
IPSK with RADIUS Authentication

Overview

When setting up an enterprise wireless network, it is common to configure WPA2-Enterprise authentication against a centralized authentication server: this gives clients connecting to the network stronger security while keeping management of authorized users easy and scalable. However, IT administrators may still run into drawbacks with this method of authentication. While a username and password add security, users may find remembering an extra set of credentials cumbersome when trying to get connected, and may be better served by a private PSK. Additionally, certain devices do not support WPA2-Enterprise authentication and would require an additional PSK SSID to reach the same network, increasing wireless overhead and weakening security. Identity PSK (IPSK) with RADIUS authentication resolves these issues: the SSID appears to clients as a standard WPA2-PSK SSID, while each client is authenticated against a central server based on its MAC address, and different PSKs can be assigned to specific clients or groups of clients.

This article will provide a walk-through of how to set up Identity PSK in Dashboard, as well as on FreeRADIUS and on Cisco ISE.

This feature is supported only on firmware 26.5 and above.

Enabling and configuring IPSK with RADIUS authentication

A client can associate to the SSID only if its MAC address and the PSK it uses are configured on the RADIUS server. Configuration on Dashboard is as follows:

  1. From Dashboard, navigate to Wireless > Configure > Access control.

  2. Under SSID, select the SSID from the drop-down that you want to configure.

  3. Select IPSK with RADIUS in the Association Requirements section of the page.

  4. Under Splash page, choose None.

  5. For RADIUS server, click Add a server. Enter the RADIUS server's IP address, listening port and shared secret. The same secret must be configured on the RADIUS server for your APs, which act as its RADIUS clients.

  6. A per-device PSK SSID can bridge wireless devices onto different VLANs if the SSID is in Bridge mode. Set a default VLAN for the SSID using the VLAN tagging drop-down, then allow the RADIUS response to override it using the VLAN override drop-down. A RADIUS Access-Accept carrying a different VLAN tag will then override the default VLAN for the SSID. For more information on configuring VLAN override via RADIUS, see our RADIUS Override article.

  7. Click Save changes.

    Some RADIUS servers do not allow special characters in the shared secret; using them may cause authentication to fail.

The RADIUS server used for authentication can vary depending on the network. On the RADIUS server, the Tunnel-Password attribute is the field that binds the PSK to the client's MAC address. If the PSK presented by the client matches the RADIUS server's entry for the client's MAC address, the wireless client is authenticated and associated on the wireless network. See below for configuration with FreeRADIUS and Cisco ISE.

Configuration of IPSK with RADIUS authentication

FreeRADIUS Configuration:

  1. Navigate to /usr/local/etc/raddb.

  2. In the clients.conf file, configure the APs' IP addresses and the shared secret. This must be the same secret you entered in Dashboard under RADIUS servers.

  3. To add a MAC address and pre-shared key for a client, open the users file and add an entry in the format below. The first line is the check item (the AP sends the client's MAC address as both username and password); the indented second line is the reply item that carries the PSK:
    <MAC address> Cleartext-Password := "<MAC address>"
            Tunnel-Password = "<PSK entered on the client device>"

  4. To configure a default pre-shared key for clients not listed in the users file, add a DEFAULT entry after the per-client entries (the users file is matched top to bottom):
    DEFAULT Auth-Type := Accept
            Tunnel-Password = "<PSK of your choice>"

  5. Once this configuration is saved and the server reloaded, you should be able to authenticate your client devices based on their PSK.

Cisco ISE Configuration:

The diagram below shows the general flow of traffic when using IPSK to authenticate against a Cisco ISE server.

[Diagram: traffic flow for IPSK authentication against a Cisco ISE server]

The following section focuses on Cisco ISE 2.4. Configuration may vary with the version of Cisco ISE.

Adding Network Devices and Assigning to a Group

  1. Navigate to Administration > Network Devices.

  2. Click Add to add a new network device.

  3. Fill out the following fields:
    Configure the IP Address field with the management IP subnet of your access points. Make sure to configure a Location so that the authentication can be matched to the correct policy set.

Create a policy set and default rule configuration 

  1. Navigate to Policy > Policy Sets.

  2. Create a new policy set with the condition Device > Location, selecting the location you applied to the MR device type. Then add a second condition: Radius: Called-Station-ID ENDS_WITH {Your SSID Name}.

  3. Open that policy set by clicking the arrow to the right. Expand the Authentication section of the policy and modify the default rule as follows:
    Make sure to select Internal Endpoints and set If User not found to Continue. This allows devices not yet known to ISE to be processed by the authorization rules.

  4. Next expand the Authorization rules and select the default rule. In the default rule:

    1. Deselect Deny access.

    2. Click the + icon and create a new profile. This will be the default PSK.
      For the PSK response, Meraki uses the Tunnel-Password attribute to carry the PSK, because that attribute is encrypted in transit between the RADIUS server and the network access device (the AP).

    3. Select the default PSK authorization profile created above for the default rule and click Save.
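The note above (and the FreeRADIUS section earlier) says the PSK travels in Tunnel-Password because that attribute is encrypted between the RADIUS server and the AP. The following is an added example, not Meraki, FreeRADIUS or ISE code: it implements the RFC 2868 section 3.5 salted encryption that a RADIUS server applies to the PSK before sending it, using constructed secret, authenticator and PSK values.

```python
# RFC 2868 Tunnel-Password encoding, as used to carry an IPSK from the RADIUS
# server to the AP. Added illustration; not Meraki, FreeRADIUS or ISE code.
import hashlib
import secrets
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_tunnel_password(secret: bytes, request_auth: bytes, psk: bytes,
                           salt: Optional[bytes] = None) -> bytes:
    """Return salt + ciphertext (the attribute body that follows the tag octet).

    RFC 2868 s3.5: plaintext = length octet + password, zero-padded to 16n;
    block 1 is XORed with MD5(secret + request_authenticator + salt), each
    later block with MD5(secret + previous ciphertext block).
    """
    if salt is None:  # high bit of the first salt octet must be set
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    if len(salt) != 2 or not salt[0] & 0x80 or len(request_auth) != 16:
        raise ValueError("salt must be 2 octets (high bit set), authenticator 16")
    if len(psk) > 255:
        raise ValueError("password longer than 255 octets")
    plain = bytes([len(psk)]) + psk
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = bytearray(), request_auth + salt
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return salt + bytes(out)


def decode_tunnel_password(secret: bytes, request_auth: bytes, body: bytes) -> bytes:
    """Inverse of encode_tunnel_password. Raises ValueError on malformed input,
    which is also the usual symptom of a mismatched shared secret."""
    salt, cipher = body[:2], body[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed Tunnel-Password body")
    plain, prev = bytearray(), request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length octet exceeds payload; wrong shared secret?")
    return bytes(plain[1:1 + length])
```

The AP can only recover the PSK with the shared secret from step 5 of the Dashboard configuration, which is why that secret must match on both sides.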

Creating Endpoint Identity Groups for PSK Management

  1. Navigate to Work Centers > Guest Access > Identity Groups.

  2. Click Add to add a new group.

  3. Name this group 'PSK_Devices'.

  4. Create another group called 'PSK1' and nest it under 'PSK_Devices'.

Creating Authorization Profiles for Each PSK with Group Policy Assignment

  1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.

  2. Click Add and create at least one PSK authorization profile. In this example, PSK1 is used, and 'PSK1' is returned via the Filter-Id attribute as the Dashboard group policy to apply to the client.

Creating Authorization Rules for PSK Assignment

  1. Navigate to Policy > Policy Sets > {Policy set created earlier}.

  2. Expand the Authorization Rules.

  3. Add a new rule above the default rule using Insert new row above.

  4. Name this rule 'PSK1' and use the following condition configuration:

  5. Next select the PSK1 Authorization Profile created for this rule and click Save.

Add Devices to the PSK1 Group

For this guide, a single MAC address will be added; however, using the Import function, large groups of devices can be added at a time.

  1. Navigate to Context Visibility > Endpoints.

  2. Click the + symbol above the devices list and enter the MAC address of your test client.

Applying Dashboard Group Policies

  1. Navigate to Network Wide > Group Policy.

  2. Create a new Group Policy called 'PSK1'.
    Configure anything needed here, including but not limited to:

    • Firewall Policies

    • Traffic Shaping

    • Umbrella Group Policies

  3. When you are finished, click Save changes.

Validating PSK and Group Policy

  1. Connect to the test SSID using your test client.

  2. Check the logs in Cisco ISE under Operations > RADIUS > Live Logs.

  3. Check Dashboard under Network Wide > Clients and select the test client to confirm the PSK1 group policy is applied.


Article ID: 8646
