Occasional Contributor II

MPSK, users in LDAP

Hi, we'd like to configure MPSK for IoT devices but wouldn't like to configure all those users in the CPPM device database. All the devices are already in our LDAP directory; is it possible to pull information from there to use with MPSK?

 

With Cisco we just return two avpairs, psk-mode=ascii and psk from the LDAP and it works great but how would we do this with Aruba? Have to say that the documentation is very "light" on this MPSK :)

Super Contributor I

Re: MPSK, users in LDAP

In theory this is possible. Are the devices registered in the LDAP database based on the MAC address?
The MPSK by default will be fetched from the Device repository using the following value: %{Authorization:[Guest Device Repository]:Device MPSK}

When you change this to the LDAP database this should work. However, I see that changing the Aruba-MPSK-Passphrase is not possible.
With some tricks it's maybe possible to change this but looks like this sadly is not supported.

I'd say a feature request...

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor II

Re: MPSK, users in LDAP

Yep, all the devices are in LDAP and there are attributes for the MAC and for PSKs used in the Cisco environment we could use with Aruba too.

 

Just wondering how the WLAN controller sees the authentication when MPSK is used. ClearPass is flexible, so we probably could send a similar RADIUS packet back to the controller if we knew what it looks like.

Super Contributor I

Re: MPSK, users in LDAP

Just send back the RADIUS attribute Aruba-MPSK-Passphrase. This is included in the latest ClearPass releases.
If you are using ClearPass 6.8 there is a service wizard for MPSK.

Willem Bargeman ACMX#935 | ACCX #822

Occasional Contributor II

Re: MPSK, users in LDAP

I'll give that a try, thanks. Do I need something configured on the WLAN controller for the MPSK feature to work?

 

Edit: Hmm, it seems that you need to return the passphrase in encrypted format. I wonder what the correct format for that is.

 

Super Contributor I

Re: MPSK, users in LDAP

https://www.arubanetworks.com/techdocs/ArubaOS_83_Web_Help/content/arubaframestyles/mac_authentication/mpsk.htm

Willem Bargeman ACMX#935 | ACCX #822

Guru Elite

Re: MPSK, users in LDAP

1:1 MPSK uses Device Registration. No other configuration is supported.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: MPSK, users in LDAP

Oh, that's bad; it would be really useful with all the IoT we have here. Would it be possible to download those from the LDAP server to our device database?

Guru Elite

Re: MPSK, users in LDAP

LDAP was really never designed for devices. You could use the REST API to bulk import.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: MPSK, users in LDAP

I'll try this. We're going to update CPPM tomorrow to 6.8 and then try to import the users from the LDAP directory.
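
A pre-import check for the LDAP export discussed in this thread, as an added example that is not part of the original posts or of any Aruba code: it normalizes MAC addresses, enforces the WPA2 passphrase rule (8 to 63 printable ASCII characters), and rejects a PSK that an earlier device already uses, since 1:1 MPSK assumes one passphrase per device. The attribute names `macAddress` and `devicePsk`, the simple unfolded LDIF input, and the neutral `mac`/`psk` output keys are assumptions; mapping the records to the ClearPass REST API fields has to follow the API documentation.

```python
import re

# Constructed sample LDIF export; the attribute names macAddress and
# devicePsk are hypothetical stand-ins for your directory's schema.
SAMPLE_LDIF = """\
dn: cn=sensor-01,ou=iot,dc=example,dc=org
macAddress: 00-11-22-AA-BB-01
devicePsk: correct-horse-01

dn: cn=sensor-02,ou=iot,dc=example,dc=org
macAddress: 0011.22aa.bb02
devicePsk: short

dn: cn=camera-03,ou=iot,dc=example,dc=org
macAddress: 00:11:22:aa:bb:03
devicePsk: correct-horse-01
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF entries (no folded or base64 values)."""
    return [dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
            for block in re.split(r"\n\s*\n", text.strip())]

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[-:.]", "", raw).lower()
    ok = re.fullmatch(r"[0-9a-f]{12}", digits)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if ok else None

def check_entries(text):
    """Split entries into importable records and rejects; reasons never echo the PSK."""
    records, rejects, seen_mac, seen_psk = [], [], set(), set()
    for e in parse_ldif(text):
        mac, psk = normalize_mac(e.get("macAddress", "")), e.get("devicePsk", "")
        reason = None
        if mac is None:
            reason = "invalid MAC"
        elif mac in seen_mac:
            reason = "duplicate MAC"
        elif not (8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)):
            reason = "PSK is not 8-63 printable ASCII characters"
        elif psk in seen_psk:
            reason = "PSK already used by an earlier device"
        if reason:
            rejects.append((e.get("dn", "?"), reason))
        else:
            seen_mac.add(mac)
            seen_psk.add(psk)
            records.append({"mac": mac, "psk": psk})
    return records, rejects
```

Only the first device holding a given PSK is accepted; later devices sharing it are listed in the rejects so they can be issued a new passphrase before import.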
