Use Case: The following is the use case addressed in this post. Users access the Device Registration page with their Active Directory credentials and register their headless/IoT devices. The Multi Pre-Shared Key (MPSK) generated for each device is sent to the user by email. The user then connects the headless/IoT device using the MPSK provided.
How to Configure:
Create a new Operator Profile:
Create a new operator profile “Student” with the privilege to manage devices on the network. Also select the user roles (device roles) against which operators with this profile can register their devices.
Clearpass Guest -> Administration -> Operator Logins -> Profiles
Create a service to handle the user’s login to the Device Registration page with Active Directory credentials:
The enforcement policy controlling access to the Device Registration page returns "admin_privileges = Student", so the AD user is logged in with the Student operator profile created above.
Create a service to authenticate devices using an Aruba MPSK:
To configure MPSK on ClearPass, use the service template "Aruba Wireless with MPSK":
Configuration -> Service Templates & Wizards -> Aruba Wireless with MPSK
Enter the prefix, the wireless device details and the device roles (tags), and finally map each tag to the actual Aruba user-role that is returned to the controller. Refer to the screenshots below.
The following attributes are returned as part of the enforcement profile.
Make the Device Registration page forms MPSK-aware:
Clearpass Guest -> Administration -> Aruba Integrations -> MPSK Configuration
In 'Deployment Mode', select the radio button 'Always generate unique device WiFi passwords' and save the configuration.
Set up the SMTP server:
This enables the MPSK receipt to be emailed to the user who is registering the device.
Configure SMTP server at Clearpass -> Administration -> External Servers -> Messaging Setup.
For more details, refer to the post below.
On the controller, just use the WLAN wizard:
Managed Networks -> Select the hierarchy you want -> Configuration -> WLAN -> +
In the ‘Security’ tab, select WPA2-Personal -> ‘Use Aruba MPSK’ and associate the ClearPass server with it.
Create the user roles that ClearPass returns to the controller under
Configuration -> Roles and Policies -> Roles -> +
Ensure the following parameters of the AAA profile have the right server group associated; in particular, the MAC authentication server group must point at ClearPass, otherwise no MAC-authentication requests reach ClearPass and the MPSK lookup never happens.
Access the Device Registration Page and login using your AD credentials.
Once logged in, register your device by clicking “Create Device”.
You will receive an email containing the MPSK for the device.
Now connect your media player to the SSID “IOT” using the MPSK provided in the email.
The media player is associated under the AD username ‘kerampu’.
ClearPass Access Tracker:
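To make the flow set up above concrete, here is an added Python example (not the post’s or Aruba’s code) that simulates it end to end: a device registry like the one the Device Registration page writes to, the MAC-authentication lookup the AP triggers against ClearPass for every association on the MPSK SSID, and the WPA2-PSK key derivation and 4-way-handshake MIC check the AP performs with the passphrase it got back. The device MACs, owner name, role tags, the 16-character passphrase policy and the simplified EAPOL frame body are constructed for illustration, and the returned attribute names (Aruba-User-Role, Aruba-MPSK-Passphrase) are assumed to be the enforcement-profile attributes; the PBKDF2, PRF and MIC constructions follow IEEE 802.11 for WPA2-CCMP.

```python
"""Simulated Aruba MPSK flow: ClearPass-style device registry, the AP's MAC-auth
lookup, then per-device PMK/KCK derivation and 4-way-handshake MIC verification.
Added example, not the post's or Aruba's code. Registry contents, MACs, role tags
and the EAPOL frame body are constructed for illustration."""
import hashlib
import hmac
import secrets
import string

SSID = b"IOT"                      # the SSID created with the wizard in the post
ALPHABET = string.ascii_letters + string.digits


def generate_mpsk(length=16):
    """Random per-device passphrase (16 alphanumerics ~ 95 bits).
    Assumption: the real ClearPass generator applies its own policy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def norm_mac(mac):
    """Normalise aa:bb:.. / AA-BB-.. to lowercase hex without separators."""
    return mac.replace(":", "").replace("-", "").lower()


# Constructed registry: what "Create Device" stores. Keyed by normalised MAC;
# 'role' is the device tag that the service maps to an Aruba user-role.
REGISTRY = {}


def register_device(mac, owner, role, mpsk=None, enabled=True):
    """Equivalent of the Device Registration page: bind MAC -> owner, role, MPSK.
    Returns the passphrase, i.e. the value that is e-mailed to the user."""
    mpsk = mpsk or generate_mpsk()
    REGISTRY[norm_mac(mac)] = {"owner": owner, "role": role, "mpsk": mpsk, "enabled": enabled}
    return mpsk


def mac_auth(mac):
    """The lookup the AP triggers for each association on the MPSK SSID.
    Returns the enforcement-profile attributes, or None for an Access-Reject."""
    rec = REGISTRY.get(norm_mac(mac))
    if rec is None or not rec["enabled"]:
        return None
    return {"Aruba-User-Role": rec["role"], "Aruba-MPSK-Passphrase": rec["mpsk"]}


def pmk(passphrase, ssid=SSID):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n used for PTK derivation (HMAC-SHA1 counter mode)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kck(pmk_, aa, spa, anonce, snonce):
    """Key Confirmation Key = first 16 bytes of the PTK (PRF-384 for CCMP)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk_, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck_, frame):
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck_, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_mac, sta_mac, sta_passphrase):
    """AP side: MAC-auth lookup, then verify the MIC on message 2 with the
    passphrase ClearPass bound to this MAC. Returns the user-role on success."""
    reply = mac_auth(sta_mac)
    if reply is None:
        return None                     # unknown/disabled MAC: rejected, no handshake
    aa, spa = bytes.fromhex(norm_mac(ap_mac)), bytes.fromhex(norm_mac(sta_mac))
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    msg2 = b"EAPOL-Key msg2" + snonce    # constructed stand-in for the real frame body
    # The station signs message 2 with the passphrase it was configured with ...
    mic_sta = eapol_mic(kck(pmk(sta_passphrase), aa, spa, anonce, snonce), msg2)
    # ... and the AP recomputes it with the passphrase ClearPass returned for that MAC.
    mic_ap = eapol_mic(kck(pmk(reply["Aruba-MPSK-Passphrase"]), aa, spa, anonce, snonce), msg2)
    if not hmac.compare_digest(mic_sta, mic_ap):
        return None                     # wrong MPSK for this MAC: handshake fails
    return reply["Aruba-User-Role"]


if __name__ == "__main__":
    ap = "00:1a:1e:00:00:01"
    key_player = register_device("AA:BB:CC:00:00:01", "kerampu", "media-player")
    key_bulb = register_device("AA:BB:CC:00:00:02", "kerampu", "lighting")
    print(four_way_handshake(ap, "AA:BB:CC:00:00:01", key_player))  # media-player
    print(four_way_handshake(ap, "AA:BB:CC:00:00:02", key_player))  # None: key of another device
    print(four_way_handshake(ap, "AA:BB:CC:00:00:03", key_bulb))    # None: unregistered MAC
```

Running it shows the three cases that matter in production: a registered device authenticates with its own MPSK, the same MPSK presented from a different registered MAC fails the handshake because the AP verifies against the passphrase bound to that MAC, and an unregistered or disabled MAC is rejected before any handshake takes place. Because nothing is cached on the AP in this model, each association costs one lookup, which is why the scheme scales like plain MAC authentication. Note also that pmk() depends only on the passphrase and the SSID: if a user registers several devices with one shared passphrase, those devices share a PMK, so compromise of one exposes the traffic of the others.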
Hope you find this post useful. Please share your feedback.
Thank you so much Kapil for writing this document and explaining the config in steps. Here at the University of Sydney there is a great demand for IoT devices. We wanted a similar solution which takes into account 1 SSID but unique passwords per device, and MPSK is something we can leverage. We have Cisco controllers and APs but we use an Aruba CP server, so I will conduct a POC on the MPSK feature. If it works as intended, this feature will go into production and serve 1000s of IoT devices across the USYD main campus and WAN sites. Once again thank you.
Senior Network Engineer at USYD
Thanks for this guide, it's great!
Just wondering where (physically) in the network the MPSK is valid. Can the user authenticate with ANY Access Point or just a specific group of Access Points?
I would see this service being useful to a large campus network, but surely from a scaling point of view you would limit the MPSK to a specific number of locations relevant to each user?
However, I don't see where in the configuration this might be enabled?
Also, anyone using this in production as yet ?
So the "standard" configuration is that MPSK is available for the entire campus? Does that scale out OK, e.g. hundreds or thousands of MPSKs across a campus?
Said another way, the APs do not store/sync the MPSKs. A query is done and ClearPass responds. No more overhead than MAC Authentication in general.
Great, thanks, that explains why it can scale!
In the Cisco world, you can limit the SSID to a specific location using "ap-groups", not sure how that is done in Aruba. Secondly, you can put a rule in the service where connection requests from a specific controller(s) are accepted.
We do it in a similar way Tariq. I will call you to discuss further.
Why isn't the sponsor email auto-populated when the operator account logs in? It appears that you have enabled sponsor email as a text field, but it seems to me that if you log in via AD you should be able to use the mail attribute or the username in email format to auto-fill the sponsor email.
Well, that was easy. Thank You Cappalli
My SMTP server is working fine, but I have some issues with autofilling the email field in the mac_create form.
I send the attribute "mail" in my enforcement profile. I can see my email address sent correctly in the request output as the attribute "Application:mail".
In the guest application there is a translation rule to bind the attribute value "mail" to the operator field "email".
In the form field, the email attribute is not autofilled.
I made some mistake or misunderstanding somewhere, but after some hours I give up, grrr. Some help would be welcome :). See attachments.
I found an issue in 18.104.22.168
When you create a new SSID using the wizard and choose MPSK and select your ClearPass server, it creates a new AAA profile for the MPSK SSID; however, the MAC auth server for that AAA profile is the default, not ClearPass. Therefore no authentications came to ClearPass.
Going into the AAA profile settings you can set the correct MAC Auth server group and this makes it all work
Thanks to OP for the guide!
Setting this up in the Lab today with all of my Home IoT devices :-)
How can I mass import? lol Got it
Cool you got it , if you have any question I can try to help.
Not sure if it's a smart thing to do, but I am using this instead of 802.1X. For Macs, 802.1X auth sucks (BT and WiFi are on the same chip and it has caused many problems) and I didn't want my users to suffer. MPSK is much easier for me: everyone has their own password, and they can't share it, well, they could, it just wouldn't work on another device. One thing to be aware of: if a user is using iCloud Keychain, WiFi passwords are shared throughout all their devices. To solve this, just use the same MPSK password for all devices for that particular user. I, for instance, used the same MPSK password when registering my Apple Watch, HomePod, MacBook, iMac, Apple TV, iPad, iPhone etc., so just be careful.
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.