Advocate

Identity PSK Questions

Team,

I have a customer that is looking to reduce the number of SSIDs and create some control around their PSK networks. The customer's network is an educational network (university) that hosts many networks across many different endpoints (around 80k). The client is looking at iPSK but was under the assumption that it would operate much like Ruckus' iteration of DPSK; however, that isn't the case.

We looked at many options and it seems as if the av-attribute doesn't allow you to reference a dynamic condition such as an AD attribute. The goal of the solution that I have in mind is to create a policy that references the AD attribute and have users register their device through the device registration portal, but echo back the client's AD attribute that is unique to them as their PSK. Zero touch is preferred but device registration is acceptable.

Is there a feature request or a solution that someone could walk me through? The goal of this exercise is to reduce the risk of the PSK and also reduce the number of ISE authorization profiles/policies to create in order to support this.

Thanks,

Tarik A.

Accepted Solution

Cisco Employee

Right now the closest to integration we have is the following. We are working on a more integrated approach but can't discuss futures here in the forum. Please get your use case and opportunity info to the ISE product management team through the sales channel:

https://communities.cisco.com/docs/DOC-77607


We will also evaluate what you have here to see if there is an approach with AD, but right now I don't understand how you are seeing this work.


8 Replies


Thanks for the response Jason. Much like the workflow and authentication policy when checking the SAN attribute for ISE-provisioned certificates (where SAN = Calling-Station-ID), I was hoping for an authorization profile that can provide a dynamic attribute versus a static attribute, where the ASCII value can be an attribute in AD. Here is the video that shows an example of the authentication workflow:

Dynamic Attribute with ISE: MAC Address Matching

Basically I am looking for this return attribute:

cisco-av-pair=psk=$ADattributevalue


Like something like this?

BRKSEC-3699.jpg


Yes sir, that's what I am looking for.


Let me know if this works out for you; maybe we can share some knowledge.


Sorry, that is the model I am looking for. I guess we will need to lab this out and see what we can come up with. I looked at the document you provided; is there a way we can leverage API integration so that when a device registers through an external API, the description can be leveraged much like the example you brought up?

Device registers using an external API integration, then ISE creates a random attribute and injects it inside the custom attribute we create for the endpoint?

Thanks,

Tarik A.


Yes, you should be able to do that with API integration.


Jason,

So far so good, we are able to send the custom attribute with the API and even update existing records or create new ones. The customer is working on their end to code the webtop but this looks very similar to the DPSK feature that we were looking for.

Once we get it final, we can sync up and share notes.

Thanks.

Tarik A.
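The registration flow the thread converges on, as an added example that is not code from the original posts or from Cisco: an external registration service generates a per-device random passphrase, normalizes the MAC, and pushes it into an ISE endpoint custom attribute through the ERS endpoint API, so the authorization profile can return it as `cisco-av-pair=psk=<custom attribute>`. The host, ERS credentials and the custom attribute name `ipsk` are placeholders/assumptions; the HTTP sender is injected so the logic runs offline.

```python
import re
import secrets
import string
import json
import base64

# Placeholders: replace with the real ISE PAN and an ERS-enabled account.
ISE_HOST = "ise.example.com"
ERS_USER = "ers-admin"
ERS_PASS = "CHANGE-ME"

# WPA2-Personal passphrase: 8-63 printable ASCII characters.
PSK_ALPHABET = string.ascii_letters + string.digits


def normalize_mac(raw: str) -> str:
    """Return the MAC in colon-separated upper-case form (e.g. 00:11:22:AA:BB:CC)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def generate_psk(length: int = 24) -> str:
    """Per-device passphrase from a CSPRNG, kept inside WPA2's 8-63 character bounds."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def build_endpoint_payload(mac: str, psk: str, attr_name: str = "ipsk", description: str = "") -> dict:
    """ERS endpoint body carrying the PSK in a custom attribute (assumed attribute name 'ipsk')."""
    mac = normalize_mac(mac)
    return {"ERSEndPoint": {
        "name": mac, "mac": mac, "description": description,
        "staticProfileAssignment": False, "staticGroupAssignment": False,
        "customAttributes": {"customAttributes": {attr_name: psk}},
    }}


def register_device(mac: str, description: str = "", http_post=None) -> tuple:
    """Create the endpoint; http_post(url, headers, body) is injected so tests run offline."""
    psk = generate_psk()
    payload = build_endpoint_payload(mac, psk, description=description)
    url = f"https://{ISE_HOST}:9060/ers/config/endpoint"  # ERS listens on 9060
    token = base64.b64encode(f"{ERS_USER}:{ERS_PASS}".encode()).decode()
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"Basic {token}"}
    if http_post is not None:
        http_post(url, headers, json.dumps(payload))
    return psk, payload  # the portal shows the PSK to the user once, then discards it
```

Updating an existing endpoint is the same body sent with PUT to `/ers/config/endpoint/<id>`; on the ISE side the authorization profile references the endpoint custom attribute instead of a static PSK value.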
