topic Re: Per-Device Identity PSK in Network Access Control

Per-Device Identity PSK

Jonathan Grim — Wed, 28 Mar 2018 21:52:15 GMT

Is there a recommended ISE configuration for per-device Identity PSK at large scale?

I'm working on a wireless ISE design. It will entail numerous consumer and IoT devices in a university setting. The consumer and IoT devices are managed by individuals, not centrally. An individual might have multiple devices.

If a recommended configuration doesn't exist, I spot-tested the following configuration in my lab:

For the endpoint, create a custom attribute for the device's PSK. (psk=<unique key>)
Create a new Authorization Profile.
Within the Authorization Profile, create two advanced attributes:
1. Cisco:cisco-av-pair = psk-mode=ascii
2. Cisco:cisco-av-pair = Endpoints:<custom endpoint attribute>
Create a new Authorization Policy with appropriate match conditions.
Assign newly created Authorization Profile as the result.

The university would have to create a custom device registration portal. The portal would generate one unique PSK for the student, and register the MAC address of the IoT device. The ISE ERS API could be used to bulk create/update the endpoints on ISE as a scheduled job.

Re: Per-Device Identity PSK

hslai — Thu, 29 Mar 2018 04:42:12 GMT

ISE 2.2+ is supporting custom endpoint attributes in authorization profiles. What you have is pretty much the same as recommended.

Please note a know issue -- CSCvd40908

Re: Per-Device Identity PSK

Jason Kunst — Thu, 29 Mar 2018 15:17:53 GMT

Very nice, if you have anymore information on how you setup your controller, some screenshots and more detail to share that will help others!

Re: Per-Device Identity PSK

Jonathan Grim — Thu, 29 Mar 2018 18:16:24 GMT

I can certainly add screen shots of WLC and ISE.

Quick question... In My Devices Portal, is there a way to add custom fields to the portal, and link it to an endpoint custom attribute? Thanks!

Re: Per-Device Identity PSK

Jason Kunst — Thu, 29 Mar 2018 18:18:15 GMT

There is not, please reach out thru sales channel to our PM that is covering this feature, his name is Ameet Kulkarni

Re: Per-Device Identity PSK

Craig Hyps — Fri, 30 Mar 2018 14:10:27 GMT

Yes, that is the method we tested internally using custom attribute. I can share config used, but it is essentially what is shown above.

There is no option with current My Devices to populate custom attributes. We are well aware of the potential but cannot discuss roadmap in this forum. Customers/account team can reach out directly to account team to solicit additional details. It is certainly possible to customize custom attributes using ERS API, either directly or part of a custom portal to populate the required values per endpoint. We have other customers doing this already.

Re: Per-Device Identity PSK

prashantk — Wed, 01 Aug 2018 06:39:24 GMT

Pls share the more details document for configuration of per user/per device conf.

so that we can configure it, in our network as well.

Its a nice option.

Re: Per-Device Identity PSK

Craig Hyps — Wed, 01 Aug 2018 08:58:01 GMT

Snippet of config is shared in BRKSEC-3697 session from Cisco Live here.

We also received Community post with sample config details here.