
Identity PSK (iPSK)

With the evolution of IoT (Internet of Things), the number of devices that connect wirelessly has multiplied: webcams, smartwatches, fitness bands, Fire Sticks, Alexa, Google Home and many more. Everything is going wireless for connectivity, and so is the security threat. The main concern with IoT devices is that they lack the full wireless protocol stack (in the majority of devices, 802.1X is not supported). So, previously we only had the WPA-PSK option for connecting IoT devices.

In a WPA*-PSK (WPA or WPA2) WLAN, a single Pre-Shared Key (PSK) is configured and distributed to all the clients that connect to the WLAN. Because the same PSK is shared across all devices, it tends to leak and can become accessible to unauthorized users.

Therefore, there was a need to provision unique PSKs, or multiple PSKs, per SSID. Identity PSKs are unique pre-shared keys created for individual clients or groups of clients on the same WLAN.

Features of iPSK:-

1. Unique PSK for individual clients/groups.

2. Easy to revoke a PSK if it gets compromised, without affecting the other groups.

3. Easy to track down and mitigate the affected PSK group.



Fig-1 (PSK Connectivity) shows the traditional PSK, where the SSID “PSK” has the Pre-Shared Key “Prekey@123”, which is distributed to all devices connecting to it.




Fig-2 (iPSK Connectivity) shows the SSID “iPSK” configured, with different devices connecting to the same SSID iPSK using individual keys.



Pre-requisites for Identity PSK in a Cisco environment

  1. Wireless LAN Controller (WLC), version 8.5 or later
  2. Identity Services Engine (ISE), version 2.2 or later
  3. Lightweight Access Point
  4. Identity PSK WLAN



Fig-3 shows the flow of the iPSK WLAN and the necessary configuration on the WLC and the RADIUS server.




Implementing iPSK in a Cisco wireless environment:-



Configuration of WLC


Step 1 - Add the RADIUS server. Go to Security>AAA>Radius Authentication (i.e., add the details of ISE, which is the RADIUS server in this example).


Step 2 - Create the Identity PSK WLAN.


Step 3 - Edit the WLAN; under Layer 2, choose WPA2 Policy>PSK and check MAC Filtering.




Step 4 - Choose the RADIUS (ISE) server under Security>AAA Servers.


Step 5 - Check Allow AAA Override under the WLAN's Advanced tab.


Now, we have two scenarios --

i. A separate PSK for each individual MAC address

ii. A common PSK for a group of devices, with multiple device groups across a single WLAN


Case 1 - Creation of an authorisation policy based on individual MAC addresses



Configuration on RADIUS (ISE)


Step 1 - Add the NAD (Network Access Device), i.e. the WLC. Go to Administration>Network Resources>Network Devices and click Add.


Step 2 - Create an authorization profile under Policy>Policy Elements>Results>Authorisation Profiles.




Step 3 - Create an authorisation rule for individual users on the basis of MAC address.


Case 2 - Creation of an authorisation policy based on device groups


Step 1 - Create different endpoint groups for the different sets of devices under Administration>Groups>Endpoint Identity Groups.


Step 2 - Create different authorisation profiles for the different device groups under Policy>Policy Elements>Authorization>Authorization Profiles.



Devices whose MAC addresses are in group G1 will have to connect to WLAN-iPSK with key “nkn@1234”, and devices whose MAC addresses are in group G2 will have to connect to WLAN-iPSK with key “Tech#123”.


Step 3 - Create separate authorization profiles under Policy>Authorization.
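To make the whole flow concrete, here is an added example (written for this page, not code from the post, from Cisco or from ISE) that models what the WLC and the RADIUS server do once the steps above are in place: MAC Filtering sends the client MAC as the RADIUS Calling-Station-Id, the policy server answers per individual MAC (Case 1) or per endpoint identity group (Case 2, with the G1/G2 keys from the post), and AAA Override lets the returned key replace the WLAN's static PSK before the 4-way handshake. The RADIUS messages are modelled as plain Python tuples and dicts; the MAC addresses are constructed locally administered values; the Cisco-AVPair names psk-mode and psk are the attributes Cisco documents for iPSK but are not mentioned in the post. The PSK-to-PMK derivation is the real WPA2-Personal one (PBKDF2-HMAC-SHA1, 4096 rounds); the handshake MIC check is deliberately simplified.

```python
"""Model of the iPSK authorization flow: WLC (MAC filtering + AAA override)
talking to a RADIUS policy server (ISE role). Added example, not vendor code.
"""
import hashlib
import hmac

SSID = "iPSK"   # SSID name used in the post

# Constructed sample MACs (locally administered 02:... range): not real devices.
PER_MAC_PSK = {                      # Case 1: one PSK per MAC address
    "02:00:00:00:00:01": "Cam!Only#01",
    "02:00:00:00:00:02": "Watch!Only#02",
}
ENDPOINT_GROUPS = {                  # Case 2: MAC -> endpoint identity group
    "02:00:00:00:00:11": "G1",
    "02:00:00:00:00:12": "G1",
    "02:00:00:00:00:21": "G2",
}
GROUP_PSK = {"G1": "nkn@1234", "G2": "Tech#123"}   # group keys from the post


def authorize(calling_station_id):
    """Policy-server decision for one Access-Request carrying the client MAC.

    Returns (RADIUS code, attributes). An unenrolled MAC is rejected, so it
    never reaches the 4-way handshake at all.
    """
    mac = calling_station_id.lower()
    if mac in PER_MAC_PSK:                           # Case 1 rule
        psk = PER_MAC_PSK[mac]
    elif ENDPOINT_GROUPS.get(mac) in GROUP_PSK:      # Case 2 rule
        psk = GROUP_PSK[ENDPOINT_GROUPS[mac]]
    else:
        return "Access-Reject", {}
    # Cisco-AVPair names documented for iPSK (assumption: not taken from the post)
    return "Access-Accept", {"Cisco-AVPair": ["psk-mode=ascii", "psk=" + psk]}


def wlc_psk_from_reply(reply):
    """With Allow AAA Override enabled, the WLC takes the PSK from the reply.
    None means no usable override, so the client cannot join."""
    code, attrs = reply
    if code != "Access-Accept":
        return None
    for av in attrs.get("Cisco-AVPair", []):
        name, _, value = av.partition("=")
        if name == "psk":
            return value
    return None


def psk_to_pmk(psk, ssid):
    """WPA2-Personal PMK derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def msg2_mic(pmk, ap_mac, sta_mac, anonce, snonce):
    """Simplified handshake check: a KCK from PMK, MACs and nonces, then a MIC
    over message 2. Real 802.11 uses PRF-384 and EAPOL-Key framing; the point
    here is only that the MIC verifies iff both sides started from the same PSK."""
    data = (b"Pairwise key expansion" + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    kck = hmac.new(pmk, data, hashlib.sha1).digest()[:16]
    return hmac.new(kck, b"EAPOL-Key msg2" + snonce, hashlib.sha1).digest()[:16]


def handshake_succeeds(client_mac, client_psk):
    """Does a client provisioned with client_psk join the iPSK WLAN?
    The AP's PMK comes from the RADIUS reply, the client's from its own key."""
    ap_psk = wlc_psk_from_reply(authorize(client_mac))
    if ap_psk is None:
        return False
    ap_mac = bytes.fromhex("0200000000aa")            # constructed AP BSSID
    sta_mac = bytes.fromhex(client_mac.replace(":", ""))
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # fixed for determinism
    expected = msg2_mic(psk_to_pmk(ap_psk, SSID), ap_mac, sta_mac, anonce, snonce)
    received = msg2_mic(psk_to_pmk(client_psk, SSID), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(expected, received)


def rotate_group_psk(group, new_psk):
    """Feature 2 from the post: revoking or rotating one group's key changes the
    policy for that group only; the other groups keep joining with their own keys."""
    GROUP_PSK[group] = new_psk


if __name__ == "__main__":
    print(authorize("02:00:00:00:00:11"))
    print(handshake_succeeds("02:00:00:00:00:11", "nkn@1234"))   # True: G1 device, G1 key
    print(handshake_succeeds("02:00:00:00:00:11", "Tech#123"))   # False: G2 key on a G1 device
    rotate_group_psk("G1", "NewKey@2024")
    print(handshake_succeeds("02:00:00:00:00:11", "nkn@1234"))   # False: old G1 key revoked
    print(handshake_succeeds("02:00:00:00:00:21", "Tech#123"))   # True: G2 unaffected
```

The useful property to take from the model is the last three lines: a device that presents another group's key, or a revoked key, fails at the handshake even though its MAC passed filtering, and rotating G1's key in the policy server is a single change that does not touch G2. On a real deployment the same check is visible as a failed 4-way handshake on the WLC for that MAC after the RADIUS Access-Accept.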




Happy Browsing 😊
