Recently, solutions offering MPSK-RADIUS services have gained traction in various deployment environments, including MDUs, parks, and venues. These systems provide a versatile solution, enabling user authentication, accounting, and attribute assignments such as VLANs, rate limiting, and quotas, all without requiring EAP support.

Some solutions, like those built on Passpoint 2.0, offer a smoother user experience by enabling seamless connectivity with zero user intervention. However, these solutions require EAP support, which is often lacking in low-end devices such as IoT devices. As a result, these devices cannot take advantage of the benefits provided by Passpoint 2.0-based solutions.

On the other hand, MPSK-RADIUS systems are based on the most common and basic security protocol in Wi-Fi, PSK (Personal), which is supported by virtually every device. In MPSK-RADIUS deployments, from the client’s perspective, there is no visible RADIUS server. Clients perform simple WPA or WPA2 Personal authentication using passphrases entered by the users.

In a traditional MPSK-RADIUS system, the AP does not have knowledge of the passphrase. Instead, a RADIUS server is configured with a list of MAC addresses and their corresponding passphrases. When a new client tries to connect to the AP, it goes through the open system authentication and association processes. Afterward, the AP initiates the 4-way handshake:

• The AP sends EAPOL-Key message 1, which contains the ANonce.
• The client generates the SNonce and, using it alongside the passphrase (which is expanded based on the SSID to become the PMK, where PMK = f(PSK, SSID)), generates the PTK and its derivatives (KEK, KCK, and TK).
  • PTK = f(PMK, Client MAC, BSSID, ANonce, SNonce)
• The client installs the PTK, constructs EAPOL-Key message 2 by adding the SNonce, and uses the KCK to calculate a MIC for the message payload.
• In a typical WPA2 Personal scenario, the AP would use the same inputs to calculate the PTK and verify the MIC based on the KCK. However, since the passphrase is stored on the RADIUS server, the AP forwards the entire content of EAPOL-Key message 2 to the RADIUS server in an Access-Request message.
• The RADIUS server searches for a matching MAC address in its list. Once a match is found, it uses the passphrase and the information from EAPOL-Key message 2 to calculate the PMK. The RADIUS server then sends the PMK to the AP in an Access-Accept message.
• With the PMK, the AP can either use the existing ANonce and SNonce to calculate the PTK and its derivatives or restart the 4-way handshake procedure to obtain new values. This decision typically depends on the configured timeout between EAPOL-Key messages and the time it takes for the RADIUS server to respond with the Access-Accept message.
• The remainder of the process follows the standard 4-way handshake. The AP installs the PTK, generates the GTK (if this is its first client), encrypts it with the PTK, and sends it in EAPOL-Key message 3.
• The final message, EAPOL-Key 4, is sent by the client to acknowledge the receipt and installation of the GTK.
  

This setup works well in controlled environments where the network administrator has a pre-populated list of all client MAC addresses. This scenario is common in enterprise networks where EAP is the primary authentication method, and MPSK-RADIUS is used to onboard IoT devices that do not support 802.1X.

However, a traditional MPSK-RADIUS setup is impractical in environments where the administrator has no control over the devices users bring to the network. A prime example is MDU networks, where the admin needs to manage a pool of PSKs that are not tied to a one-to-one mapping with specific MAC addresses. The system must allow users to authenticate with their assigned PSK, regardless of the MAC address of the device they are using to connect to the network.

MPSK with RADIUS systems offers a solution to the problem mentioned above. These solutions typically consist of multiple components that provide various services. Some of these components include:

• RADIUS server for authentication and accounting.
• Databases to manage pools of PSKs and PMKs.
• Captive portal services for user interaction and onboarding.
• SMS gateways to assist with new customer onboarding.
• User portal for customers to manage their subscriptions and change their passwords without requiring network admin intervention.

The workflow for an MPSK-RADIUS solution is similar to the traditional MPSK-RADIUS setup described above, with one key difference: instead of matching the MAC address of the authenticating client to a list of one-to-one MAC-to-PSK pairs, the system calculates the PTK and MIC for all PSKs in the pool and tests them against the MIC sent by the AP in EAPOL-Key message 2. When a match is found, the system forwards the corresponding PMK to the AP. Once the AP receives the PMK, it has two options:

• Create the GTK and build EAPOL-Key message 3: The AP generates the Group Temporal Key (GTK) if this is the first client or if a new GTK is needed. It then builds EAPOL-Key message 3, encrypts the GTK with the PTK, and sends it to the client.
• Restart the 4-way handshake: If the time spent waiting for the Access-Accept message with the PMK exceeds the timeout for the 4-way handshake, the AP will restart the handshake process. This ensures that fresh ANonce and SNonce values are used, allowing the process to complete successfully.
  

One major downside to the process described in the flowchart above is that every time a device roams to a new AP, it must undergo a full RADIUS authentication, which usually takes about one second. A roaming time of one second is unacceptable, as it can disrupt most Layer 3 (L3) connections. To address this, OpenWiFi enables PMKSA key caching for when the client re-roams back to the original AP and supports Fast Transition (FT) with MPSK-RADIUS or PSK-RADIUS when roaming to a new AP. The FT process can be summarized as follows:

• Client initiates the roaming process by scanning for the next best candidate AP.
• Client confirms FT support: The client checks whether the target AP supports Over-The-Air (OTA) or Distribution System (DS) FT transition roaming.
• For Over-The-Air (OTA) FT:
• Authentication exchange: The client and the target AP exchange FT Authentication frames. The client shares its SNonce, PMK ID, PMK-R0 ID, and Mobility Domain ID with the target AP. In return, the target AP provides its ANonce, PMK ID, PMK-R0 ID, PMK-R1 ID, and Mobility Domain ID.
• Association exchange: The client and the target AP exchange Association and Reassociation frames. In the Association frames, the client includes the same information as above, along with a MIC generated on the message payload. In the Reassociation frames, the target AP includes the same information plus the GTK.
• For Distribution System (DS) FT:
• Authentication exchange: The same information is exchanged in the Authentication frames as in OTA FT, but instead of being sent over the air, the data is embedded in an Action Frame sent to the current AP. The current AP forwards this frame over the distribution system to the target AP. The target AP replies to the client via the distribution system through the current AP.
• Association and Reassociation exchange: The Association and Reassociation frames remain unchanged, and the procedure follows the same steps as in the OTA case.

The packet capture screenshots below illustrate how PMKSA key caching and Over-The-Air (OTA) Fast Transition (FT) with MPSK-RADIUS reduce authentication time from approximately 1 second to around 50 milliseconds.

• Go to Settings -> About device -> Version, and tap on “Version number” 7 times, this should enable the developer mode.
  
  
  

• Go to Settings -> Additional settings -> Developer Options, and enable “USB debugging” and “OEM unlocking”.
  
  

• To communicate with the OnePlus phone we will need to install the command-line tool adb (Android Debug Bridge). On a MacOS this can be installed using HomeBrew.
  
  

firasshaari@MacBook-Pro-9 ~ % brew install android-platform-tools

• Connect the device to your laptop using a USB-C to USB-C or USB-C to USB-A cable. Now, you should be able to see your device listed under the connected devices.
  
  

firasshaari@MacBook-Pro-9 ~ % adb devices   
List of devices attached
76f80f11	device

• Reboot the device in the bootloader mode using the below command.
  
  

firasshaari@MacBook-Pro-9 ~ % adb reboot bootloader

• Now in the bootloader mode your device should have a similar screen to the photo below except, its bootloader is still in the locked state.
  
  

• Now using either one of the 2 commands listed below your phone will prompt you that you’re about to unlock the bootloader. Once you accept that, the device will reboot and a message stating that the device cannot be trusted and you will need to set up it again from scratch.
  
  

firasshaari@MacBook-Pro-9 ~ % fastboot oem unlock
firasshaari@MacBook-Pro-9 ~ % fastboot flashing unlock

• After setting up your device, we will need to install the Magisk APK to allow for super user access on the device. Download Magisk-v27.0.apk and push it your device’s SD card using the following command.
  
  

firasshaari@MacBook-Pro-9 Downloads % adb push Magisk-v27.0.apk /sdcard/Download/ 
Magisk-v27.0.apk: 1 file pushed, 0 skipped. 42.2 MB/s (12498796 bytes in 0.282s)

• Use the Files app on the device to install the Magisk APK. In my case you can see that the device is trying to update the already installed APK
  
  

• After installing the APK you should be greeted with a similar screen the one below. The only difference between my screenshot and yours will be that you haven’t installed Magisk yet.
  
  

• We will need to download a FW image for the OnePlus. Pay attenuation to your HW version, since they are different images for different regulatory domains. I found the FW images on this XDA forum post.
  • Download FWs images from XDA form
• I uploaded the North America images to my OneDrive. you can find them in the links below. In my case I used OxygenOS-CPH2583_14.0.0.404(EX01)A.57 image.
  • OxygenOS CPH2583_14.0.0.502(EX01) A.61 + OxygenOS CPH2583_14.0.0.502(EX01) A.61_Incremental
  • OxygenOS CPH2583_14.0.0.604(EX01)
  • OxygenOS-CPH2583_14.0.0.404(EX01)A.57
• Download the Payload Dumper and follow the installation steps in the ReadMe file. This will be used to extract the “init_boot.img” file from the FW image. In my case this version payload-dumper-go_1.2.2_darwin_amd64 worked on my 2023 MacBook Pro 14″.
• Copy the “init_boot.img” file to your device using the push command.
  
  

firasshaari@MacBook-Pro-9 ~ % adb push init_boot.img /sdcard/Download/

• Open Magisk on the device, click on the “Ramdisk” install and “Select and Patch a File” and select the “init_boot.img” file that we pushed to the device in the last step.
  
  

• Using the adb pull command, pull the generated patched “init_boot.img” file from your phone to your laptop.
  

firasshaari@MacBook-Pro-9 ~ % adb pull /sdcard/Download/magisk_patched-27000_Y3vcR.img

• Now reboot the device in the bootloader mode and flash the patched image.
  
  

firasshaari@MacBook-Pro-9 ~ % adb reboot bootloader
firasshaari@MacBook-Pro-9 ~ % fastboot flash init_boot magisk_patched-27000_Y3vcR.img

• Reboot the device and if all goes well Magisk should be installed and, at this point and you should have root access on the device. It can be seen in the example below how running iw commands fails at first but after acquiring root privileges using the su command the command is executed successfully.
  
  

firasshaari@MacBook-Pro-9 ~ % adb shell
OP595DL1:/ $ iw wlan info 
/system/bin/sh: iw: inaccessible or not found
127|OP595DL1:/ $ su
1|OP595DL1:/ # iw wlan0 info                                                                                                                                                                                                                                               
Interface wlan0
	ifindex 24
	wdev 0x1
	addr 8e:f1:ad:a1:a6:71
	ssid home
	type managed
	wiphy 0
	channel 36 (5180 MHz), width: 80 MHz, center1: 5210 MHz
	txpower 20.00 dBm
OP595DL1:/ # 

• To turn the OnePlus 12 into sniffer mode, execute the following commands on adb shell.

iw phy phy0 interface add mon0 type monitor 
ip link set wlan0 down 
ip link set mon0 up 
ip link set wlan0 down
iw dev mon0 set channel 36 
tcpdump -i mon0 -envvv 

Useful Links

• http://junsun.net/wordpress/2024/04/how-i-rooted-oneplus-12-with-magisk/
• https://topjohnwu.github.io/Magisk/install.html
• https://xdaforums.com/t/oneplus-12-rom-ota-boot-oxygen-os-repo-of-oxygen-os-builds.4657465/
• https://github.com/vm03/payload_dumper
• https://github.com/ssut/payload-dumper-go/releases
• https://github.com/topjohnwu/Magisk/releases/tag/v27.0

On the 10/08/2021 at around 2:00pm I passed the CWISA Certification exam with a score of 97%. I am excited as this the first step in my journey towards achieving the CWISE (Certified Wireless IoT Solution Expert) certification.

The 4th video in the series of the 802.11ax training videos. In this video I explain the difference between OFDM and OFDMA and introduce the concept of RUs in the 802.11ax standard

The 3rd video in the series of the 802.11ax training videos. In this video I explain the different types of PPDUs in the 802.11ax standard.

The 2nd installment in the series of the 802.11ax training videos. In this video I highlight most of the important differences between 802.11ac and 802.11ax.

Looking at the S11 and S21 parameters of dual band ANTs shows acceptable performance up to 6.7GHz. In the photos below 4 markers on the S21 parameter graph can be seen. MK1 was set to the beginning of the 2.4GHz band, MK2 was set at the beginning of the 5GHz band, MK3 was set at the last frequency in the 6GHz where the dual ANTs still gave acceptable levels of performance and finally MK4 was set at the end of the 6GHz band (7.2GHz) where the performance degraded by a factor of 6dB below the performance measured in the 5GHz band.

Note: For more info on the S-Parameters and what do they mean you. this page https://www.antenna-theory.com/definitions/sparameters.php gives a simple and clear explanation of the concept.

On the 23/02/2021 at around 10:00am I took on a 4 hours exam an attempt to achieve the iNARTE Spectrum Management Certification. The exam was challenging, I wouldn’t say it was difficult but, definitely it wasn’t an easy one. For anyone who might be interested in taking on the exam a good background in Electrical Engineering principles and a fair knowledge of HAM radio rules regulations and best practices will definitely be a big a help to clear this exam. Finally, you can check my certification by clicking on the link below.

The Hackrf is a small affordable SDR (software Defined Radio) that can operate in frequencies up to 6GHz with a channel bandwidth of 20MHz. This makes it an excellent choice when it comes to experimenting with WiFi. One of the few drawback of a Hckrf is the lack of amplification on the Tx side. In this experiment I was successful in amplifying the transmit signal of a Hackrf by 30dB using a Skyworks FEM ( Front-End Module).

GNU radio is used to generate an 64 tone OFDM signal which is forwarded to the Hackrf. I will be writing a detailed post on how to replicate this experiment in the future. For now I would like to share with my readers short videos showing the difference in Tx power with and without the a FEM.