35

Is there a way to provide user-specific passwords for Wi-Fi, so that different users have different passwords?

I'd like to provide each user with a different password for my Wi-Fi connection.

HopelessN00b
john
  • 8
    If you have decent business class wifi and an appropriate infrastructure then you may be able to configure your wireless access points to support RADIUS authentication back to whatever central authentication service you use. If not, throw them out and get real ones. – Rob Moir Dec 02 '14 at 08:44
  • Is RADIUS authentication the only way to do this? – john Dec 02 '14 at 08:47
  • It's the only "proper" way of doing things that I'm aware of, which isn't to say that it's the only proper way of doing things, or that there isn't some wireless access point out there that supports creating as many SSIDs as you have users in order to assign them all their own password, or some other similar hack. – Rob Moir Dec 02 '14 at 08:49
  • I know that several domestic router models allow for this, but it's more like a gimmick than a full feature. – AStopher Dec 02 '14 at 14:49
  • @cybermonkey, can you share the details of those domestic router models? – boardrider Oct 18 '18 at 21:42

4 Answers

38

What you need is WPA-2 Enterprise, combined with a RADIUS server for authenticating users.

If you have an existing Active Directory infrastructure, then you can use the Network Policy Server role in Windows to do the authentication and allow users to log on with their AD username/password.

Mark Henderson
  • How would I set this up in a shared house that I was renting to 6 people? E.g. I just need 7 log-ons but at little cost or effort. – Ian Ringrose Dec 02 '14 at 16:26
  • In this case you can't. – drookie Dec 02 '14 at 17:27
  • @IanRingrose If you had a dedicated machine on the network to act as your server, then it's perfectly possible. There is software available to set up your RADIUS server, such as the popular [FreeRADIUS](http://freeradius.org/download.html). – Thebluefish Dec 02 '14 at 18:40
  • 5
    @IanRingrose what I do is base the security around specific MAC addresses of people's devices, not around the people themselves. They all have the same wifi password, but it is only useful if their MAC is whitelisted. Also all the usage and security rules are based on these MACs. It is not secure enough for a business setting, since MAC addresses can be changed and relatively easily spoofed, but in a home setting it's a low risk, since people are unlikely to hunt for each other's MAC addresses and spoof them, and a random MAC address is not useful. – Andrew Savinykh Dec 02 '14 at 21:29
  • @Thebluefish, I don't intend to have a network with machines! Just one to do with Wi-Fi – Ian Ringrose Dec 02 '14 at 22:39
  • Something like cloudessa (cloud based radius) might satisfy "easy", but less so on "cheap" (definitely not "free"). – Tom Newton Dec 03 '14 at 06:43
  • 2
    With a raspberry pi running `hostapd` and `openldap`? – Tom O'Connor Dec 03 '14 at 14:31
  • You can set up a $30 AP to run dd-wrt with WPA2-Enterprise, RADIUS authenticator & RADIUS server completely standalone. There's nothing AD specific about this. E.g. http://www.matrix44.net/blog/wp-content/uploads/2014/05/DD-WRT-WPA2-Enterprise.pdf – conny Dec 03 '14 at 16:00
  • Is WPA-2 Enterprise the same as 802.11X? – Foxocube Dec 16 '14 at 01:22
  • @CyberJacob - no. 802.1x and WPA2-Ent have a lot of similarities and can use a lot of the same infrastructure (same RADIUS server, etc), but they are still different. – Mark Henderson Dec 16 '14 at 03:50
16

Another possible solution is to set up multiple SSIDs and provide separate passwords for each one. It's not as elegant as having multiple passwords for the same SSID, but it would accomplish the same thing and would be easy to manage if your router supports multiple SSIDs.

One such router is Asus' RT line of consumer-level dual-band routers (I have the RT-AC66U) which supports up to three "Guest SSIDs" per band in addition to the main SSIDs. Each can have its own authentication and access policies. This even allows you to track usage time for each guest SSID.

Because most people aren't able to access the 5GHz band just yet, you would likely need 2 of these routers to provide enough 2.4GHz access points to do what you want for 7 people, but these routers can easily be configured as "AP-Only" mode so you can chain them together.

Alternate firmware may be able to handle more SSIDs, although I can't confirm that at the moment.

nullability
8

I would answer your question with another question... what do you hope to gain by having each user connect using a different password? The exercise seems somewhat pointless to me unless you're also hoping to attach some sort of network policies to the different credentials that you didn't mention in your original question.

Other respondents are correct: WPA-Enterprise coupled with a RADIUS server would be the proper way to accomplish this, but that is probably out of scope for what you are trying to accomplish.

If your desire to use different usernames is to be able to control access for different users without affecting other users, you might be able to use MAC address filtering instead. MAC filtering is by no means foolproof, but it would have the added benefit of preventing password sharing amongst users.

Another option is to move all of this out of the WiFi scope and further into the network. You could consider using a single WiFi password and using a captive portal upstream in the network to perform a second level of authentication. This could be accomplished with something like m0n0wall (http://m0n0.ch/wall/) relatively easily.

vrtigo1
  • 11
    What one might hope to achieve: deny access to a user you no longer trust, without having to change the password for the 99 remaining users you still want to allow. – RomanSt Dec 02 '14 at 22:41
  • 1
    +1 for the captive portal. That may be a very efficient way of doing this on consumer wifi. – Mark Henderson Dec 03 '14 at 01:44
  • 1
    That's how they do it in most hotels I have been to. – Martin Argerami Dec 03 '14 at 08:42
  • The captive portal is something to consider. However, note that captive portals usually authenticate by the MAC address once you are logged in, so this is just a more sophisticated way of setting up MAC filtering. – sleske Dec 03 '14 at 08:45
1

You need a RADIUS server! But today, even small home routers have enough power to allow this. I have an Asus RT-N65U and an Asus RT-N56U at my parents' house with custom firmware and FreeRadius2. You do need some Linux knowledge to set it up! The router allows you to set a RADIUS server in the web interface. After you set one up, you just enter localhost there!

Josef
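
The standalone setup described in the answers above (WPA2-Enterprise on the access point, with a RADIUS server on the same box reached via localhost), sketched as configuration. This is an added example, not taken from any of the answers; the interface name, SSID, user names, passphrases and shared secret are constructed placeholders, and file locations differ between FreeRADIUS versions and router firmwares.

```conf
# ---- hostapd.conf (access point side) ----
# Assumed interface name and SSID; adjust to the device.
interface=wlan0
ssid=HouseWiFi
hw_mode=g
channel=6

# WPA2 only, with 802.1X/EAP key management instead of one shared PSK.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# Forward authentication to the RADIUS server running on this same device.
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
# Placeholder; must match the secret in clients.conf below.
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET

# ---- FreeRADIUS clients.conf (who may ask the server to authenticate) ----
client localhost {
    ipaddr = 127.0.0.1
    secret = REPLACE-WITH-LONG-RANDOM-SECRET
}

# ---- FreeRADIUS users file (one entry per person, constructed values) ----
alice   Cleartext-Password := "constructed-passphrase-for-alice"
bob     Cleartext-Password := "constructed-passphrase-for-bob"
# Revoking one person does not touch anyone else's credentials:
# reject the account explicitly, or delete its line and reload.
carol   Auth-Type := Reject
```

Replace the test certificates FreeRADIUS generates at install time with your own before use, and have each client validate the server certificate; otherwise a look-alike access point can collect the per-user credentials.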