Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MPSK not working

  • 1.  MPSK not working

    Posted Feb 26, 2020 08:45 AM

    I tried to set up MPSK, but this doesn't seem to work. Basically I just ran the WLAN wizard (AOS 8.5.0.4) and created a new SSID. I pointed the RADIUS to an existing server group that is also used for 802.1x. In ClearPass (8.6) I also just used the wizard to create an MPSK service. Everything looks OK, but when a client connects to the SSID it fails and I can't see the connection attempt in ClearPass (filtered on MAC address). Is there an option anywhere that has to be enabled in order to let it work? Looks like the wireless controller is not calling the ClearPass server.



  • 2.  RE: MPSK not working

    MVP EXPERT
    Posted Feb 26, 2020 08:59 AM

    What does your controller config look like? If there is an existing dot1x service defined this suggests that WLC <-> CPPM communication is correct.


    Did you configure the MAC Authentication Server Group/RADIUS Accounting Server Group/RFC 3576 Server under the AAA Profile?



  • 3.  RE: MPSK not working

    Posted Feb 26, 2020 09:00 AM
    Did you register the device in the guest device repository? If so, did you enable the MPSK field?


  • 4.  RE: MPSK not working

    Posted Feb 26, 2020 10:23 AM

    I did register the device and enable MPSK. Nevertheless I would expect to see the RADIUS request in ClearPass whether it's successful or not. I don't see it.

     

    The wizard created a new server group. I just added 2 existing working ClearPass servers to this group. In the AAA profile that was also created by the wizard, I see this group is bound to the 802.1x auth server group. No binding to MAC nor accounting.



  • 5.  RE: MPSK not working
    Best Answer

    MVP EXPERT
    Posted Feb 26, 2020 10:34 AM


  • 6.  RE: MPSK not working

    MVP EXPERT
    Posted Feb 26, 2020 01:58 PM

    Craig is right, please enable mac-auth in your AAA profile. Below is an example.

     

    image.PNG

     



  • 7.  RE: MPSK not working

    Posted Feb 27, 2020 12:26 PM

    Setting mac auth in the AAA profile did fix the issue. Thx for all replies. I suppose this is a bug in AOS since the MPSK wizard only sets the 802.1x profile? I can also understand why mac auth would be possible, but why is 802.1x needed?



  • 8.  RE: MPSK not working

    MVP EXPERT
    Posted Feb 27, 2020 03:23 PM

    Hi Davypriem,

     

    It is not a bug but a configuration step that needs to be taken.

     

    Actually, MPSK is an 802.1x request that sends the MAC address in the "Radius:IETF:User-Name" attribute field. ClearPass processes this against the MPSK service and checks this MAC address against the guest device repository. After all that, ClearPass will answer with an 802.1x reply to the controller; this holds the Radius:Aruba:Aruba-MPSK-Passphrase that the controller will use to authenticate the client's WPA2 passphrase.

     

    Hopefully this answered your question.
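
The exchange described in the last reply, sketched as an added example that is not part of the original thread and is not Aruba or ClearPass code. Only the attribute names `User-Name` and `Aruba-MPSK-Passphrase` come from the thread; the repository contents, function names, SSID and dictionary-shaped "packets" are constructed assumptions, and the PBKDF2 step is the standard WPA2-PSK derivation rather than anything the thread states.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the guest device repository (keys: normalized MAC).
DEVICE_REPOSITORY = {
    "aabbccddeeff": {"mpsk_enabled": True, "passphrase": "constructed-pass-1"},
    "001122334455": {"mpsk_enabled": False, "passphrase": "constructed-pass-2"},
}

def normalize_mac(mac):
    """Accept aa:bb.., AA-BB.., aabb.ccdd.eeff; return 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def radius_server_reply(access_request):
    """Server side: User-Name carries the MAC; answer with that device's passphrase."""
    try:
        mac = normalize_mac(access_request["User-Name"])
    except (KeyError, ValueError):
        return {"code": "Access-Reject"}
    device = DEVICE_REPOSITORY.get(mac)
    if device is None or not device["mpsk_enabled"]:
        return {"code": "Access-Reject"}  # unknown device, or MPSK not enabled for it
    return {"code": "Access-Accept", "Aruba-MPSK-Passphrase": device["passphrase"]}

def wpa2_pmk(passphrase, ssid):
    """Standard WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def controller_admit(client_mac, client_passphrase, ssid):
    """Controller side. Simplification: comparing PMKs stands in for the 4-way
    handshake, in which the client proves knowledge of the key without sending it."""
    reply = radius_server_reply({"User-Name": client_mac})
    if reply["code"] != "Access-Accept":
        return False
    expected = wpa2_pmk(reply["Aruba-MPSK-Passphrase"], ssid)
    return hmac.compare_digest(expected, wpa2_pmk(client_passphrase, ssid))

if __name__ == "__main__":
    for mac, pw in [("AA-BB-CC-DD-EE-FF", "constructed-pass-1"),
                    ("aa:bb:cc:dd:ee:ff", "wrong-passphrase"),
                    ("00:11:22:33:44:55", "constructed-pass-2")]:
        print(mac, controller_admit(mac, pw, "demo-ssid"))
```

A device that is registered but does not have MPSK enabled is rejected the same way as an unknown MAC, which is why the repository entry has to be checked as well as the AAA profile.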