
03-15-2019 02:48 AM - edited 07-05-2021 10:03 AM
Dear All,
We're looking for a simple solution to connect IoT devices to our WLAN in a safe way. Since WLC release 8.5 Cisco has had the Identity PSK feature (Private Preshared Key), and we're wondering if 802.1x still makes sense in the day of Identity PSK, which even offers 802.1x features like dynamic VLAN or ACL assignment, etc.
Regarding security or other features, what is your opinion when 802.1x is compared to Identity PSK?
Thanks,
Thorsten
Accepted Solutions
03-18-2019 02:56 AM
I think this has now crossed over with this post about iPSK with FreeRADIUS.
As I posted there, there is this blog around iPSK with FreeRADIUS:
http://indcontrolproto.blogspot.com/2019/02/cisco-identity-psk-and-freeradius.html
*** Please rate helpful posts ***
03-18-2019 05:56 AM
In any case, I would only focus on IPSK, because most "dumb" devices don't support certificate or username/password based authentication, only unencrypted or PSK.
03-15-2019 03:17 AM
It's been long working stable 802.1x based on experience; I have not deployed 8.5 (which is on the list to test and deploy in a real environment).
8.5 has more of the features you are looking for. As per the documentation, Identity PSK would be the best way to move forward (but bear in mind the required compatibility of WAP and WLC to support 8.5).

03-15-2019 05:41 PM
If it were up to me I would be utilizing 802.1x for all my authentications. EAP-TLS if it was possible due to getting the most secure authentication.
In regards to PSK, well it is just a combination of characters so keep in mind that it is possible to guess the PSK.
Identity PSK really came about for devices that could not support 802.1x but needed to join different networks and allow you to reduce the number of SSIDs.
*** Please rate helpful posts ***
03-18-2019 01:40 AM
Hi, thanks for your replies. Yes, the reason we're considering it is to reduce the number of SSIDs required for IoT devices.
Did any of you manage to get it to run with FreeRADIUS as the RADIUS server? How did you do it?
Thanks

03-18-2019 08:18 AM
Thanks for the excellent link. Following it has helped. I share the same view - I think we'll focus on I-PSK instead of 802.1x for our IoT devices - also for the sake of saving 1 SSID :-)
