Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass MPSK: group PSK ?

  • 1.  Clearpass MPSK: group PSK ?

    Posted Mar 25, 2019 12:57 AM

    I've been experimenting with the MPSK feature.

    I was under the impression that we would be able to have a group PSK configured. e.g. all cameras use the same PSK, all printers use the same PSK, etc.


    I have been unable to find any place to make this configuration, can anyone advise how to do this?


    Searching the 6.8 documentation only shows how to modify the parameters for MPSK auto generation.


    I also cannot find how to manually create the PSK value for a single device, it seems that it can only be auto-generated? Trying to modify the 'mpsk' field in any form to be free text results in an error like 'this field can only be static text'



  • 2.  RE: Clearpass MPSK: group PSK ?

    Posted Mar 25, 2019 01:27 AM
    You can return an MPSK directly in policy for a group of devices, but it's not recommended as there is very little data that can be used in this fashion.

    1:1 is always recommended.


  • 3.  RE: Clearpass MPSK: group PSK ?

    Posted Mar 25, 2019 03:15 AM

    Aaah ok, I have it set up in Policy Manager now, was trying to do it all in Guest before.


    Can you please expand on the limitations you mentioned and why 1:1 is recommended?


    So far it looks like I'll be able to do the following with no issues (not yet tested):

    1. Create new device role_id 'Camera' and 'Printer' in [Guest Roles], make them available in Device Registration form
    2. Set up a MPSK service that returns the Aruba-MPSK-Passphrase attribute for the appropriate role_id
    3. Return the matching Aruba-User-Role alongside the Aruba-MPSK-Passphrase 




  • 4.  RE: Clearpass MPSK: group PSK ?

    Posted Mar 25, 2019 06:49 AM
    Because only the MAC address can be used to match the request which brings you back to 1:1.

    I would recommend using the new service template. It helps you set everything up correctly.


  • 5.  RE: Clearpass MPSK: group PSK ?

    Posted Jan 14, 2020 09:23 AM

    To clarify, MPSK one-to-many is not possible? (one passphrase to multiple devices) (versus 1:1)

    It's alluded to via the link below and other places, but I can't find more information on how to set it up.

    https://blogs.arubanetworks.com/solutions/simplify-iot-authentication-with-multiple-pre-shared-keys/


    "Passphrases can be administratively assigned to groups of devices based on common attributes like profiling data or uniquely assigned to each device registration with ClearPass Policy Manager."


    Thanks




  • 6.  RE: Clearpass MPSK: group PSK ?

    Posted Jan 14, 2020 12:11 PM

    One way around this is to use the import feature. Add all the MAC addresses and use the same password for everyone. Importing those from .csv allows you to define the MPSK and not use the automatically generated password.


    But like I said, it makes the security worse. Usually you'd rather want to limit concurrent users to 1 and do alerts if the profiler notices it's a different device now with the same MAC address.


    If you're really sure you want to do this, then grab a sample CSV from ClearPass and add 'mpsk' and 'mpsk_enable' fields to that (not sure if mpsk_enable was already there). Set mpsk_enable to 1 for obvious reasons and then mpsk field is your PSK. 

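The CSV import route described in the post above, worked through as an added example (this is not code from the thread, from Aruba, or from ClearPass itself). It builds a device-registration import file in both the 1:1 mode the thread recommends and the shared-per-role mode the original question asked about, and it counts how many devices each passphrase unlocks so the trade-off is visible before the file is uploaded. The `mpsk` and `mpsk_enable` fields are the ones named in the post; the other column names (`mac`, `visitor_name`, `role_id`), the inventory, and the passphrase length are assumptions for the example and should be replaced with the headers from a sample CSV exported from your own ClearPass Guest.

```python
import csv
import io
import re
import secrets
import string

# Constructed inventory for the example; these are not real devices.
INVENTORY = [
    {"mac": "00:11:22:33:44:55", "name": "Lobby camera",        "role_id": "Camera"},
    {"mac": "00-11-22-33-44-56", "name": "Loading dock camera", "role_id": "Camera"},
    {"mac": "0011.2233.4457",    "name": "Finance printer",     "role_id": "Printer"},
    {"mac": "00:11:22:33:44:58", "name": "HR printer",          "role_id": "Printer"},
]

# 'mpsk' and 'mpsk_enable' come from the thread; the other columns are assumed
# and should be taken from a sample CSV exported from your own ClearPass Guest.
COLUMNS = ["mac", "visitor_name", "role_id", "mpsk_enable", "mpsk"]

# A WPA2 passphrase is 8 to 63 printable ASCII characters; we stay alphanumeric
# so the value survives any CSV quoting and copy/paste into a device UI.
PSK_ALPHABET = string.ascii_letters + string.digits


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and return
    lowercase colon-separated form; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def has_duplicate_macs(inventory) -> bool:
    """MPSK lookup is keyed on the MAC address, so two rows for one MAC are ambiguous."""
    macs = [normalize_mac(d["mac"]) for d in inventory]
    return len(macs) != len(set(macs))


def generate_psk(length: int = 24) -> str:
    """Random passphrase from the OS CSPRNG (secrets), never random.random()."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def build_rows(inventory, mode="unique", group_psks=None):
    """mode='unique': one fresh passphrase per device (the recommended 1:1 model).
    mode='group':  every device with the same role_id shares one passphrase;
    pass group_psks={'Camera': '...'} to fix a value, otherwise one is generated."""
    if mode not in ("unique", "group"):
        raise ValueError(f"unknown mode {mode!r}")
    if has_duplicate_macs(inventory):
        raise ValueError("duplicate MAC addresses in inventory")
    group_psks = dict(group_psks or {})
    rows = []
    for dev in inventory:
        if mode == "unique":
            psk = generate_psk()
        else:
            psk = group_psks.setdefault(dev["role_id"], generate_psk())
        rows.append({
            "mac": normalize_mac(dev["mac"]),
            "visitor_name": dev["name"],
            "role_id": dev["role_id"],
            "mpsk_enable": "1",   # the post: set mpsk_enable to 1, mpsk is the PSK
            "mpsk": psk,
        })
    return rows


def to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def blast_radius(rows) -> dict:
    """How many devices each passphrase admits: what one leaked PSK costs you."""
    counts = {}
    for row in rows:
        counts[row["mpsk"]] = counts.get(row["mpsk"], 0) + 1
    return counts


if __name__ == "__main__":
    unique_rows = build_rows(INVENTORY, mode="unique")
    group_rows = build_rows(INVENTORY, mode="group")
    print(to_csv(unique_rows))
    print("worst-case devices per passphrase, 1:1  :", max(blast_radius(unique_rows).values()))
    print("worst-case devices per passphrase, group:", max(blast_radius(group_rows).values()))
```

Redirect the printed CSV to a file and import it through the Guest device import page; keep the generated file out of version control and ticketing systems, since it is a list of cleartext Wi-Fi credentials. The `blast_radius` figure is the practical argument for the 1:1 recommendation earlier in the thread: with a shared PSK, revoking one compromised camera means re-keying every camera.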


  • 7.  RE: Clearpass MPSK: group PSK ?

    Posted Jan 14, 2020 01:26 PM

    Hi pubjohndoe,

    Thanks for the reply. I agree, it's not great for security. More of an educational exercise right now.

    Thanks very much!

    Steve



  • 8.  RE: Clearpass MPSK: group PSK ?

    Posted Jan 14, 2020 06:03 PM

    1:many is an administratively controlled rule. For example, you could say that all devices profiled as X can use the same PSK. 


    This is not recommended, however, as the device needs network access to be profiled. It's a bit of a race condition.


    Only 1:1 with device registration is recommended.