Security

I've been experimenting with the MPSK feature.

I was under the impression that we would be able to have a group PSK configured. e.g. all cameras use the same PSK, all printers use the same PSK, etc.

 

I have been unable to find any place to make this configuration, can anyone advise how to do this?

 

Searching the 6.8 documentation only shows how to modify the parameters for MPSK auto generation.

 

I also cannot find how to manually create the PSK value for a single device, it seems that it can only be auto-generated? Trying to modify the 'mpsk' field in any form to be free text results in an error like 'this field can only be static text'

You can return an MPSK directly in policy for a group of devices but it's not recommended as there is very little data that can be used in this dashion.

1:1 is always recommended.

aaah ok, i have it set up in Policy Manager now, was trying to do it all in Guest before.

 

Can you please expand on the limitations you mentioned and why 1:1 is recommended?

 

So far it looks like I'll be able to do the followng with no issues (not yet tested)

1. Create new device role_id 'Camera' and 'Printer' in [Guest Roles], make them available in Device Registration form
2. Set up a MPSK service that returns the Aruba-MPSK-Passphrase attribute for the appropriate role_id
3. Return the matching Aruba-User-Role alongside the Aruba-MPSK-Passphrase 

 

Because only the MAC address can be used to match the request which brings you back to 1:1.

I would recommend using the new service template. It helps you set everything up correctly.

To clarify, MPSK one-to-many is not possible? (one passphrase to multiple devices) (versus 1:1)

It's eluded to via the link below and other places, but I can't find more information on how to set it up.

https://blogs.arubanetworks.com/solutions/simplify-iot-authentication-with-multiple-pre-shared-keys/

 

"Passphrases can be administratively assigned to groups of devices based on common attributes like profiling data or uniquely assigned to each device registration with ClearPass Policy Manager."

 

Thanks

 

One way around this is to use the import feature. Add all the MAC addresses and use same password for everyone. Importing those from .csv allows you to define the MPSK and not use automatically generated password.

 

But like said, it makes the security worse. Usually you'd rather want to limit concurrent users to 1 and do alerts if profiles notices it's a different device now with same MAC address.

 

If you're really sure you want to do this, then grab a sample CSV from ClearPass and add 'mpsk' and 'mpsk_enable' fields to that (not sure if mpsk_enable was already there). Set mpsk_enable to 1 for obvious reasons and then mpsk field is your PSK. 

Hi pubjohndoe,

Thanks for the reply. I agree, it's not great for security. More of an educational excercise right now.

Thanks very much!

Steve

1:many is an administratively controlled rule. For example, you could say that all devices profiled as X can use the same PSK. 

 

This is not recommended, however, as the device needs network access to be profiled. It's a bit of a race condition.

 

Only 1:1 with device registration is recommended.

Hi Would you be able to share your config for this please, we are trying to create a 1:many mpsk assigned at role level and I'm struggling a little a bit.

Thanks
Ben
Original Message:
Sent: Mar 25, 2019 03:15 AM
From: Melvin Fleiser
Subject: Clearpass MPSK: group PSK ?

aaah ok, i have it set up in Policy Manager now, was trying to do it all in Guest before.

 

Can you please expand on the limitations you mentioned and why 1:1 is recommended?

 

So far it looks like I'll be able to do the followng with no issues (not yet tested)

1. Create new device role_id 'Camera' and 'Printer' in [Guest Roles], make them available in Device Registration form
2. Set up a MPSK service that returns the Aruba-MPSK-Passphrase attribute for the appropriate role_id
3. Return the matching Aruba-User-Role alongside the Aruba-MPSK-Passphrase