settings depending on what key they use to log in. That’s cool.
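To make the per-key model concrete, here is an added Python sketch (not Ruckus or Aerohive code) of a key table that issues one key per device, binds it to a MAC, maps it to a VLAN and revokes it individually. The class, method names, SSID and MAC addresses are hypothetical; only the passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits) is standard WPA-PSK behaviour.

```python
import hashlib
import secrets

SSID = "corp-wlan"  # constructed sample SSID


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK maps passphrase + SSID to a 256-bit PMK via PBKDF2-HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class PerDeviceKeyStore:
    """Hypothetical per-device PSK table; not any vendor's implementation."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self._entries = {}  # normalised MAC -> {"pmk": bytes, "vlan": int}

    @staticmethod
    def _norm(mac: str) -> str:
        return mac.lower().replace("-", ":")

    def issue(self, mac: str, vlan: int) -> str:
        """Generate a unique passphrase for one device and bind it to its MAC."""
        passphrase = secrets.token_urlsafe(24)  # 32 chars, within the 8-63 limit
        pmk = derive_pmk(passphrase, self.ssid)
        self._entries[self._norm(mac)] = {"pmk": pmk, "vlan": vlan}
        return passphrase  # handed to the device once; only the PMK is kept

    def revoke(self, mac: str) -> bool:
        """Remove one device's key; every other entry is untouched."""
        return self._entries.pop(self._norm(mac), None) is not None

    def authorize(self, mac: str, offered: str):
        """Return the VLAN for this device, or None if the key does not match.

        Simplification: a real AP never sees the passphrase; it checks a
        handshake MIC keyed from the PMK. Comparing PMKs stands in for that.
        """
        entry = self._entries.get(self._norm(mac))
        if entry is None:
            return None
        ok = secrets.compare_digest(derive_pmk(offered, self.ssid), entry["pmk"])
        return entry["vlan"] if ok else None


def demo():
    store = PerDeviceKeyStore(SSID)
    alice = store.issue("AA-BB-CC-00-00-01", vlan=10)  # constructed MACs
    bob = store.issue("aa:bb:cc:00:00:02", vlan=20)
    before = (store.authorize("aa:bb:cc:00:00:01", alice),
              store.authorize("aa:bb:cc:00:00:02", bob))
    reused = store.authorize("aa:bb:cc:00:00:02", alice)  # key used from another MAC
    store.revoke("aa:bb:cc:00:00:01")
    after = (store.authorize("aa:bb:cc:00:00:01", alice),
             store.authorize("aa:bb:cc:00:00:02", bob))
    return before, reused, after
```

Because the PMK depends on the SSID, renaming the SSID invalidates every stored entry. MAC addresses are client-asserted, so the binding limits casual reuse of a leaked key rather than proving device identity.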
So whether it’s theirs or ours, ultimately the simplicity that these technologies bring to wireless LAN security is truly game changing. Administrators will be able to maintain user-level control of encryption keys without the cost and complexity of deploying a full 802.1X RADIUS authentication system.