11-17-2020 07:01 AM
Hi
Having an issue with iPSK in an Anchor / Foreign WLC in a DMZ
Codes are 8.5.160.
ISE 2.2 patch 17
The anchor is up and works.
Having issue getting the iPSK to work properly.
The WLAN is configured correctly for iPSK, I’ve added the Radius settings to the foreign WLC and test.
Client Laptop fails at the Foreign WLC, but the ISE shows passed but does not join the Anchor WLC.
The ISE is configured to allow any device that is in the iPSK-AltheaCloud endpoint group with the certain PSK and drop it on to the correct VLAN.
The client doesn’t break out on the Anchor WLC
I’ve added the Radius settings to the Anchor WLC and removed from the Foreign WLC.
The firewall is configured to allow DMZ>Internal – ISE_Group allowing all and vice versa.
Added DNS setting to VLAN DNS Settings with FQDN.
Now if I put the PSK on the SSID on both WLCs it will work, which defeats the idea of having the iPSK.
ISE Log
Overview
Event 5200 Authentication succeeded
Username A4:34:D9:F9:10:82
Endpoint Id A4:34:D9:F9:10:82
Endpoint Profile Unknown
Authentication Policy IPSK_WLANNAME_DMZ >> MAB >> Default
Authorization Policy IPSK_WLANNAME_DMZ >> AltheaCloud
Authorization Result iPSK-AltheaCloud
Authentication Details
Source Timestamp 2020-11-17 14:34:37.163
Received Timestamp 2020-11-17 14:34:37.163
Policy Server companyiseise02
Event 5200 Authentication succeeded
Username A4:34:D9:F9:10:82
User Type Host
Endpoint Id A4:34:D9:F9:10:82
Calling Station Id a4-34-d9-f9-10-82
Endpoint Profile Unknown
Authentication Identity Store Internal Endpoints
Identity Group EP-iPSK-AltheaCloud
Audit Session Id 745f930a0012e49979dfb35f
Authentication Method mab
Authentication Protocol Lookup
Service Type Call Check
Network Device ***_Company8500
Device Type All Device Types#WLAN
Location All Locations#Company
NAS IPv4 Address 10.*.*.116
NAS Port Type Wireless - IEEE 802.11
Authorization Profile iPSK-AltheaCloud
Response Time 14 milliseconds
Other Attributes
ConfigVersionId 80
DestinationPort 1812
Protocol Radius
NAS-Port 8
Framed-MTU 1300
Acct-Session-Id 5fb3df79/a4:34:d9:f9:10:82/1310719
Tunnel-Type (tag=0) VLAN
Tunnel-Medium-Type (tag=0) 802
Tunnel-Private-Group-ID (tag=0) 680
Airespace-Wlan-Id 2
OriginalUserName a434d9f91082
NetworkDeviceProfileName Cisco
NetworkDeviceProfileId 719fd2de-e608-47ea-bc4d-37740b78ea38
IsThirdPartyDeviceFlow false
RadiusFlowType WirelessMAB
SSID d0-72-dc-bd-e2-c0:WLANNAME
AcsSessionID companyiseise02/391266711/2464429
UseCase Host Lookup
SelectedAuthenticationIdentityStores Internal Endpoints
AuthenticationStatus AuthenticationPassed
IdentityPolicyMatchedRule Default85c97c67-a9f8-40b7-9055-15fd2f7091e8
AuthorizationPolicyMatchedRule AltheaCloud
CPMSessionID 745f930a0012e49979dfb35f
EndPointMACAddress A4-34-D9-F9-10-82
ISEPolicySetName IPSK_WLANNAME_DMZ
AllowedProtocolMatchedRule MAB
IdentitySelectionMatchedRule Default
DTLSSupport Unknown
HostIdentityGroup Endpoint Identity Groups:EP-iPSK-AltheaCloud
Model Name WLC8510
Location Location#All Locations#Company
Device Type Device Type#All Device Types#WLAN
Network Device Profile Cisco
RADIUS Username A4:34:D9:F9:10:82
NAS-Identifier Company8500WLC
Device IP Address 10.*.*.116
Called-Station-ID d0-72-dc-bd-e2-c0:WLANNAME
CiscoAVPair audit-session-id=745f930a0012e49979dfb35f, mDNS=true
Result
UserName A4:34:D9:F9:10:82
User-Name A4-34-D9-F9-10-82
State ReauthSession:745f930a0012e49979dfb35f
Class CACS:745f930a0012e49979dfb35f:companyiseise02/391266711/2464429
Tunnel-Type (tag=1) VLAN
Tunnel-Medium-Type (tag=1) 802
Tunnel-Private-Group-ID (tag=1) 603
cisco-av-pair psk=mode=ascii
cisco-av-pair psk=OESB**ThePSKiscorrect****
cisco-av-pair profile-name=Unknown
DoNotSuppress true
LicenseTypes Base license consumed
11-17-2020 02:45 PM
With any PSK SSID (including iPSK) Authentication is handled solely by the WLC. ISE is only performing Authorization for the session. The ISE logs showing 'Authentication Succeeded' is expected for PSK+RADIUS even though ISE was not involved in the AuthC.
With a Foreign/Anchor WLC setup, the following needs to be considered:
I'm not sure I understand your comment "Now if I put the PSK on the SSID on both WLCs it will work, which defeats the idea of having the iPSK."
The purpose of using iPSK is to provide differentiated AuthZ for PSK endpoints on the same SSID using different PSKs. Prior to iPSK, the only way to provide differentiated AuthZ for PSK endpoints was to use different SSIDs which resulted in SSID sprawl and RF concerns. See the following docs for related information:
8.5 Identity PSK Feature Deployment Guide
Identity Pre-Shared Key (IPSK) and Mobility Anchor
Cisco Guest Access Using WLC with Anchor setup – Release 7.0 (Open SSID for Guest, but includes steps for Foreign/Anchor setup)
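As an added illustration (not part of the original reply or of any Cisco tool) of what the WLC needs back from ISE in the iPSK AuthZ result: a small checker over a constructed copy of the "Result" attributes from the log above. It assumes the av-pair spelling from the 8.5 Identity PSK deployment guide (`psk-mode=ascii` plus `psk=<key>`) and takes the set of VLAN ids that exist as dynamic interfaces on the anchor as an input you supply.

```python
import re

# Constructed Access-Accept attributes, modelled on the "Result" section of the
# ISE log in the post above; the real PSK is replaced by a placeholder.
SAMPLE_RESULT = """\
Tunnel-Type (tag=1) VLAN
Tunnel-Medium-Type (tag=1) 802
Tunnel-Private-Group-ID (tag=1) 603
cisco-av-pair psk=mode=ascii
cisco-av-pair psk=PLACEHOLDER_PSK
cisco-av-pair profile-name=Unknown
"""

def parse_result(text):
    """Split ISE 'Result' lines into plain attributes and cisco-av-pair values."""
    attrs, avpairs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        if name == "cisco-av-pair":
            avpairs.append(value)
        else:
            attrs[name] = value
    return attrs, avpairs

def check_ipsk_authz(text, anchor_vlans):
    """Return a list of findings; an empty list means the Access-Accept looks usable.

    anchor_vlans: VLAN ids configured as dynamic interfaces on the anchor WLC
    (assumed input, taken from your own anchor configuration)."""
    attrs, avpairs = parse_result(text)
    findings = []
    modes = [p for p in avpairs if p.startswith("psk-mode=")]
    keys = [p for p in avpairs if p.startswith("psk=")]
    if not modes:
        findings.append("no psk-mode=<ascii|hex> av-pair in Access-Accept")
    for k in keys:
        # "psk=mode=ascii" parses as a PSK whose value is "mode=ascii"
        if re.fullmatch(r"psk=mode=(ascii|hex)", k):
            findings.append(f"'{k}' looks like a mistyped psk-mode av-pair")
    if len(keys) != 1:
        findings.append(f"expected exactly one psk= av-pair, got {len(keys)}")
    vlan_field = attrs.get("Tunnel-Private-Group-ID", "")
    vlan = vlan_field.split()[-1] if vlan_field else None
    if vlan is None:
        findings.append("no Tunnel-Private-Group-ID returned")
    elif vlan not in anchor_vlans:
        findings.append(f"VLAN {vlan} is not a dynamic interface on the anchor WLC")
    return findings
```

Running it against the sample with `{"603"}` as the anchor VLAN set reports the av-pair issues only; with a VLAN set that does not contain 603 it also flags the VLAN.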
11-18-2020 12:20 AM
Hi
The company has received the ISO27001 moving forward, they want to keep all devices that require internet access for 3rd party's off the corporate WLAN, so they break out on the DMZ.
Each company will get its own VLAN with a certain size subnet and PSK. Their MAC addresses are added to an Endpoint group in ISE.
Except for the interface, the SSID config is identical; it worked when I added the PSK to match what is in the ISE authorization rule.