IPSK with RADIUS Authentication
Overview
When setting up an enterprise wireless network, it is common to configure WPA2-Enterprise authentication with a centralized authentication server to provide heightened security for clients connecting to the network, while still allowing for easy and scalable management of authorized users. However, IT administrators may still encounter some drawbacks with this method of authentication. While a username and password provides extra security, users may find remembering an extra set of credentials to be cumbersome when trying to get connected, and may be better served by using a private PSK. Additionally, certain devices may not support WPA2-Enterprise authentication, and would require an additional PSK SSID to be set up to connect to the same network, increasing wireless overhead and compromising on security. Identity PSK with RADIUS authentication resolves these issues by acting as a standard WPA2 PSK SSID to clients, while authenticating clients to a central server based on their MAC address and allowing different PSKs to be set for specific clients or groups of clients.
This article will provide a walk-through of how to set up Identity PSK in Dashboard, as well as on FreeRADIUS, Cisco ISE, and Microsoft NPS.
This feature is supported only on firmware MR 26.5 and above. If using Microsoft NPS, MR 30.1 or higher is required.
This feature will not work with SSIDs that are configured to tunnel traffic to a MX Concentrator.
Enabling and configuring IPSK with RADIUS authentication
If the MAC address and PSK used by the associating client is configured on the RADIUS server, then only that client will be able to associate to the SSID. Configuration on Dashboard is as follows:
- From Dashboard, navigate to Wireless > Configure > Access control.
- Under SSID, select the SSID you want to configure from the drop-down.
- Select Identity PSK with RADIUS in the Security section of the page.
- Under Splash page, choose None (Direct access).
- For RADIUS servers, click Add server. Enter the RADIUS server Host IP or FQDN, the listening Auth port, and the RADIUS shared secret; your access points must be configured as RADIUS clients on the server using this same secret.
- A Per device PSK SSID can bridge wireless devices onto different VLANs if a Bridge mode SSID is used. A default SSID VLAN can be set by enabling VLAN tagging under the Client IP and VLAN section. If the RADIUS override is set to Override VLAN tag, an Access-Accept that carries a different VLAN tag overrides the default VLAN for the SSID. For more information on configuring VLAN override via RADIUS, see the VLAN Tagging article.
- Click Save.
Use of special characters in the Shared secret is not allowed with some RADIUS servers. This may cause the authentication to fail.
The RADIUS server used for authentication can vary depending on the network. On the RADIUS server, the Tunnel-Password attribute is the field that binds the client's MAC address to its PSK. If the PSK supplied by the client matches the RADIUS server's entry for that MAC address, the wireless client is authenticated and associated on the wireless network. See below for configuration with FreeRADIUS, Cisco ISE, and Microsoft NPS.
Configuration of IPSK with RADIUS authentication
FreeRADIUS Configuration:
The example setup below is using FreeRADIUS version 3.0.21. Exact steps may vary depending on the version of FreeRADIUS you are using. Please consult the FreeRADIUS documentation.
- Navigate to /etc/freeradius/3.0/.
- In the clients.conf file, configure the AP IP address or subnet and the shared secret. This must be the same secret you entered in Dashboard under RADIUS servers.
- To add a MAC address and pre-shared key for a client, open the users file and enter the MAC address and password in the format below. Do not use colons in the MAC address username or in the PSK. The Tunnel-Password line must be indented with a tab so that it is nested under the username; otherwise FreeRADIUS may fail to start with errors.
<MAC address> Cleartext-Password := <MAC address>
	Tunnel-Password = <PSK entered on the client device>
- To configure a default pre-shared key for clients not explicitly listed in the users file:
DEFAULT Auth-Type := Accept
	Tunnel-Password = <PSK of your choice>
- Once this configuration is saved, you should be able to authenticate your client devices based on the PSK.
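As an added example (not part of the Meraki article or of the FreeRADIUS project), the following Python script generates users-file entries in the format above from a table of MAC/PSK pairs. It strips separators from the MAC addresses, rejects PSKs that are not valid WPA2 passphrases (8 to 63 printable ASCII characters) or that contain the colons the article warns about, double-quotes values so a PSK containing spaces survives, indents the Tunnel-Password reply line, and appends the DEFAULT entry last, because the files module stops at the first matching entry. The sample clients and PSKs are constructed, and the lowercase MAC form is an assumption of this example.

```python
"""Generate FreeRADIUS `users` entries for IPSK clients (added example)."""
import re

# Constructed sample input: client MACs in mixed notation and the PSK each should use.
SAMPLE_CLIENTS = {
    "AA:BB:CC:11:22:33": "Printer-PSK-2024",
    "aa-bb-cc-44-55-66": "badge reader key",   # spaces are fine once the value is quoted
}
DEFAULT_PSK = "fallback-psk-123"

_SEPARATORS = re.compile(r"[:\-. ]")


def normalize_mac(mac: str) -> str:
    """Return the separator-free 12 hex digit form used as User-Name in the users file.
    The article rules out colons; lowercasing is this example's own assumption."""
    hexstr = _SEPARATORS.sub("", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexstr):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexstr


def psk_problem(psk: str):
    """Return None if the PSK is usable, otherwise a short reason."""
    if not 8 <= len(psk) <= 63:
        return "WPA2 passphrases must be 8 to 63 characters"
    if any(not 0x20 <= ord(c) <= 0x7E for c in psk):
        return "WPA2 passphrases must be printable ASCII"
    if ":" in psk:
        return "the article disallows colons in the PSK"
    return None


def _quote(value: str) -> str:
    """Double-quote a users-file string so spaces and quotes survive."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def users_entry(mac: str, psk: str) -> str:
    """One entry: the MAC is both User-Name and password (the article's format),
    with the PSK nested on an indented Tunnel-Password reply line."""
    problem = psk_problem(psk)
    if problem:
        raise ValueError(f"{mac}: {problem}")
    m = normalize_mac(mac)
    return f"{m}\tCleartext-Password := {_quote(m)}\n\tTunnel-Password = {_quote(psk)}\n"


def build_users_file(clients: dict, default_psk: str = None) -> str:
    """Render all entries. DEFAULT goes last: the files module stops at the first match."""
    entries = [users_entry(mac, psk) for mac, psk in clients.items()]
    if default_psk is not None:
        problem = psk_problem(default_psk)
        if problem:
            raise ValueError(f"DEFAULT: {problem}")
        entries.append(f"DEFAULT\tAuth-Type := Accept\n\tTunnel-Password = {_quote(default_psk)}\n")
    return "\n".join(entries)


if __name__ == "__main__":
    print(build_users_file(SAMPLE_CLIENTS, DEFAULT_PSK))
```

Write the output into the users file (or into a file included from it) and restart FreeRADIUS; a PSK that fails `psk_problem` is rejected before it ever reaches the server, which is easier to debug than a silent authentication failure on the client.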
Cisco ISE Configuration:
The diagram below shows the general flow of traffic when using IPSK to authenticate against a Cisco ISE server.
The following sections focus on Cisco ISE 2.4. Configuration may vary based on the version of Cisco ISE.
Adding Network Devices and Assigning to a Group
- Navigate to Administration > Network Devices.
- Click Add to add a new network device.
- Fill out the following fields:
Configure the IP Address field with the management IP subnet for your access points. Make sure to configure a Location so that the authentication can be matched to the correct policy set.
Create a policy set and default rule configuration
- Navigate to Policy > Policy Sets.
- Create a new policy set with the condition Device > Location and select the location you applied to the MR Device type. Then create another condition and use Radius: Called-Station-ID ENDS_WITH {Your SSID Name}.
Note: PAP is disabled by default under the Default Network Access policy. Enable PAP by going to Policy Results > Allowed Protocols > Default Network Access and checking the box Allow PAP ASCII.
- Navigate into that policy set by clicking the arrow to the right. Expand the Authentication section of the policy and modify the default rule to the following:
Make sure to select Internal Endpoints and If User not found: Continue. This allows devices that are not already in ISE to be processed through the authorization rules.
- Next, expand the Authorization rules and select the default rule. In the default rule:
  - Deselect Deny access.
  - Click the + icon and create a new profile. This will be the default PSK.
For the PSK response, Meraki uses the Tunnel-Password attribute to carry the PSK, because that attribute is encrypted in transit between the RADIUS server and the Network Access Device.
- Select the default PSK authorization profile we created for the default rule and click Save.
Creating Endpoint Identity Groups for PSK Management
- Navigate to Work Centers > Guest Access > Identity Groups.
- Click Add to add a new group.
- Name this group 'PSK_Devices'.
- Create another group called 'PSK1' and nest it under 'PSK_Devices'.
Creating Authorization Profiles for Each PSK with Group Policy Assignment
- Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
- Click Add and create at least one PSK Authorization Profile. In this example, PSK1 is used and 'PSK1' is returned via Filter-Id as the Dashboard group policy to apply to the client.
Creating Authorization Rules for PSK Assignment
- Navigate to Policy > Policy Sets > {Policy set created earlier}.
- Expand the Authorization Rules.
- Add a new rule above the default rule with Insert new row above.
- Name this rule 'PSK1' and use the following condition configuration:
- Next, select the PSK1 Authorization Profile created for this rule and click Save.
Add Devices to the PSK1 Group
For this guide a single MAC address will be added; however, using the “Import” function, large groups of devices can be added at a time.
- Navigate to Context Visibility > Endpoints.
- Click the + symbol above the devices list and enter the MAC address of your test client.
Microsoft NPS Configuration
Note: MR 30.1 firmware and higher is required for IPSK with NPS.
IPSK with RADIUS using a Microsoft NPS server is supported when the following criteria are met:
- The Tunnel-Password RADIUS standard attribute is present in the Access-Accept packet from the NPS server.
- Cisco Vendor-Specific Attributes psk and psk-mode=ascii are present in the Access-Accept from the NPS server.
First, ensure your client MAC addresses are added to a User Group on your AD server. To configure the policy on the NPS server:
1. Open an existing policy or create a new one. The Overview tab of the policy's properties should look like the following:
2. On the Conditions tab, choose the User Groups value for the devices you want to authenticate using IPSK on your AD server.
3. On the Constraints tab, uncheck all authentication methods except PAP.
4. On the Settings tab, add the Standard RADIUS attribute Tunnel-Password. Its actual value does not matter here, because the clients will not use it; however, it MUST be included, otherwise the MR will reject the response from the NPS server.
5. In the Vendor Specific section, add a Cisco AVP and configure both psk and psk-mode=ascii.
The psk value is the PSK that should be entered on the supplicant. The Access-Accept packet for a client with the above configuration looks like the following. Notice the Cisco Vendor-Specific AVPs of psk-mode and psk as well as the standard Tunnel-Password AVP. The Cisco psk AVP has the PSK in cleartext.
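To make concrete what the article says about Tunnel-Password (it binds the PSK to the MAC entry on the server and is encrypted in transit, whereas the Cisco psk AVP that NPS additionally requires carries the passphrase in cleartext), here is an added Python example that is not part of the Meraki article or of any vendor code. It implements the RFC 2868 Tunnel-Password encoding (a salted, chained MD5 keystream derived from the RADIUS shared secret and the Access-Request's Request Authenticator), builds a constructed Access-Accept attribute list containing a Tunnel-Password plus the two Cisco vendor-specific strings, parses it back, and applies the two NPS criteria listed above. The shared secret, Request Authenticator, salt and PSK are constructed sample values; encoding psk and psk-mode=ascii as Cisco-AVPair strings (vendor 9, vendor type 1) is an assumption of this example.

```python
"""RFC 2868 Tunnel-Password encoding and an IPSK Access-Accept check (added example)."""
import hashlib
import struct

TUNNEL_PASSWORD = 69       # standard RADIUS attribute type
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # Cisco-AVPair: "name=value" strings (assumed encoding of psk / psk-mode)

# Constructed sample values; nothing here comes from a real deployment.
SECRET = b"example-shared-secret"        # RADIUS shared secret between AP and server
REQUEST_AUTH = bytes(range(16))          # Request Authenticator of the matching Access-Request
SALT = b"\x80\x01"                       # 2 bytes, high bit set as RFC 2868 requires


def encrypt_tunnel_password(password: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Encode a Tunnel-Password value: Tag(0x00) | Salt | keystream XOR (len | password | zero pad)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)        # zero-pad to a multiple of 16
    prev = request_auth + salt                   # b1 = MD5(S + R + A)
    out = bytearray()
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += block
        prev = block                             # b(n) = MD5(S + c(n-1))
    return b"\x00" + salt + bytes(out)


def decrypt_tunnel_password(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse of encrypt_tunnel_password; the tag byte is ignored (IPSK uses no tunnel tags)."""
    if len(value) < 3 + 16 or (len(value) - 3) % 16:
        raise ValueError("Tunnel-Password value has an invalid length")
    salt, ct = value[1:3], value[3:]
    prev = request_auth + salt
    plain = bytearray()
    for i in range(0, len(ct), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(ct[i:i + 16], key))
        prev = ct[i:i + 16]
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad length byte: wrong shared secret or corrupt attribute")
    return bytes(plain[1:1 + n])


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type | Length (including the 2-byte header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute wrapping one Cisco-AVPair string."""
    data = text.encode()
    sub = bytes([CISCO_AVPAIR, 2 + len(data)]) + data
    return attr(VENDOR_SPECIFIC, struct.pack(">I", CISCO_VENDOR_ID) + sub)


def parse_attrs(buf: bytes):
    """Yield (type, value) pairs; a bad length raises instead of silently desynchronising."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]


def cisco_avpairs(value: bytes) -> list:
    """Return the Cisco-AVPair strings inside one Vendor-Specific value (empty if not Cisco)."""
    if len(value) < 4 or struct.unpack(">I", value[:4])[0] != CISCO_VENDOR_ID:
        return []
    return [v.decode(errors="replace") for t, v in parse_attrs(value[4:]) if t == CISCO_AVPAIR]


def check_ipsk_accept(attrs_blob: bytes, secret: bytes, request_auth: bytes) -> dict:
    """Apply the article's two NPS criteria and recover the PSK from both places it appears."""
    result = {"tunnel_psk": None, "vsa_psk": None, "psk_mode": None}
    for atype, value in parse_attrs(attrs_blob):
        if atype == TUNNEL_PASSWORD:
            result["tunnel_psk"] = decrypt_tunnel_password(value, secret, request_auth)
        elif atype == VENDOR_SPECIFIC:
            for pair in cisco_avpairs(value):
                name, _, val = pair.partition("=")
                if name == "psk":
                    result["vsa_psk"] = val
                elif name == "psk-mode":
                    result["psk_mode"] = val
    # Tunnel-Password must be present (its value is not used with NPS) and the
    # Cisco psk / psk-mode=ascii pair must carry the passphrase for the supplicant.
    result["ok"] = (result["tunnel_psk"] is not None and result["vsa_psk"] is not None
                    and result["psk_mode"] == "ascii")
    return result


def build_sample_accept(psk: str) -> bytes:
    """Constructed Access-Accept attribute list shaped like the one the article describes for NPS."""
    return (attr(TUNNEL_PASSWORD, encrypt_tunnel_password(psk.encode(), SECRET, REQUEST_AUTH, SALT))
            + cisco_avpair("psk-mode=ascii") + cisco_avpair("psk=" + psk))
```

Two points the code makes visible: the Tunnel-Password keystream depends on the shared secret and on the Request Authenticator of the specific Access-Request, so a capture of the Access-Accept alone does not reveal the PSK, while the psk AVP string is readable as-is in the same packet. The RFC 2868 protection is only as strong as the shared secret, which is one reason to keep that secret long and random and to avoid the special characters the article notes some servers mishandle.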
Applying Dashboard Group Policies
- Navigate to Network-wide > Configure > Group Policies.
- Create a new Group Policy called 'PSK1'.
Feel free to configure anything needed here, including but not limited to:
  - Firewall Policies
  - Traffic Shaping
  - Umbrella Group Policies
- When you are finished, click Save changes.
Validating PSK and Group Policy
- Connect to the test SSID using your test client.
- Check the logs in Cisco ISE under Operations > RADIUS > Live Logs.
- Check Dashboard under Network-wide > Monitor > Clients and select the test client: