Dynamic PSK Assignment/Auto Config Tool

Hello Community,

I've been searching the Internet for products or tools that will dynamically assign a wireless PSK to clients without human or manual intervention.  I would also like to be able to use this with our existing Cisco wireless infrastructure with the ability to use ISE for identity authentication/authorization.  Is there such a product that is supported by Cisco?  The only vendor I can find that has this type of ability is Ruckus.  MS InTune also has the ability to push custom wifi profiles but I believe the InTune agent has to be installed so medical devices that don't have much of an interface won't be able to take advantage.  I know with WLC 8.5, I can do iPSK but we would still have to configure each device with the PSK manually.

What I'm looking for is something that will generate and push the wifi PSK to a client without having the administrative burden of configuring every single device with the key and then having to reconfigure when the key is rotated.

Thanks,

Terence Lockette

6 Replies

Leo Laohoo
Hall of Fame

Like iPSK?

Something like that or that can assign a wifi profile or key to a device without having to manually enter it on the client device.  From my understanding, iPSK would still require someone to enter the unique key on the device that will be accepted by the RADIUS server, correct?  If so, iPSK would get us 95% there but the other 5% would be to configure the client device automatically upon associating to the SSID without manually entering the key.  I understand that we'll still need to manually connect the client to the WLAN but after that, the network would take care of the rest.

Hope that makes sense regarding what I'm looking to do.

I really really hope your medical equipment does not allow any remote WiFi network that it has never connected to before to remotely configure its WiFi security settings (PSK in this case).  If it does, please for the safety of your patients, turn off and remove that equipment from your network immediately.

No we do not. All wifi settings have to be manually configured. However, I was hoping to find something similar to what MS InTune does where a wifi profile can be pushed whenever we need to rotate the key without manual intervention but still keep the session alive. Not sure if this is possible but in our high-tech society, I would think that someone would've thought of how to do this by now.

You could probably use the REST APIs on the ISE plus powershell / group policies to push the new wireless configuration to your equipment. That requires your equipment to be domain joined though.
Alternatively you can probably add/modify a wireless profile on a Windows based computer through "netsh".

iPSK behaviour is identical to PSK, except that the WLC does a quick check with the Radius Server (can be ISE or anything else) whether there is a custom PSK or not.  If the MAC address is not found on the Radius Server, then the Radius Server can do one of two things:

- send a Reject to WLC and client won't connect.  This is strict mode - in other words, if your MAC address is not on the Radius Server then I don't care what PSK your client has, I will refuse to accept you.

- send an Accept to the WLC and then the client PSK and WLAN PSK have to match.  I call this the "compatibility mode" - it's great in deployments where you want to be non-disruptive with the existing clients whose MAC address you may never want to have controlled by the Radius Server.  It gives you control over which clients you want to control using iPSK (create groups of devices that have their own PSK).

Failing that - if you want plug and play then perhaps MAB or 802.1X is the other option.  But that comes with its own headaches.

There is no free lunch ...
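
A small model of the MAC lookup described in the reply above, added here as an illustration; it is not code from the thread or from Cisco. The table, keys and function names are constructed, the `psk-mode`/`psk` AV pair names are an assumption not stated in the thread, and the final comparison stands in for the WPA2 handshake succeeding.

```python
import hmac
import re

# Constructed sample data: per-device keys held on the RADIUS server.
IPSK_TABLE = {
    "001122aabbcc": "infusion-pump-key",  # constructed value
    "001122ddeeff": "monitor-group-key",  # constructed value
}
WLAN_PSK = "shared-wlan-key"              # constructed value, the SSID-wide key


def normalize_mac(mac: str) -> str:
    """Reduce aa:bb:.., AA-BB-.., aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def radius_decision(mac: str, strict: bool) -> dict:
    """Model the RADIUS server's answer to the WLC's MAC lookup."""
    key = IPSK_TABLE.get(normalize_mac(mac))
    if key is not None:
        # Known MAC: return its custom PSK (AV pair names are an assumption).
        return {"reply": "Access-Accept",
                "av_pairs": ["psk-mode=ascii", f"psk={key}"]}
    if strict:
        # Strict mode: unknown MAC is refused whatever PSK it holds.
        return {"reply": "Access-Reject", "av_pairs": []}
    # Compatibility mode: accept with no override, WLAN PSK applies.
    return {"reply": "Access-Accept", "av_pairs": []}


def wlc_admits(mac: str, client_psk: str, strict: bool) -> bool:
    """Model the WLC: choose which PSK the client must hold, then check it."""
    decision = radius_decision(mac, strict)
    if decision["reply"] == "Access-Reject":
        return False
    expected = WLAN_PSK
    for pair in decision["av_pairs"]:
        if pair.startswith("psk="):
            expected = pair[len("psk="):]
    # Stand-in for the 4-way handshake succeeding with the expected key.
    return hmac.compare_digest(client_psk.encode(), expected.encode())
```

In compatibility mode any device holding the WLAN PSK is admitted, so a MAC entered in a form the lookup does not recognise falls back to the shared key; normalising the address before the lookup avoids that.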
