Hello,

I've been working on setting up the iPSK Manager as described in the following link, written by @howon:

https://community.cisco.com/t5/security-documents/ipsk-identity-pre-shared-key-manager-portal-server-for-ise/ta-p/3904265#toc-hId-593855809

I work for a large enterprise ISP with fantastic support contracts with TAC, but TAC seems like they are unable to assist with this tool, hence why I am turning to the community forum for support. At least, the TAC engineer I received when I opened a case on iPSK issues has never heard of this tool, and they have not yet asked to look into it together.

My instance of ISE is a standalone node running 2.6.0.156 and it is NOT in production (yet).  Eventually I will be migrating my older ISE to this one, but until then, I wanted to explore iPSK.

While the guide covers a few different iPSK use-cases, I have not been able to get ANY of them to work. 

BYOD Self-Registration Portal

The BYOD self-registration portal is most appealing to me, so I will start here.  The problem I encountered during the setup of the BYOD portal is during the ISE configurtation of the Authorization Profile.  The table listed under this section specifies than an av-pair attribute is needed with a value that points to the URL of the portal, along with some other parameters, ie:

url-redirect=https://portal.authc.net:8443/index.php?portalId=b3a8fd37-eddb-4a2f-bf75-af255340c8fb&SessionIdValue&client_mac=ClientMacValue

However, when I enter the av-pair in my authorization profile following the same convention, ISE complains that it is in an invalid format and does not allow me to continue.  Example:

url-redirect=https://my-domain-name.net:8443/index.php?portalId=ef9efeac-aaab-4890-aa72-10d48ef89418&SessionIdValue&client_mac=ClientMacValue

ISE complains with a message: Unable to edit Authorization Profile (iPSK) : Format for url redirect : <url> isn't valid.

Here are the Attributes Details:

(Obviously, my-domain-name is replaced with my actual domain name).

And before the suggestion arise to use the ERS API to create the authorization profile automatically, that isn't working for me either.  I've enabled the ERS API, created the ers-operator and ers-admin users, and configured the iPSK Manager to use the ERS.  The iPSK Manager guide does not specify the format of the ERS API URL, so I have tried the following variants, for both the ers-admin and ers-operator user accounts:

• https://<ise-url>
• https://<ise-url>:9060
• https://<ise-url>:9060/ers

With each URL, I've tried to create a new portal, view the portal, and click the "Create ISE Authoriztation Profile" button. I fill out the profile name and description, hit validate, and then click "Create Authorization Profile". The profile never gets created in ISE, hence why I tried to do it manually.  I have verified that communication over port from the IPSK Manager to ISE on port 9060 works (telnet to ISE on 9060 from the iPSK manager host successfully connects).

Manual Creation via "IT Staff" portal

The problem I run into with this method is that the client device reports incorrect password.  ISE returns AUTH_SUCCESS, but the client still cannot join.  My WLC is a 8510 running 8.5.151.0.  Here are the av-pairs that the authorization profile is configured to use:

I am attempting to authenticate my client using the password that the iPSK Manager automatically generated for this client when I manually added the client via the iPSK Manager portal.  Here is the ISE log from the authentication attempt:

Despite returning Access-Accept, I cannot join the wireless network. The client shows "incorrect password" as the cause. The WLAN on the WLC is configured with Mac Filtering enabled, WPA2 PSK security, the ISE 2.6 server is enabled under AAA Authentication, RADIUS is the only mode used for authentication, AAA override is enabled, and NAC State is set to ISE NAC. The rest of the WLAN config is essentially default.

I would greatly appreciate any input or suggestions of things to try to get this working!