Cisco ISE & WLC - WPA2-PSK WLAN: Per-Device Passphrase (IPSK)


This document describes how Cisco ISE and the Identity PSK feature on the Cisco WLC can support a unique passphrase for each device on a WPA2-PSK WLAN.  To date, Identity PSK implementation guides have focused on group-level authorization policies: ISE endpoint identity groups, populated dynamically (device profiling) or statically, with one passphrase shared by every device in the group.

 

Identity PSK

 

To learn about Identity PSK, its benefits, and how to configure the Cisco WLC; please read the AireOS 8.5 Identity PSK Feature Deployment Guide.

 

Identity PSK requires the wireless client's MAC address to be registered or profiled on the ISE server.  The WLC enforces WLAN association by checking that the passphrase the client used for the WPA2 4-way handshake matches the passphrase returned as an attribute-value pair in the ISE RADIUS response.  Cisco ISE can include additional controls in the same response, such as a VLAN ID, a TrustSec SGT, or an AireOS ACL name.  Note that RADIUS obfuscates only the User-Password attribute: the per-device passphrase is returned in a cisco-av-pair in the clear, so the path between the WLC and ISE should be a trusted network or be protected at the transport layer (for example, IPsec).

 

 

Use Cases

 

Why use per-device passphrases instead of shared passphrases?  For many environments, grouping devices into endpoint identity groups and using a group passphrase simplifies operations.  A per-device passphrase, however, can be revoked or rotated for a single device without re-keying every other device in the group, and a passphrase recovered from one device does not admit any other device.  The following use cases may benefit from per-device passphrases:

 

  • Higher-Education
    • Student Dormitory - Video Game Consoles, Digital Personal Assistants
    • Classroom - Audio/Video Equipment, IoT Devices
    • Building Management Systems
  • Healthcare
    • Personal Biomedical Devices
    • Long-term Care - Video Game Consoles, Audio/Video Equipment
    • Encrypted Guest Internet Service
  • Manufacturing
    • Temporary Field Technician Access

 

 

Solution Elements

 

  • WLC - AireOS 8.5 or newer
    • Identity PSK feature introduced in AireOS 8.5.
  • RADIUS - Identity Services Engine 2.3 or newer
    • Evaluation of endpoint custom attributes within the RADIUS authorization profile introduced in ISE 2.3.

 

 

ISE Configuration Instructions

 

Endpoint Customization

  1. Open the Endpoint Custom Attributes page

    • Click on the Top Menu:  Administration > Identity Management > Settings

    • Click on the Left Menu:  Endpoint Custom Attributes

  2. Create a new Custom Attribute

    • This will create a new endpoint variable, used for the passphrase in the ISE database.

    • The example utilizes a custom attribute named: iPSK:

    • Be certain to cast the custom attribute as type "string."

  3. Register the wireless endpoint using the ISE GUI

    • Click on the Top Menu:  Context Visibility > Endpoints

    • Click on the "Plus Sign"

  4. Input the endpoint's MAC address, then click Save.
  5. Assign a passphrase to the endpoint.
    • Click on the newly created endpoint, then click Edit.
    • Under the Custom Attributes section, set the iPSK attribute to the passphrase, prefixed with "psk=".  The example uses "stacie12345" as the passphrase, so the value stored in ISE, and the response the WLC expects, is "psk=stacie12345":
    • The passphrase itself must satisfy the WPA2-PSK rules: 8 to 63 printable ASCII characters.  Use a randomly generated value per device rather than a predictable one.  The attribute is a plain string, so any ISE administrator who can view the endpoint can read the passphrase; restrict endpoint access accordingly.

 

RADIUS Authorization Profile

  1. Locate the RADIUS Authorization Profiles
    • Click on the Top Menu:  Policy > Policy Elements > Results
    • Click on the Left Menu:  Authorization > Authorization Profile
  2. Create a new RADIUS Authorization Profile
    • Click:  Add
    • Name the policy.  The example uses the name: IdentityPSK
  3. Expand the Custom Attributes section.
  4. Create the first required attribute.  This instructs the WLC to expect an ASCII passphrase.
    • In the left-hand dropdown, search for: cisco-av-pair
    • Select: cisco-av-pair--[1]
    • In the right-hand field, enter the following: psk-mode=ascii
  5. Create the second required attribute.  This returns the endpoint passphrase created in the previous section.
    • In the left-hand dropdown, search for: cisco-av-pair
    • Select: cisco-av-pair--[1]
    • In the right-hand dropdown, select EndPoints, then select the custom endpoint attribute you created in the previous section.  The example uses "iPSK"; at authorization time ISE substitutes the value stored on the matched endpoint (for example "psk=stacie12345") into the response:
  6. Save the Authorization Profile.

 

RADIUS Authorization Policy

  1. Open the RADIUS Policy Set
    • Click:  Policy > Policy Sets
    • Select the Policy Set used for wireless authentication and authorization.  Because the WLAN uses MAC filtering, this policy set's authentication rule must look up the client MAC in Internal Endpoints; an unregistered MAC then receives no passphrase and cannot associate.
  2. Expand the Authorization Policy
  3. Create a new Authorization Rule
    • Click on the "Plus Sign"
    • Provide a meaningful rule name.
    • Configure the match condition.  The example uses the SSID name as the match condition (typically Radius:Called-Station-ID ends with the SSID).  Place the rule above any broader catch-all rule so it is evaluated first:
  4. Assign the newly created Authorization Profile as the RADIUS Result Profile.
  5. Save the Policy Set.
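The RADIUS exchange that results from the configuration above, as an added example that is not part of the original article: a constructed Access-Request as the WLC sends it for the client MAC, the Access-Accept carrying the two cisco-av-pairs from the IdentityPSK authorization profile, and a model of the controller-side check. The shared secret, SSID, MAC addresses and the fixed request authenticator are constructed values; the packet layout follows RFC 2865 and the PMK derivation follows IEEE 802.11i.

```python
# Added example (not from the original article): the RADIUS exchange behind Identity PSK,
# reconstructed from RFC 2865 and the two cisco-av-pairs configured in the IdentityPSK
# profile. The shared secret, SSID, MACs and request authenticator are constructed values.
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, VENDOR_SPECIFIC, CALLED_STATION_ID = 1, 26, 30
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_av_pair(text):
    """Encode a cisco-av-pair as Vendor-Specific (26) with vendor 9, vendor-type 1."""
    payload = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AV_PAIR, len(payload) + 2) + payload
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def packet(code, ident, authenticator, attrs):
    """RADIUS header (Code, Identifier, Length, Authenticator) followed by the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(ident, request_auth, client_mac, ap_mac, ssid):
    """Access-Request the WLC sends on association: the client MAC is the only credential.
    The User-Name format follows the controller's MAC delimiter setting (constructed here)."""
    attrs = attr(USER_NAME, client_mac.encode()) + attr(CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode())
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def access_accept(ident, request_auth, secret, passphrase):
    """Access-Accept with the two av-pairs the IdentityPSK authorization profile returns."""
    attrs = cisco_av_pair("psk-mode=ascii") + cisco_av_pair("psk=" + passphrase)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    # Only User-Password is obfuscated in RADIUS; the psk av-pair rides in the clear.
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return packet(ACCESS_ACCEPT, ident, resp_auth, attrs)


def parse_av_pairs(pkt):
    """Return (code, {key: value}) for every cisco-av-pair in a RADIUS packet."""
    code, _, length = struct.unpack("!BBH", pkt[:4])
    pairs, pos = {}, 20
    while pos < length:
        a_type, a_len = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + a_len]
        if (a_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
                and value[4] == CISCO_AV_PAIR):
            key, _, val = value[6:4 + value[5]].decode("ascii").partition("=")
            pairs[key] = val
        pos += a_len
    return code, pairs


def response_is_authentic(pkt, request_auth, secret):
    """Verify the Response Authenticator before trusting anything in the reply."""
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth


def pmk(passphrase, ssid):
    """WPA2 PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wlc_admits(accept_pkt, request_auth, secret, ssid, client_passphrase):
    """Model of the WLC side: the client is admitted only if the PMK it derived from its own
    passphrase equals the PMK the WLC derives from the psk ISE returned. On a real controller
    that comparison happens through the 4-way handshake MIC rather than a direct compare."""
    if not response_is_authentic(accept_pkt, request_auth, secret):
        return False
    code, pairs = parse_av_pairs(accept_pkt)
    if code != ACCESS_ACCEPT or pairs.get("psk-mode") != "ascii" or "psk" not in pairs:
        return False
    return pmk(pairs["psk"], ssid) == pmk(client_passphrase, ssid)


SECRET = b"radius-shared-secret"   # constructed
SSID = "Dorm-IoT"                   # constructed
REQ_AUTH = bytes(range(16))         # fixed instead of random so the run is reproducible

if __name__ == "__main__":
    req = access_request(7, REQ_AUTH, "aabbccddeeff", "00-11-22-33-44-55", SSID)
    acc = access_accept(7, REQ_AUTH, SECRET, "stacie12345")
    print("psk in clear in the Access-Accept:", b"psk=stacie12345" in acc)
    print("registered passphrase admitted:", wlc_admits(acc, REQ_AUTH, SECRET, SSID, "stacie12345"))
    print("other device's passphrase rejected:", wlc_admits(acc, REQ_AUTH, SECRET, SSID, "stacie54321"))
```

Running the module shows the psk= value present verbatim in the Access-Accept, which is the reason to protect the WLC-to-ISE path; it also shows that a client holding a different device's passphrase derives a different PMK and is refused, and that a reply whose Response Authenticator does not verify is refused before the passphrase is even read.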

 

 

Device Self-Registration

 

Access to the endpoint passphrase attribute via the Device Registration Portal on ISE is not supported.

 

To provide device self-registration, a custom web portal can be created external to Cisco ISE.  Cisco ISE provides a RESTful API, which the custom web portal can use to register a device and its unique passphrase with API calls.

 

Developing a custom web portal is outside the scope of this document.  For more information about the External RESTful Services (ERS) API for Cisco ISE, please read about it here.
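An added example, not from the original article, of what such a portal would send: it builds the ERS EndPoint body for the Endpoint Customization steps above (the iPSK custom attribute carrying the "psk=" prefix), validates the passphrase against the WPA2 rules, and POSTs it to ERS. The ISE hostname, ERS credentials, MAC addresses and passphrases are constructed; the JSON shape follows the ERS EndPoint resource schema, and it is assumed that ERS is enabled on the PAN and the account holds the ERS Admin role.

```python
# Added example (not from the original article): the ERS call a self-registration portal
# would make to create an endpoint whose iPSK custom attribute holds "psk=<passphrase>".
# The ISE host, ERS credentials, MAC addresses and passphrases below are constructed values.
import base64
import json
import re
import secrets
import string
import urllib.request

PSK_ALPHABET = string.ascii_letters + string.digits  # subset of WPA2's printable-ASCII range
CUSTOM_ATTRIBUTE = "iPSK"                            # name created under Endpoint Custom Attributes


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff and
    return the AA:BB:CC:DD:EE:FF form ISE stores for an endpoint."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_passphrase(passphrase):
    """A WPA2 passphrase is 8 to 63 printable ASCII characters (IEEE 802.11i); anything else
    would be stored by ISE as a string but could never complete a 4-way handshake."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase


def generate_passphrase(length=20):
    """Random per-device passphrase; 20 alphanumeric characters is about 119 bits of entropy,
    well beyond offline dictionary attacks on a captured 4-way handshake."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def endpoint_payload(mac, passphrase, attribute=CUSTOM_ATTRIBUTE, description=""):
    """ERS EndPoint body. The attribute value carries the psk= prefix the WLC expects,
    exactly as it was typed by hand in the Endpoint Customization steps."""
    return {
        "ERSEndPoint": {
            "mac": normalize_mac(mac),
            "description": description,
            "staticProfileAssignment": False,
            "staticGroupAssignment": False,
            "customAttributes": {
                "customAttributes": {attribute: "psk=" + validate_passphrase(passphrase)}
            },
        }
    }


def register_endpoint(ise_host, ers_user, ers_password, mac, passphrase,
                      opener=urllib.request.urlopen):
    """POST the endpoint to ERS on the PAN (TCP 9060) with HTTP basic auth. Returns the HTTP
    status; 201 means the endpoint, and with it the passphrase, now exists in ISE."""
    body = json.dumps(endpoint_payload(mac, passphrase)).encode()
    token = base64.b64encode(f"{ers_user}:{ers_password}".encode()).decode()
    request = urllib.request.Request(
        f"https://{ise_host}:9060/ers/config/endpoint",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": "Basic " + token,
        },
    )
    with opener(request) as response:  # opener is injectable so the call can be exercised offline
        return response.status


if __name__ == "__main__":
    # Constructed values; a real portal would take the MAC from the user's form submission.
    passphrase = generate_passphrase()
    print(json.dumps(endpoint_payload("aabb.ccdd.eeff", passphrase), indent=2))
    # register_endpoint("ise-pan.example.test", "ers-admin", "ers-password",
    #                   "aabb.ccdd.eeff", passphrase)
```

The portal should generate the passphrase server-side and show it to the user once; the same ERS resource can later be updated (PUT) to rotate the value or deleted to revoke the device, which is the operational advantage of per-device passphrases over a group passphrase.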

 

 

Comments
Cisco Employee

Just to confirm, are you saying that the minimum OS version for ISE has to be 2.3 in order to run IPSK?

Cisco Employee

 

As a reminder, this is a special use case.  Please review the AireOS 8.5 Identity PSK Feature Deployment Guide for guidance on typical use.  When used in this manner, there isn't a version requirement for Cisco ISE.  As a reminder, Identity PSK on the WLC integrates with most RADIUS servers, not just Cisco ISE.

 

This article requires Cisco ISE 2.3 or newer to accomplish the special use case: Per-Device PSK.  Cisco ISE 2.3 added the capability to build a dynamic RADIUS AVP response using a variable (endpoint custom attribute).  This simplifies our RADIUS authorization policies.  Without it, we would have to create an authorization policy per-endpoint.

Cisco Employee

 ... Cisco ISE 2.3 added the capability build a dynamic RADIUS AVP response using a variable (endpoint custom attribute).  This simplifies our RADIUS authorization policies. ...

The custom attributes for internal endpoints are there since ISE 2.1. It appears working fine with an authorization profile with an endpoint custom attribute assigned to Cisco AVP, when I tried it with ISE 2.2 Patch 9.

 

Cisco Employee

Thanks to you both for your quick feedback and clarification! Creating a policy or even an authZ rule for every endpoint would be very impractical and tough to manage, especially for large customers. Glad to hear that ISE 2.3 can do this dynamically via RADIUS AVP response.

Cisco Employee

Another question. Has IPSK been tested with ISE 2.4? If not, is there any plans to test it with ISE 2.4?

Cisco Employee

Is iPSK supported for an AP running in FlexConnect mode/ local switching/ central authentication?

Cisco Employee

@kahsieh as mentioned in the beginning, it's for 2.3 and higher. For iPSK support you should check with the wireless team; however, you can also see this information:

According to the 8.8mr1 RN, Flex + iPSK + p2p blocking is supported:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn88mr1.html#ipsk-flex-mode-p2p-block