1643 Views, 0 Helpful, 2 Replies

iPSK in an Anchor / Foreign WLC in a DMZ issue

craiglebutt
Level 4

Hi

Having an issue with iPSK in an Anchor / Foreign WLC in a DMZ.

Codes are 8.5.160.

ISE 2.2 patch 17

The anchor is up and works.

Having an issue getting the iPSK to work properly.

The WLAN is configured correctly for iPSK; I’ve added the RADIUS settings to the foreign WLC and tested.

The client laptop fails at the Foreign WLC; ISE shows it as passed, but it does not join the Anchor WLC.

ISE is configured to allow any device that is in the iPSK-AltheaCloud endpoint group with a certain PSK and drop it onto the correct VLAN.

The client doesn’t break out on the Anchor WLC.

I’ve added the RADIUS settings to the Anchor WLC and removed them from the Foreign WLC.

The firewall is configured to allow DMZ>Internal – ISE_Group, allowing all, and vice versa.

Added DNS setting to VLAN DNS Settings with FQDN.

Now if I put the PSK on the SSID on both WLCs it will work, which defeats the idea of having the iPSK.

ISE Log

Overview

Event  5200 Authentication succeeded 

Username A4:34:D9:F9:10:82 

Endpoint Id  A4:34:D9:F9:10:82 

Endpoint Profile  Unknown 

Authentication Policy IPSK_WLANNAME_DMZ >> MAB >> Default

Authorization Policy IPSK_WLANNAME_DMZ >> AltheaCloud

Authorization Result iPSK-AltheaCloud

Authentication Details

Source Timestamp  2020-11-17 14:34:37.163 

Received Timestamp  2020-11-17 14:34:37.163 

Policy Server  companyiseise02 

Event  5200 Authentication succeeded 

Username  A4:34:D9:F9:10:82 

User Type  Host 

Endpoint Id  A4:34:D9:F9:10:82 

Calling Station Id  a4-34-d9-f9-10-82 

Endpoint Profile  Unknown 

Authentication Identity Store  Internal Endpoints 

Identity Group  EP-iPSK-AltheaCloud 

Audit Session Id  745f930a0012e49979dfb35f 

Authentication Method  mab 

Authentication Protocol  Lookup 

Service Type  Call Check 

Network Device  ***_Company8500 

Device Type  All Device Types#WLAN 

Location  All Locations#Company 

NAS IPv4 Address  10.*.*.116 

NAS Port Type  Wireless - IEEE 802.11 

Authorization Profile  iPSK-AltheaCloud 

Response Time  14 milliseconds

Other Attributes

ConfigVersionId  80 

DestinationPort  1812 

Protocol  Radius 

NAS-Port  8 

Framed-MTU  1300 

Acct-Session-Id  5fb3df79/a4:34:d9:f9:10:82/1310719 

Tunnel-Type  (tag=0) VLAN 

Tunnel-Medium-Type  (tag=0) 802 

Tunnel-Private-Group-ID  (tag=0) 680 

Airespace-Wlan-Id  2 

OriginalUserName  a434d9f91082 

NetworkDeviceProfileName  Cisco 

NetworkDeviceProfileId  719fd2de-e608-47ea-bc4d-37740b78ea38 

IsThirdPartyDeviceFlow  false 

RadiusFlowType  WirelessMAB 

SSID  d0-72-dc-bd-e2-c0:WLANNAME 

AcsSessionID  companyiseise02/391266711/2464429 

UseCase  Host Lookup 

SelectedAuthenticationIdentityStores  Internal Endpoints 

AuthenticationStatus  AuthenticationPassed 

IdentityPolicyMatchedRule  Default85c97c67-a9f8-40b7-9055-15fd2f7091e8 

AuthorizationPolicyMatchedRule  AltheaCloud 

CPMSessionID  745f930a0012e49979dfb35f 

EndPointMACAddress  A4-34-D9-F9-10-82 

ISEPolicySetName  IPSK_WLANNAME_DMZ 

AllowedProtocolMatchedRule  MAB 

IdentitySelectionMatchedRule  Default 

DTLSSupport  Unknown 

HostIdentityGroup  Endpoint Identity Groups:EP-iPSK-AltheaCloud 

Model Name  WLC8510 

Location  Location#All Locations#Company 

Device Type  Device Type#All Device Types#WLAN 

Network Device Profile  Cisco 

RADIUS Username  A4:34:D9:F9:10:82 

NAS-Identifier  Company8500WLC 

Device IP Address  10.*.*.116 

Called-Station-ID  d0-72-dc-bd-e2-c0:WLANNAME

CiscoAVPair  audit-session-id=745f930a0012e49979dfb35f, mDNS=true 

Result

UserName  A4:34:D9:F9:10:82 

User-Name  A4-34-D9-F9-10-82 

State  ReauthSession:745f930a0012e49979dfb35f 

Class  CACS:745f930a0012e49979dfb35f:companyiseise02/391266711/2464429 

Tunnel-Type  (tag=1) VLAN 

Tunnel-Medium-Type  (tag=1) 802 

Tunnel-Private-Group-ID  (tag=1) 603 

cisco-av-pair  psk=mode=ascii 

cisco-av-pair  psk=OESB**ThePSKiscorrect**** 

cisco-av-pair  profile-name=Unknown 

DoNotSuppress  true 

LicenseTypes  Base license consumed 

2 Replies

Greg Gibbs
Cisco Employee

With any PSK SSID (including iPSK), Authentication is handled solely by the WLC. ISE is only performing Authorization for the session. The ISE logs showing 'Authentication Succeeded' are expected for PSK+RADIUS even though ISE was not involved in the AuthC.

With a Foreign/Anchor WLC setup, the following needs to be considered:

  1. The SSID configuration needs to be identical on both the Foreign/Anchor controllers
  2. The L2/RADIUS communications are solely between the RADIUS server (ISE) and the Foreign WLC. The Anchor WLC is only involved in L3 communications like URL Redirection
  3. Any Airespace ACLs used in AuthZ Profiles must be configured on both the Foreign/Anchor controllers

I'm not sure I understand your comment "Now if I put the PSK on the SSID on both WLCs it will work, which defeats the idea of having the iPSK."

The purpose of using iPSK is to provide differentiated AuthZ for PSK endpoints on the same SSID using different PSKs. Prior to iPSK, the only way to provide differentiated AuthZ for PSK endpoints was to use different SSIDs which resulted in SSID sprawl and RF concerns. See the following docs for related information:

8.5 Identity PSK Feature Deployment Guide 

Identity Pre-Shared Key (IPSK) and Mobility Anchor 

Cisco Guest Access Using WLC with Anchor setup – Release 7.0 (Open SSID for Guest, but includes steps for Foreign/Anchor setup)
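To make the reply above concrete, here is an added example (not code from the thread or from Cisco) that triages an ISE RADIUS Live Log record like the one pasted in the question: it reads the record, notes that a 'mab' 5200 event is a MAC lookup plus authorization only, confirms the Access-Accept carried the per-client PSK and a VLAN override, and checks that the NAS that sent the request is a Foreign WLC. The sample record, the NAS IP and the PSK value are constructed placeholders; the set of Foreign WLC addresses is an assumed input.

```python
# Added example, not code from the thread: triage an ISE Live Log record for an iPSK client.
import re

# Constructed sample modelled on the record in the question (IP and PSK are placeholders).
SAMPLE_RECORD = """\
Event  5200 Authentication succeeded
Authentication Method  mab
NAS IPv4 Address  192.0.2.116
Tunnel-Private-Group-ID  (tag=0) 680
Tunnel-Type  (tag=1) VLAN
Tunnel-Private-Group-ID  (tag=1) 603
cisco-av-pair  psk=mode=ascii
cisco-av-pair  psk=PLACEHOLDER-PSK
"""

def parse_record(text):
    """Split 'Name  value' lines (two or more spaces) into name -> [values]."""
    rec = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            rec.setdefault(parts[0], []).append(parts[1])
    return rec

def tagged(values, tag):
    """Return the value carrying '(tag=N)', or None (tag 0 = request, 1 = ISE reply)."""
    for v in values:
        m = re.match(r"\(tag=(\d+)\)\s*(.*)", v)
        if m and int(m.group(1)) == tag:
            return m.group(2)
    return None

def check_ipsk(rec, foreign_wlc_ips):
    """Return what ISE did and returned for the session, plus a list of issues."""
    avpairs = rec.get("cisco-av-pair", [])
    vlans = rec.get("Tunnel-Private-Group-ID", [])
    nas = rec.get("NAS IPv4 Address", [None])[0]
    issues = []
    # 'mab' + 5200 is a MAC lookup and AuthZ only; the WLC's 4-way handshake proves the PSK.
    ise_did_authc = rec.get("Authentication Method", [""])[0].lower() != "mab"
    # The mode pair is psk-mode=ascii in Cisco's format; the thread's paste shows psk=mode=ascii.
    mode_ok = any(p.startswith(("psk-mode=", "psk=mode=")) for p in avpairs)
    psk_returned = any(p.startswith("psk=") and not p.startswith("psk=mode=") for p in avpairs)
    if not (mode_ok and psk_returned):
        issues.append("per-client PSK or psk mode av-pair missing; WLC falls back to the SSID key")
    if tagged(vlans, 1) is None:
        issues.append("no VLAN override in Access-Accept")
    if nas not in foreign_wlc_ips:
        issues.append(f"RADIUS request came from {nas}, which is not a Foreign WLC")
    return {"ise_did_authc": ise_did_authc, "psk_returned": psk_returned, "nas": nas,
            "vlan_request": tagged(vlans, 0), "vlan_override": tagged(vlans, 1), "issues": issues}
```

Run it against a record whose NAS IPv4 Address is the Anchor controller and the last check flags that ISE is being asked by the wrong controller, which matches point 2 in the reply.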

Hi

The company has received ISO27001. Moving forward, they want to keep all devices that require internet access for 3rd parties off the corporate WLAN, so they break out on the DMZ.

Each company will get its own VLAN with a certain size subnet and PSK. Their MAC addresses are added to an Endpoint group in ISE.

Except for the interface, the SSID config is identical. It worked when I added the PSK to match what is in the ISE authorization rule.