This document describes how Cisco ISE and the Identity PSK feature on the Cisco WLC can support a unique passphrase for each device on a WPA2-PSK WLAN.  To date, Identity PSK implementation guides focused on singular authorization policies; ISE endpoint identity groups for dynamic (device profiling) or static classification of wireless devices.

Identity PSK

To learn about Identity PSK, its benefits, and how to configure the Cisco WLC; please read the AireOS 8.5 Identity PSK Feature Deployment Guide.

Identity PSK requires the wireless client's MAC address to be registered or profiled on the ISE server.  WLAN association enforcement occurs on the WLC by comparing the client provided passphrase to the passphrase returned as an attribute-value response from the ISE server.  Cisco ISE can send additional controls to the WLC in the response, such as VLAN ID, TrustSec SGT, and AireOS ACL name.

Use Cases

Why use per-device passphrases instead of shared passphrases?  For many environments, the grouping of devices into endpoint identity groups and using a group passphrase simplifies operations, but the following use cases may benefit from per-device passphrases:

• Higher-Education
  • Student Dormitory - Video Game Consoles, Digital Personal Assistants
  • Classroom - Audio/Video Equipment, IoT Devices
  • Building Management Systems
• Healthcare
  • Personal Biomedical Devices
  • Long-term Care - Video Game Consoles, Audio/Video Equipment
  • Encrypted Guest Internet Service
• Manufacturing
  • Temporary Field Technician Access

Solution Elements

• WLC - AireOS 8.5 or newer
  • Identity PSK feature introduced in AireOS 8.5.
• RADIUS - Identity Services Engine 2.3 or newer
  • Evaluation of endpoint custom attributes within the RADIUS authorization profile introduced in ISE 2.3.

ISE Configuration Instructions

Endpoint Customization

1. Open the Endpoint Custom Attributes page

   • Click on the Top Menu:  Administration > Identity Management > Settings

   • Click on the Left Menu:  Endpoint Custom Attributes

2. Create a new Custom Attribute

   • This will create a new endpoint variable, used for the passphrase in the ISE database.

   • The example utilizes a custom attribute named: iPSK:

     

   • Be certain to cast the custom attribute as type "string."

3. Register the wireless endpoint using the ISE GUI

   • Click on the Top Menu:  Context Visibility > Endpoints

   • Click on the "Plus Sign"

4. Input the endpoint's MAC address, then click Save.

5. Assign a passphrase to an endpoint.
   • Click on the newly created endpoint.
6. Edit the endpoint
7. Under the Custom Attribute section, add a passphrase to the endpoint.  Prepend the passphrase with "psk=". The example utilizes "stacie12345" as the passphrase, and "psk=stacie12345" as the required response to the WLC:
   

RADIUS Authorization Profile

1. Locate the RADIUS Authorization Profiles
   • Click on the Top Menu:  Policy > Policy Elements > Results
   • Click on the Left Menu:  Authorization > Authorization Profile
2. Create a new RADIUS Authorization Profile
   • Click:  Add
   • Name the policy.  The example uses the name: IdentityPSK
3. Expand the Custom Attributes section.
4. Create the first required response.  This instructs the WLC to look for a ASCII passphrase.
   • In the left-hand dropdown, search for: cisco-av-pair
   • Select: cisco-av-pair--[1]
   • In the right-hand dropdown, enter the following: psk-mode=ascii
5. Create the second required response.  This returns the endpoint passphrase created in previous section.
   • In the left-hand dropdown, search for: cisco-av-pair
   • Select: cisco-av-pair--[1]
   • In the right-hand dropdown, select: EndPoints.  Then select the custom endpoint attribute you created in the previous section.  The example uses "iPSK" as the custom endpoint attribute:
     
6. Save the Authorization Profile.

RADIUS Authorization Policy

1. Open the RADIUS Policy Set
   • Click:  Policy > Policy Set
   • Select the Policy Set used for wireless authentication and authorization.
2. Expand the Authorization Policy
3. Create a new Authorization Policy
   • Click on the "Plus Sign"
   • Provide a meaningful rule name.
   • Configure the match condition.  The example utilizes the SSID name as the match condition:
     
4. Assign the newly created Authorization Profile as the RADIUS Result Profile.
5. Save the Authorization Profile

Device Self-Registration

Access to the endpoint passphrase attribute via the Device Registration Portal on ISE is not supported.

To provide device self-registration, a custom web portal can be created - external to Cisco ISE.  Cisco ISE provides a RESTful API, which can be used by the custom web portal to register a device and its unique passphrase using API calls.

Developing a custom web portal is outside the scope of this document.  For more information regarding the Extensible RESTful Services (ERS) for Cisco ISE, please read about it here.