Re: [WIRELESS-LAN] Cisco Code Version

2017-08-04 Thread Hunter Fuller
You're right, I had misread that.

Upon reading it that way, though, isn't that fine too? The person's device
reports its MAC, and then ACS or any other RADIUS just responds with that
MAC's owner's assigned PSK. If the device's MAC isn't known, we just
respond with an empty or garbage PSK to prevent them authenticating.

On Fri, Aug 4, 2017 at 4:13 PM Ciesinski, Nick wrote:

> I think you're going to have the same problem with ACS as there is with
> ISE.  The controller does not send the PSK the user used to the RADIUS
> server for verification/validation.  Instead the RADIUS server will send
> back the PSK value the user/device should be using and the WLC does the
> verification/validation based on that return value.
>
> Nick
>
> On Aug 4, 2017, at 4:02 PM, Hunter Fuller wrote:
>
> Yep - we use Cisco ACS, backed with AD. Should be able to just add another
> rule to our ruleset, then configure iPSK on the controllers. Then it would
> check the PSK against AD, as the machine password for the machine account.
> (We already make machine accounts for registered MACs of game consoles,
> etc.)
>
> On Wed, Aug 2, 2017 at 7:31 PM Joachim Tingvold wrote:
>
>> On 1 Aug 2017, at 17:33, Ciesinski, Nick wrote:
>> > While WLC 8.5 did add IPSK it is probably safe to say it's rather
>> > worthless for most at this time.  For those who have used ISE if you
>> > watch the video on how they make IPSK work it isn’t feasible to give
>> > each of your users their own PSK key to connect to wireless.  The
>> > current implementation within ISE required no feature additions to ISE
>> > to make it work.  All they do is have a rule to classify a device
>> > and/or user and then send a particular PSK value that it should be
>> > using.  This is a 100% manual process  for each device and/or user as
>> > nothing is baked into ISE to have a user register their account or
>> > device(s) and be presented a PSK to use.
>>
>> IPSK *and* ISE might be "worthless" when combined, but IPSK in itself
>> is not (even in its current implementation). The limitations you're
>> talking about are purely with ISE, and not IPSK.
>>
>> We use ClearPass, and we can easily query an SQL-server with MAC<->PSK
>> mappings, yielding unique PSKs based on MAC addresses. This SQL DB could
>> be fed via whatever systems already exist (CMDB or whatnot), or
>> you could spend an hour making a simple web-frontend.
>>
>> The only thing holding us back upgrading to 8.5 "right away" (only to
>> get IPSK) is the same concern Lee has; not touching it until MR3 or
>> similar, purely for stability reasons (-:
>>
>> --
>> Joachim
>>
>> **
>> Participation and subscription information for this EDUCAUSE Constituent
>> Group discussion list can be found at http://www.educause.edu/discuss.
>>

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
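The flow described in this thread, as a runnable sketch: the controller sends the client's MAC as Calling-Station-Id, the RADIUS server answers with the PSK that MAC should be using, and the WLC does the comparison. This is an added example, not code from the thread, from Cisco, or from any RADIUS product. The MAC-to-PSK table is constructed sample data standing in for the SQL DB or AD machine accounts mentioned above, the psk-mode/psk AV-pair names are the ones Cisco's iPSK feature reads (confirm against the WLC release you run), and the controller's 4-way handshake is stood in for by a constant-time string compare.

```python
import hmac
import re
from typing import Optional

# Constructed sample data: MAC -> per-device PSK. In a real deployment this
# is the SQL table (ClearPass) or AD machine-account password (ACS) that the
# RADIUS server queries; nothing here comes from any real network.
PSK_TABLE = {
    "aa:bb:cc:dd:ee:01": "console-room-412-Ab3x",
    "aa:bb:cc:dd:ee:02": "printer-lab-7-Qz9k",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Canonicalise the MAC formats seen in Calling-Station-Id
    (AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF) to aa:bb:cc:dd:ee:ff.
    Returns None if the value is not a MAC, so it can never match a row."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(calling_station_id: str) -> dict:
    """RADIUS-server side: look the MAC up and hand the WLC the PSK it should
    expect. Unknown MACs get an Access-Reject rather than a placeholder key."""
    mac = normalize_mac(calling_station_id)
    psk = PSK_TABLE.get(mac) if mac else None
    # WPA2 ASCII passphrases are 8..63 characters; refuse to emit anything else.
    if psk is None or not 8 <= len(psk) <= 63:
        return {"code": "Access-Reject", "attributes": {}}
    # Assumed attribute names: Cisco iPSK reads the key from these AV-pairs.
    return {
        "code": "Access-Accept",
        "attributes": {"Cisco-AVPair": ["psk-mode=ascii", f"psk={psk}"]},
    }


def wlc_verifies(radius_response: dict, supplicant_psk: str) -> bool:
    """Controller side: compare the returned key with what the client used.
    On a real WLC this comparison is the 4-way handshake MIC check; a
    constant-time compare stands in for it here."""
    if radius_response["code"] != "Access-Accept":
        return False
    returned = None
    for av in radius_response["attributes"].get("Cisco-AVPair", []):
        if av.startswith("psk="):
            returned = av[len("psk="):]
    if returned is None:
        return False
    return hmac.compare_digest(returned.encode(), supplicant_psk.encode())


if __name__ == "__main__":
    # Constructed walk-through: known MAC with right key, known MAC with
    # wrong key, unregistered MAC.
    for mac, key in [("AA-BB-CC-DD-EE-01", "console-room-412-Ab3x"),
                     ("aabb.ccdd.ee02", "wrong-key"),
                     ("aa:bb:cc:dd:ee:99", "anything")]:
        resp = authorize(mac)
        print(mac, resp["code"], "joined" if wlc_verifies(resp, key) else "refused")
```

Two design points worth keeping in mind when wiring this up for real. An Access-Reject for an unregistered MAC, rather than an empty or random PSK, makes the failure show up in the RADIUS accounting/auth log as "unknown device" instead of as a 4-way handshake failure that looks like a mistyped key, which is what you want when someone is sifting the logs later. And the MAC is only the lookup key, not the authenticator: a registered MAC with a weak or shared PSK gets no protection from the registration step, so the per-device key is the part that has to be unique and strong.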



Re: [WIRELESS-LAN] Cisco Code Version

2017-08-04 Thread Ciesinski, Nick
I think you're going to have the same problem with ACS as there is with ISE.  The 
controller does not send the PSK the user used to the RADIUS server for 
verification/validation.  Instead the RADIUS server will send back the PSK 
value the user/device should be using and the WLC does the 
verification/validation based on that return value.

Nick

On Aug 4, 2017, at 4:02 PM, Hunter Fuller wrote:

Yep - we use Cisco ACS, backed with AD. Should be able to just add another rule 
to our ruleset, then configure iPSK on the controllers. Then it would check the 
PSK against AD, as the machine password for the machine account. (We already 
make machine accounts for registered MACs of game consoles, etc.)

On Wed, Aug 2, 2017 at 7:31 PM Joachim Tingvold wrote:
On 1 Aug 2017, at 17:33, Ciesinski, Nick wrote:
> While WLC 8.5 did add IPSK it is probably safe to say it's rather
> worthless for most at this time.  For those who have used ISE if you
> watch the video on how they make IPSK work it isn’t feasible to give
> each of your users their own PSK key to connect to wireless.  The
> current implementation within ISE required no feature additions to ISE
> to make it work.  All they do is have a rule to classify a device
> and/or user and then send a particular PSK value that it should be
> using.  This is a 100% manual process  for each device and/or user as
> nothing is baked into ISE to have a user register their account or
> device(s) and be presented a PSK to use.

IPSK *and* ISE might be "worthless" when combined, but IPSK in itself
is not (even in its current implementation). The limitations you're
talking about are purely with ISE, and not IPSK.

We use ClearPass, and we can easily query an SQL-server with MAC<->PSK
mappings, yielding unique PSKs based on MAC addresses. This SQL DB could
be fed via whatever systems already exist (CMDB or whatnot), or
you could spend an hour making a simple web-frontend.

The only thing holding us back upgrading to 8.5 "right away" (only to
get IPSK) is the same concern Lee has; not touching it until MR3 or
similar, purely for stability reasons (-:

--
Joachim







Re: [WIRELESS-LAN] Cisco Code Version

2017-08-04 Thread Hunter Fuller
Yep - we use Cisco ACS, backed with AD. Should be able to just add another
rule to our ruleset, then configure iPSK on the controllers. Then it would
check the PSK against AD, as the machine password for the machine account.
(We already make machine accounts for registered MACs of game consoles,
etc.)

On Wed, Aug 2, 2017 at 7:31 PM Joachim Tingvold wrote:

> On 1 Aug 2017, at 17:33, Ciesinski, Nick wrote:
> > While WLC 8.5 did add IPSK it is probably safe to say it's rather
> > worthless for most at this time.  For those who have used ISE if you
> > watch the video on how they make IPSK work it isn’t feasible to give
> > each of your users their own PSK key to connect to wireless.  The
> > current implementation within ISE required no feature additions to ISE
> > to make it work.  All they do is have a rule to classify a device
> > and/or user and then send a particular PSK value that it should be
> > using.  This is a 100% manual process  for each device and/or user as
> > nothing is baked into ISE to have a user register their account or
> > device(s) and be presented a PSK to use.
>
> IPSK *and* ISE might be "worthless" when combined, but IPSK in itself
> is not (even in its current implementation). The limitations you're
> talking about are purely with ISE, and not IPSK.
>
> We use ClearPass, and we can easily query an SQL-server with MAC<->PSK
> mappings, yielding unique PSKs based on MAC addresses. This SQL DB could
> be fed via whatever systems already exist (CMDB or whatnot), or
> you could spend an hour making a simple web-frontend.
>
> The only thing holding us back upgrading to 8.5 "right away" (only to
> get IPSK) is the same concern Lee has; not touching it until MR3 or
> similar, purely for stability reasons (-:
>
> --
> Joachim
>
--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
