I've been experimenting with the MPSK feature.
I was under the impression that we would be able to have a group PSK configured, e.g. all cameras use the same PSK, all printers use the same PSK, etc.
I have been unable to find any place to make this configuration, can anyone advise how to do this?
Searching the 6.8 documentation only shows how to modify the parameters for MPSK auto generation.
I also cannot find how to manually create the PSK value for a single device, it seems that it can only be auto-generated? Trying to modify the 'mpsk' field in any form to be free text results in an error like 'this field can only be static text'
Aaah OK, I have it set up in Policy Manager now, was trying to do it all in Guest before.
Can you please expand on the limitations you mentioned and why 1:1 is recommended?
So far it looks like I'll be able to do the following with no issues (not yet tested):
1. Create new device role_id 'Camera' and 'Printer' in [Guest Roles], make them available in Device Registration form
2. Set up a MPSK service that returns the Aruba-MPSK-Passphrase attribute for the appropriate role_id
3. Return the matching Aruba-User-Role alongside the Aruba-MPSK-Passphrase
To clarify, MPSK one-to-many is not possible? (one passphrase to multiple devices) (versus 1:1)
It's alluded to via the link below and other places, but I can't find more information on how to set it up.
"Passphrases can be administratively assigned to groups of devices based on common attributes like profiling data or uniquely assigned to each device registration with ClearPass Policy Manager."
One way around this is to use the import feature. Add all the MAC addresses and use same password for everyone. Importing those from .csv allows you to define the MPSK and not use automatically generated password.
But, as was said, it makes the security worse. Usually you'd rather want to limit concurrent users to 1 and do alerts if profiles notices it's a different device now with same MAC address.
If you're really sure you want to do this, then grab a sample CSV from ClearPass and add 'mpsk' and 'mpsk_enable' fields to that (not sure if mpsk_enable was already there). Set mpsk_enable to 1 for obvious reasons and then mpsk field is your PSK.
Thanks for the reply. I agree, it's not great for security. More of an educational exercise right now.
Thanks very much!
1:many is an administratively controlled rule. For example, you could say that all devices profiled as X can use the same PSK.
This is not recommended, however, as the device needs network access to be profiled. It's a bit of a race condition.
Only 1:1 with device registration is recommended.
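Added example, not part of any post in this thread and not Aruba's code: a small audit that reads a device CSV and reports every enabled MPSK assigned to more than one MAC address, which is the 1:many case the replies advise against. The `mpsk` and `mpsk_enable` column names come from the thread; the `mac` column name and all sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. 'mpsk' and 'mpsk_enable' are the fields named in
# the thread; the 'mac' column name and all values are assumptions.
SAMPLE_CSV = """mac,mpsk,mpsk_enable
AA-BB-CC-00-00-01,camera-shared-psk,1
aa:bb:cc:00:00:02,camera-shared-psk,1
aabb.cc00.0003,printer-unique-psk-1,1
AA:BB:CC:00:00:04,camera-shared-psk,0
aa:bb:cc:00:00:05,printer-unique-psk-2,1
"""

def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def fingerprint(psk):
    """Short SHA-256 tag so reports never contain the passphrase itself."""
    return hashlib.sha256(psk.encode("utf-8")).hexdigest()[:12]

def find_shared_mpsk(csv_text):
    """Map passphrase fingerprint -> sorted MACs for every enabled MPSK
    that is assigned to more than one device (1:many)."""
    by_psk = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("mpsk_enable", "").strip() != "1":
            continue  # MPSK disabled for this device
        psk = row.get("mpsk", "")
        if not psk:
            continue  # no passphrase recorded for this device
        by_psk[fingerprint(psk)].add(normalize_mac(row["mac"]))
    return {fp: sorted(macs) for fp, macs in by_psk.items() if len(macs) > 1}

if __name__ == "__main__":
    for fp, macs in find_shared_mpsk(SAMPLE_CSV).items():
        print(f"MPSK sha256:{fp} shared by {len(macs)} devices: {', '.join(macs)}")
```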