Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Setting up MPSK for headless/IoT devices

  • 1.  Setting up MPSK for headless/IoT devices

    Posted Apr 01, 2019 12:20 AM

    Use Case:
    The following is the use case addressed in this post.
    The users access the Device Registration page using their Active Directory credentials and registers their headless/IoT devices.
    The Multi Pre-Shared Key is sent via email to the user.
    The user then connects his headless/IoT devices using the MPSK provided.

     

    Requirements:

    ArubaOS 8.4.0.0+

    Clearpass 6.8+

     

    How to Configure:

    Create a new Operator Profile:

    Create a new operator profile “Student” with access for managing devices on a network. Also select the user roles against which they can register their devices.

    Clearpass Guest -> Administration -> Operator Logins -> Profilesoperator profile.png

     

    Create service to handle the user’s access to the Device Registration page using the Active Directory credentials:

    Enforcement policy controlling access to Device Registration page will return "admin_privileges = Student"Operator login serivce.jpg

     

    Create service to authenticate devices using an Aruba MPSK:

    To configure MPSK on Clearpass use the service template "Aruba Wireless with MPSK"

    Configuration -> Service Templates & Wizards -> Aruba Wireless with MPSK

    Enter the prefix, Wireless device details, device roles (Tags) and finally map the tags to actual Aruba user-role. Please refer the screenshots below.MPSK Service.jpg

     

    The following are returned as a part of the enforcement profile.

    • Aruba user-role,
    • Device's assigned MPSK that was generated automatically during Device Registration
    • Guest Device repository sponsor name (In this case will be the AD username)

    Enforcement Profile.jpg

     

    Make the Device Registration Page forms, MPSK aware:

    Clearpass Guest -> Administration -> Aruba Integrations -> MPSK Configuration

    In 'Deployment Mode', select the Radio button 'Always generate unique device WiFi passwords' and save configuration.Make Page MPSK aware.jpg

     

    Setup the SMTP Server:

    This will enable the MPSK receipt to be sent to the user, who is registering his device.

    Configure SMTP server at Clearpass -> Administration -> External Servers -> Messaging Setup.

    For more details refer the below post.

    https://community.arubanetworks.com/t5/Education-Australia-New-Zealand/Sending-Emails-from-ClearPass-with-Gmail/gpm-p/427050

     

    Controller Configuration:

    Just use the Wizard

    Managed Networks -> Select the hierarchy you want -> Configuration -> WLAN -> +

    In the ‘Security tab’, Select WPA2-Personal -> ‘Use Aruba MPSK’ and associate Clearpass Server to it.Controller Config.jpg

    Create the user roles that are returned to controller under

    Configuration -> Roles and Policies -> Roles -> +

     

    Ensure the following parameters of AAA profile have the right server group associated.

    • MAC Authentication Server Group
    • RADIUS Accounting Server Group
    • RFC 3576 Server

     

    Demo:

    Access the Device Registration Page and login using your AD credentials.

    https://clearpass.arubatechs.com/guest/auth_login.php

    Once you logged in, register your device by clicking on “Create Device”

    Create Device.jpg

    You will receive an email.Email.jpg

    Now connect your media player to the SSID “IOT” using the MPSK provided in the email.

     

    Controller Dashboard:

    The media player is associated under the AD username ‘kerampu’ctlr dashboard.jpg

     

    Clearpass Access Tracker:Clearpass Access Tracker.jpg

    Hope you find this post useful. Please share your feedback.



  • 2.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 03, 2019 10:08 PM

    Thank you so much Kapil for writing this document and explaining the config in steps. Here at the University of Sydney there is a great demand for IOT devices. We wanted a similar solution which takes into account 1 SSiD but unique passwords per device and MPSK is something we can leverage. We have Cisco controllers and AP but we use Aruba CP server so I will conduct a POC on MPSK feature. If it works as intended, this feature will go into production and serve 1000's of IOT devices across USYD main campus and WAN sites. Once again thank you.

     

    Cheers

    Tariq

    Senior Network Engineer at USYD



  • 3.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 09, 2019 11:14 AM

    Thanks for this guide, its great !

    Just wondering where (physically) in the network the MPSK is valid. Can the user authenticate with ANY Access Point or just a specific group of Access Points ?

    I would see this service being useful to large campus network, but surely from a scaling point of view you would limit the MPSK to a spefic number of locations revevent to each user ?

    However, I don't see where in the configuration this might be enabled ?

     

    Also, anyone using this in production as yet ?



  • 4.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 09, 2019 11:16 AM
    You could, but that's an admin configuration and would become difficult to maintain.


  • 5.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 09, 2019 11:20 AM

    Thanks Tim

    So the "standard" configuration is that MPSK is available for the entire campus ? Does that scale out ok......e.g. hundreds or thousands of MPSK across a campus ?



  • 6.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 09, 2019 11:22 AM
    Yes, it's a 1:1 model.


  • 7.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 09, 2019 02:45 PM

    Said another way, the APs do not store/sync the MPSKs.  A query is done and ClearPass responds.  No more overhead than MAC Authentication in general.



  • 8.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 12, 2019 10:54 AM

    Great, thanks that explains why it can scale...!



  • 9.  RE: Setting up MPSK for headless/IoT devices

    Posted May 23, 2019 08:53 PM

    In the Cisco world, you can limit the SSID to a specific location using "ap-groups", not sure how that is done in Aruba. Secondly, you can put a rule in the service where connection requests from a specific controller(s) are accepted.



  • 10.  RE: Setting up MPSK for headless/IoT devices

    Posted May 24, 2019 07:44 PM

    We do it in a similar way Tariq. I will call you to discuss further.



  • 11.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 15, 2019 04:33 PM

    Hi

     

    Why isn't the sponsor email auto populated when the operator account logs in? It appears that you have enabled sponsor email as a text field, but seems to me if you login via AD you should be able to use the mail attribute or the username in email format to auto fill in the sponsor email.

     

    Thanks

    Andrew



  • 12.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 15, 2019 05:14 PM
    You need to send back the mail attribute in your operator service. It can’t always be assumed that the username is the email address.


  • 13.  RE: Setting up MPSK for headless/IoT devices

    Posted Apr 15, 2019 05:45 PM
      |   view attached

    Well, that was easy. Thank You Cappalli



  • 14.  RE: Setting up MPSK for headless/IoT devices

    Posted May 07, 2019 01:58 PM
    Take a look at this link. https://community.arubanetworks.com/t5/Security/ClearPass-MPSK-Form-Options/m-p/526335#M42588

    I recommend importing , even if its just 1 device , you have more options. See the import template we put together


  • 15.  RE: Setting up MPSK for headless/IoT devices

    Posted Sep 27, 2019 09:46 AM

    Hi,

     

    My SMTP server working fine but have some issues with autofill the email field in the mac_create form.

     

    I send the attribute "mail" in my enforcement profile. I can see my emailadres send correctly in the request output as attribute "Application:mail".

     

    In the guest application there is a translation rule to bind the attribute value "mail" on the operator field "email".

     

    In the Form field the email attribute is not autofilled.

     

    I make some mistake or misunderstanding somewhere, but after some hours i give up, grrr. Some help should be welcome :). See attachments Screen Shot 2019-09-27 at 15.35.23.pngScreen Shot 2019-09-27 at 15.36.36.pngScreen Shot 2019-09-27 at 15.36.00.png

     

     



  • 16.  RE: Setting up MPSK for headless/IoT devices

    Posted Aug 11, 2020 03:44 PM

    I found an issue in 8.6.0.4

     

    When you create a new SSID using the wizard and choose MPSK and select your clearpass server, it creates a new AAA profile for the MPSK SSID, however the Mac auth server for that AAA profile is default, not ClearPass. Therefor no authentications came to ClearPass.

     

    Going into the AAA profile settings you can set the correct MAC Auth server group and this makes it all work

     

    Thanks to OP for the guide!



  • 17.  RE: Setting up MPSK for headless/IoT devices

    Posted Jul 11, 2019 12:47 PM

    Setting this up in the Lab today with all of my Home IoT devices :-)



  • 18.  RE: Setting up MPSK for headless/IoT devices

    Posted Jul 11, 2019 01:03 PM

    How can I mass import? lol Got it



  • 19.  RE: Setting up MPSK for headless/IoT devices

    Posted Jul 11, 2019 01:57 PM

    Cool you got it , if you have any question I can try to help.

     

    Not sure if its a smart thing to do , but I am using this instead of 802.11x . For Macs 802.11x auth sucks, (BT and WiFi are on the same chip and it has caused many problems) I didnt want my users to suffer. MPSK is much easier for me, Everyone has their own password, and they can't share it , well they could it just wouldnt work on other device. One thing to be aware of, if a user is using iCloud Keychain, WiFi passwords are shared throughout all their devices. To solve this just usethe same MPSK Password , for all devices for that particular user. I for instance I used same MPSK password when registering, my apple watch,homepod,macbook,imac,appletv,ipad,iphone etc .... so just becareful.



  • 20.  RE: Setting up MPSK for headless/IoT devices

    Posted Jul 11, 2019 02:23 PM
    Please be aware that this was only designed for headless devices. Alternative workflows may not be officially supported.