Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2118
Views
15
Helpful
5
Replies

Wireless guest with OTP

Go to solution
StefC
Level 1
Level 1

‎02-04-2019 10:13 PM

Hi,

 

Sales guy has told the customer that a guest SSID can be configured that allows the following process:

  1. Receptionist has bits of paper with uniquely generated PSKs
  2. The PSKs have two types of expiry that begins on first use; 4 hours, 3 months. Generated PSKs are associated to groups with the relevant expiry set.
  3. Guest enters PSK to auth and the expiry timer begins.

Devices involved are WLC and ISE. New deployment so latest software.

 

Is this possible and if so, could you point me to some config docs?  Haven't been able to find anything.

 

Thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎02-05-2019 04:14 AM

There is no way to create iPsk on the fly for 3 hour. This would be a simple sponsored guest account. The document shared before was the only documented iPsk offering. You might be able to do your own flow using api and your own created sponsor portal

Can you tell us why using iPsk for guest users? Mainly it’s used for iot devices.

If they want encrypted they could use wpa-psk + CWA plus sponsored guest accounts

OR use dot1x with guest accounts


View solution in original post

5 Replies 5

Go to solution
Jurgens L
Level 3
Level 3

‎02-04-2019 10:55 PM

Hi Stef,

You will need to create guest types first, one for the 3 hours period and one for the 4 months period.

You can then either generate random guest accounts and link them to the respective guest types accordingly or you can import the accounts via a csv template you can download from ISE.

Find document below to deploy the options I’ve mentioned.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/sponsor_guide/b_spons_SponsorPortlUserGuide_22/b_spons_SponsorPortlUserGuide_22_chapter_01.pdf



<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>

Go to solution
StefC
Level 1
Level 1
In response to Jurgens L

‎02-04-2019 11:41 PM

Thanks Jurgens.
I see what you mean about Guest Types.
So is it only possible with username/password? Not with a list of pre-shared keys along the lines of Identity PSK?
0 Helpful

Go to solution
Jurgens L
Level 3
Level 3
In response to StefC

‎02-05-2019 12:38 AM

Hi Stef,

If you don’t worry about a guest portal then yes IPSK will suite your solution. You will need to setup your policies on the ISE and on the WLC, on the WLC you will be able to specify the period you want this policy to be available.

Check this IPSK guide below, in this document they focus more on IOT so they lock MAC addresses to the Authorization policy. As you want to use this for guest, you don’t need to worry about that, rather lock it down to your SSID by using the RADIUS:Called-Station-ID

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html



<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>


Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎02-05-2019 04:14 AM

There is no way to create iPsk on the fly for 3 hour. This would be a simple sponsored guest account. The document shared before was the only documented iPsk offering. You might be able to do your own flow using api and your own created sponsor portal

Can you tell us why using iPsk for guest users? Mainly it’s used for iot devices.

If they want encrypted they could use wpa-psk + CWA plus sponsored guest accounts

OR use dot1x with guest accounts


Go to solution
StefC
Level 1
Level 1
In response to Jason Kunst

‎02-05-2019 06:21 PM

Thanks for the help everyone.
It's the solution the client wants despite the technical advice saying that it cannot be done and sales saying yes.
The client doesn't want portals and username/pass but a pile of preshared keys they can hand out. Some that last 4 hours, some that last 3 months. I know how IPSK is configured but it was the only option I could think of for getting multiple different PSKs.
I was looking for confirmation on whether it can or cannot be done and now that I have it, sales can deal with the fallout.....
Thanks again.
0 Helpful
Top