
MPSK, users in LDAP

  • 1.  MPSK, users in LDAP

    Posted Jun 24, 2019 05:05 AM

    Hi, we'd like to configure MPSK for IoT devices but wouldn't like to configure all those users in the CPPM device database. All the devices are already in our LDAP directory, is it possible to pull information from there to use with MPSK?

     

    With Cisco we just return two avpairs, psk-mode=ascii and psk from the LDAP and it works great but how would we do this with Aruba? Have to say that the documentation is very "light" on this MPSK :)



  • 2.  RE: MPSK, users in LDAP

    Posted Jun 24, 2019 05:28 AM
    In theory this is possible. Are the devices registered in the LDAP database based on the MAC address?
    The MPSK by default will be fetched from the Device repository using the following value. %{Authorization:[Guest Device Repository]:Device MPSK}

    When you change this to the LDAP database this should work. However, I see that changing the Aruba-MPSK-Passphrase is not possible.
    With some tricks it's maybe possible to change this but looks like this sadly is not supported.

    I'd say a feature request...


  • 3.  RE: MPSK, users in LDAP

    Posted Jun 24, 2019 05:48 AM

    Yep, all the devices are in LDAP and there are attributes for the MAC and for PSKs used in the Cisco environment we could use with Aruba too.

     

    Just wondering how the WLAN controller sees the authentication when MPSK is used. ClearPass is flexible, so we probably could send a similar RADIUS packet back to the controller if we knew what it looks like.



  • 4.  RE: MPSK, users in LDAP

    Posted Jun 24, 2019 07:38 AM
    Just send back the RADIUS attribute Aruba-MPSK-Passphrase. This is included in the latest ClearPass releases.
    If you are using ClearPass 6.8 there is a service wizard for MPSK.


  • 5.  RE: MPSK, users in LDAP

    Posted Jun 24, 2019 07:51 AM

    I'll give that a try, thanks. Do I need something configured on the WLAN controller for the MPSK feature to work?

     

    Edit: hmm, seems that you need to return the passphrase in encrypted format, I wonder what the correct format for that is.

     



  • 6.  RE: MPSK, users in LDAP



  • 7.  RE: MPSK, users in LDAP

    EMPLOYEE
    Posted Jun 24, 2019 08:47 AM

    1:1 MPSK uses Device Registration. No other configuration is supported.



  • 8.  RE: MPSK, users in LDAP

    Posted Jun 24, 2019 08:48 AM

    Oh, that's bad, it would be really useful with all the IoT we have here. Would it be possible to download those from the LDAP server to our device database?



  • 9.  RE: MPSK, users in LDAP

    EMPLOYEE
    Posted Jun 24, 2019 08:53 AM
    LDAP was really never designed for devices. You could use the REST API to bulk import.


  • 10.  RE: MPSK, users in LDAP

    Posted Jun 24, 2019 08:55 AM

    I'll try this, we're going to update CPPM tomorrow to 6.8 and then try to import the users from the LDAP directory.



  • 11.  RE: MPSK, users in LDAP

    Posted Nov 04, 2019 04:18 PM

    After a while we've updated controller + ClearPass to support MPSK.

     

    We have our users in a database. However, it seems I'm unable to edit the return value field for Aruba-MPSK-Passphrase; it just lets me either generate a new one in the profile or take one from the ClearPass Device.

     

    I'd rather not keep a second copy of the device in ClearPass Guest. Is it possible to change the return value to something else?