Security

I have a customer that likes the MPSK feature, but wants it where each user account (in cp:guest) has the sam PSK for each of their registered devices. I know how conceptually this should be implemented - send the PSK back that is configured for that account when the device MAC Auths - but I am having a heck of a time with the query. I have put in a new field for the Guest User Account - called user_mpsk - and am able to write it there fine.

How can I get the value from the Guest User Account, when I am mac-auth’ing against the Guest Devices database? I can find the sponsor_name for the device… but how do I call to Guest User when authorization doesn’t pull the details for the User since it is the MAC of the device that is the user id?

Does this make sense?

I was trying to write a Filter Query under the Guest User Database to be able to pull the info out but my SQL skill is not good enough.
Alternatively, I could try to store a value for each endpoint that is their MPSK, as a post-auth endpoint update action. Then future auth requests would see that value. But that seems the wrong way about it.

How can I achieve this in a scalable way, with the value coming from CP:Guest User Account attributes?

Many thanks in advance!

That is not how the feature is designed in ClearPass, so your mileage may vary.

Design is one unique key per device, and for IoT devices only, not for user devices which may suffer mac randomization and result in unexpected authentication failures.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Nov 12, 2022 09:48 PM
From: Ryan Higgins
Subject: MPSK per-user, Query Questions

I have a customer that likes the MPSK feature, but wants it where each user account (in cp:guest) has the sam PSK for each of their registered devices. I know how conceptually this should be implemented - send the PSK back that is configured for that account when the device MAC Auths - but I am having a heck of a time with the query. I have put in a new field for the Guest User Account - called user_mpsk - and am able to write it there fine.

How can I get the value from the Guest User Account, when I am mac-auth'ing against the Guest Devices database? I can find the sponsor_name for the device… but how do I call to Guest User when authorization doesn't pull the details for the User since it is the MAC of the device that is the user id?

Does this make sense?

I was trying to write a Filter Query under the Guest User Database to be able to pull the info out but my SQL skill is not good enough.
Alternatively, I could try to store a value for each endpoint that is their MPSK, as a post-auth endpoint update action. Then future auth requests would see that value. But that seems the wrong way about it.

How can I achieve this in a scalable way, with the value coming from CP:Guest User Account attributes?

Many thanks in advance!

I have this working where I have the client manually enter the MPSK value into a special attribute stored with the device entry. This worked well.

For your statement of the randomized MAC addresses, isn’t this just the case for the Private MAC address on iOS/Android? I thought I saw that once they choose the MAC for their SSID connection, they maintain that MAC until the network is forgotten - right? That is known by the customer and is okay with them, if that is how it is functioning.

If, alternatively, devices rotate through different Private MAC addresses regularly, how would this MPSK solution ever function correctly?

---------------------------------
ryh
---------------------------------



Original Message:
Sent: Nov 14, 2022
From: Herman Robers
Subject: RE: MPSK per-user, Query Questions

That is not how the feature is designed in ClearPass, so your mileage may vary.

Design is one unique key per device, and for IoT devices only, not for user devices which may suffer mac randomization and result in unexpected authentication failures.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Nov 12, 2022 09:48 PM
From: Ryan Higgins
Subject: MPSK per-user, Query Questions

I have a customer that likes the MPSK feature, but wants it where each user account (in cp:guest) has the sam PSK for each of their registered devices. I know how conceptually this should be implemented - send the PSK back that is configured for that account when the device MAC Auths - but I am having a heck of a time with the query. I have put in a new field for the Guest User Account - called user_mpsk - and am able to write it there fine.

How can I get the value from the Guest User Account, when I am mac-auth'ing against the Guest Devices database? I can find the sponsor_name for the device… but how do I call to Guest User when authorization doesn't pull the details for the User since it is the MAC of the device that is the user id?

Does this make sense?

I was trying to write a Filter Query under the Guest User Database to be able to pull the info out but my SQL skill is not good enough.
Alternatively, I could try to store a value for each endpoint that is their MPSK, as a post-auth endpoint update action. Then future auth requests would see that value. But that seems the wrong way about it.

How can I achieve this in a scalable way, with the value coming from CP:Guest User Account attributes?

Many thanks in advance!

It doesn't/won't and it does depend on how the device is configured.  Some versions of Android let you randomize each time you connect to the SSID.  Apple iOS stays with the same MAC until you forget the SSID.  The only real solution to this is to use an MDM.
Original Message:
Sent: Nov 14, 2022 02:39 PM
From: Ryan Higgins
Subject: MPSK per-user, Query Questions

I have this working where I have the client manually enter the MPSK value into a special attribute stored with the device entry. This worked well.

For your statement of the randomized MAC addresses, isn't this just the case for the Private MAC address on iOS/Android? I thought I saw that once they choose the MAC for their SSID connection, they maintain that MAC until the network is forgotten - right? That is known by the customer and is okay with them, if that is how it is functioning.

If, alternatively, devices rotate through different Private MAC addresses regularly, how would this MPSK solution ever function correctly?

---------------------------------
ryh

Original Message:
Sent: Nov 14, 2022
From: Herman Robers
Subject: RE: MPSK per-user, Query Questions

That is not how the feature is designed in ClearPass, so your mileage may vary.

Design is one unique key per device, and for IoT devices only, not for user devices which may suffer mac randomization and result in unexpected authentication failures.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Nov 12, 2022 09:48 PM
From: Ryan Higgins
Subject: MPSK per-user, Query Questions

I have a customer that likes the MPSK feature, but wants it where each user account (in cp:guest) has the sam PSK for each of their registered devices. I know how conceptually this should be implemented - send the PSK back that is configured for that account when the device MAC Auths - but I am having a heck of a time with the query. I have put in a new field for the Guest User Account - called user_mpsk - and am able to write it there fine.

How can I get the value from the Guest User Account, when I am mac-auth'ing against the Guest Devices database? I can find the sponsor_name for the device… but how do I call to Guest User when authorization doesn't pull the details for the User since it is the MAC of the device that is the user id?

Does this make sense?

I was trying to write a Filter Query under the Guest User Database to be able to pull the info out but my SQL skill is not good enough.
Alternatively, I could try to store a value for each endpoint that is their MPSK, as a post-auth endpoint update action. Then future auth requests would see that value. But that seems the wrong way about it.

How can I achieve this in a scalable way, with the value coming from CP:Guest User Account attributes?

Many thanks in advance!