Setting up MPSK for headless/IoT devices

Use Case:
The following is the use case addressed in this post.
Users access the Device Registration page using their Active Directory credentials and register their headless/IoT devices.
The Multi Pre-Shared Key (MPSK) is sent to the user by email.
The user then connects their headless/IoT devices using the MPSK provided.

Requirements:

ArubaOS 8.4.0.0+

Clearpass 6.8+


How to Configure:

Create a new Operator Profile:

Create a new operator profile “Student” with access to manage devices on the network. Also select the user roles against which operators with this profile can register their devices.

Clearpass Guest -> Administration -> Operator Logins -> Profiles

(Screenshot: operator profile.png)

Create a service to handle the user’s access to the Device Registration page using Active Directory credentials:

The enforcement policy controlling access to the Device Registration page returns "admin_privileges = Student".

(Screenshot: Operator login serivce.jpg)

Create a service to authenticate devices using an Aruba MPSK:

To configure MPSK on Clearpass, use the service template "Aruba Wireless with MPSK":

Configuration -> Service Templates & Wizards -> Aruba Wireless with MPSK

Enter the prefix, the wireless device details and the device roles (Tags), and finally map the tags to the actual Aruba user-roles. Please refer to the screenshots below.

(Screenshot: MPSK Service.jpg)

The following are returned as part of the enforcement profile:

  • Aruba user-role
  • The device's assigned MPSK, which was generated automatically during Device Registration
  • Guest Device repository sponsor name (in this case the AD username)

(Screenshot: Enforcement Profile.jpg)

Make the Device Registration Page forms MPSK aware:

Clearpass Guest -> Administration -> Aruba Integrations -> MPSK Configuration

In 'Deployment Mode', select the radio button 'Always generate unique device WiFi passwords' and save the configuration.

(Screenshot: Make Page MPSK aware.jpg)

Set up the SMTP Server:

This enables the MPSK receipt to be emailed to the user who is registering the device.

Configure the SMTP server at Clearpass -> Administration -> External Servers -> Messaging Setup.

For more details, refer to the post below.

https://community.arubanetworks.com/t5/Education-Australia-New-Zealand/Sending-Emails-from-ClearPass-with-Gmail/gpm-p/427050

Controller Configuration:

Just use the wizard:

Managed Networks -> Select the hierarchy you want -> Configuration -> WLAN -> +

In the ‘Security’ tab, select WPA2-Personal -> ‘Use Aruba MPSK’ and associate the Clearpass server with it.

(Screenshot: Controller Config.jpg)

Create the user roles that are returned to the controller under

Configuration -> Roles and Policies -> Roles -> +

Ensure the following parameters of AAA profile have the right server group associated.

  • MAC Authentication Server Group
  • RADIUS Accounting Server Group
  • RFC 3576 Server
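As an added illustration (not ClearPass or ArubaOS code, and not part of the original post), the following Python models the flow configured above: Device Registration mints one unique MPSK per device MAC, and a MAC-authentication query for that MAC returns the user-role, that device's own MPSK and the sponsor (the AD username). The role names, the attribute names used as dictionary keys and the passphrase format are constructed assumptions.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed model of the post's flow (not ClearPass code): one MPSK per
# registered MAC, looked up on MAC authentication, nothing stored on the AP.
NON_HEX = re.compile(r"[^0-9a-fA-F]")
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no look-alike characters
DEVICE_ROLES = {"iot-media", "iot-printer"}    # assumed tag -> role names


@dataclass(frozen=True)
class Device:
    mac: str
    role: str
    sponsor: str   # AD username of the registering operator
    mpsk: str


def normalise_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff form; rejects anything that is not a MAC."""
    hexdigits = NON_HEX.sub("", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class MpskRegistry:
    def __init__(self):
        self._devices = {}

    def register(self, mac, role, sponsor, length=16):
        """Device Registration: mint a fresh CSPRNG passphrase for this MAC."""
        mac = normalise_mac(mac)
        if role not in DEVICE_ROLES:
            raise ValueError(f"unknown device role {role!r}")
        if mac in self._devices:
            raise ValueError(f"{mac} is already registered")
        mpsk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._devices[mac] = Device(mac, role, sponsor, mpsk)
        return self._devices[mac]

    def mac_auth(self, mac):
        """MAC auth: attributes the enforcement profile returns, or None (reject)."""
        dev = self._devices.get(normalise_mac(mac))
        if dev is None:
            return None
        return {"Aruba-User-Role": dev.role,
                "Aruba-MPSK-Passphrase": dev.mpsk,   # assumed attribute name
                "Sponsor-Name": dev.sponsor}
```

Because the key is looked up per MAC at authentication time, a passphrase issued to one device is never accepted for another MAC, which is the 1:1 model discussed in the replies below.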


Demo:

Access the Device Registration Page and login using your AD credentials.

https://clearpass.arubatechs.com/guest/auth_login.php

Once you have logged in, register your device by clicking on “Create Device”.

(Screenshot: Create Device.jpg)

You will receive an email.

(Screenshot: Email.jpg)

Now connect your media player to the SSID “IOT” using the MPSK provided in the email.

Controller Dashboard:

The media player is associated under the AD username ‘kerampu’.

(Screenshot: ctlr dashboard.jpg)

Clearpass Access Tracker:

(Screenshot: Clearpass Access Tracker.jpg)

Hope you find this post useful. Please share your feedback.

New Contributor

Re: Setting up MPSK for headless/IoT devices

Thank you so much Kapil for writing this document and explaining the config in steps. Here at the University of Sydney there is a great demand for IoT devices. We wanted a similar solution which takes into account one SSID but unique passwords per device, and MPSK is something we can leverage. We have Cisco controllers and APs but we use an Aruba CP server, so I will conduct a POC on the MPSK feature. If it works as intended, this feature will go into production and serve thousands of IoT devices across the USYD main campus and WAN sites. Once again thank you.

Cheers

Tariq

Senior Network Engineer at USYD

Occasional Contributor II

Re: Setting up MPSK for headless/IoT devices

Thanks for this guide, it's great!

Just wondering where (physically) in the network the MPSK is valid. Can the user authenticate with ANY Access Point or just a specific group of Access Points?

I would see this service being useful to a large campus network, but surely from a scaling point of view you would limit the MPSK to a specific number of locations relevant to each user?

However, I don't see where in the configuration this might be enabled?

Also, is anyone using this in production as yet?

Guru Elite

Re: Setting up MPSK for headless/IoT devices

You could, but that's an admin configuration and would become difficult to maintain.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor II

Re: Setting up MPSK for headless/IoT devices

Thanks Tim

So the "standard" configuration is that MPSK is available for the entire campus? Does that scale out OK, e.g. hundreds or thousands of MPSKs across a campus?

Guru Elite

Re: Setting up MPSK for headless/IoT devices

Yes, it's a 1:1 model.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Aruba Employee

Re: Setting up MPSK for headless/IoT devices

Said another way, the APs do not store/sync the MPSKs. A query is done and ClearPass responds. No more overhead than MAC Authentication in general.

Occasional Contributor II

Re: Setting up MPSK for headless/IoT devices

Great, thanks that explains why it can scale...!

Occasional Contributor I

Re: Setting up MPSK for headless/IoT devices

Hi

Why isn't the sponsor email auto-populated when the operator account logs in? It appears that you have enabled sponsor email as a text field, but it seems to me that if you log in via AD you should be able to use the mail attribute or the username in email format to auto-fill the sponsor email.

Thanks

Andrew

Guru Elite

Re: Setting up MPSK for headless/IoT devices

You need to send back the mail attribute in your operator service. It can’t always be assumed that the username is the email address.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.