Wireless guest with OTP

StefC
Level 1

Hi,

 

Sales guy has told the customer that a guest SSID can be configured that allows the following process:

  1. Receptionist has bits of paper with uniquely generated PSKs
  2. The PSKs have two types of expiry that begin on first use: 4 hours, 3 months. Generated PSKs are associated to groups with the relevant expiry set.
  3. Guest enters PSK to auth and the expiry timer begins.

Devices involved are WLC and ISE. New deployment so latest software.

 

Is this possible and if so, could you point me to some config docs? Haven't been able to find anything.

 

Thanks.

Accepted Solutions

Jason Kunst
Cisco Employee
There is no way to create iPSK on the fly for 3 hours. This would be a simple sponsored guest account. The document shared before was the only documented iPSK offering. You might be able to do your own flow using the API and a sponsor portal you create yourself.

Can you tell us why you are using iPSK for guest users? It's mainly used for IoT devices.

If they want encryption, they could use WPA-PSK + CWA plus sponsored guest accounts

OR use dot1x with guest accounts



Jurgens L
Level 3
Hi Stef,

You will need to create guest types first, one for the 3-hour period and one for the 4-month period.

You can then either generate random guest accounts and link them to the respective guest types accordingly, or you can import the accounts via a CSV template you can download from ISE.

See the document below to deploy the options I’ve mentioned.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/sponsor_guide/b_spons_SponsorPortlUserGuide_22/b_spons_SponsorPortlUserGuide_22_chapter_01.pdf



<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>

Thanks Jurgens.
I see what you mean about Guest Types.
So is it only possible with username/password? Not with a list of pre-shared keys along the lines of Identity PSK?

Hi Stef,

If you aren’t worried about a guest portal then yes, IPSK will suit your solution. You will need to set up your policies on the ISE and on the WLC; on the WLC you will be able to specify the period you want this policy to be available.

Check the IPSK guide below. In this document they focus more on IoT, so they lock MAC addresses to the Authorization policy. As you want to use this for guests, you don’t need to worry about that; rather, lock it down to your SSID by using the RADIUS:Called-Station-ID.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html





Thanks for the help everyone.
It's the solution the client wants despite the technical advice saying that it cannot be done and sales saying yes.
The client doesn't want portals and username/pass but a pile of preshared keys they can hand out. Some that last 4 hours, some that last 3 months. I know how IPSK is configured but it was the only option I could think of for getting multiple different PSKs.
I was looking for confirmation on whether it can or cannot be done and now that I have it, sales can deal with the fallout.....
Thanks again.