During client authentication, the AAA server would authorize the client mac address and send the passphrase (if configured) as part of the Cisco-AVPair list. The WLC would receive this as part of the radius response and would process this further for the computation of PSK.

When the client sends association request to the SSID broadcasted by the access point, the Wireless LAN Controller forms the RADIUS request packet with the particular mac address of the client and relays to the RADIUS server.

The RADIUS server performs the authentication and checks whether the client is allowed or not and sends either ACCESS-ACCEPT or ACCESS-REJECT as response to the WLC.

To support Identity PSK, in addition to sending the authentication response, the authentication server would also provide the AV Pair passphrase for this specific client. This is used further for the computation of PSK.

The RADIUS server could also provide additional parameters such as username, VLAN, QoS, etc in the response, that is specific to this client. For multiple devices that is owned by a single user, the passphrase could remain the same.

Just like AVC, mDNS or Open DNS profile can be mapped to a local policy for a client with a particular device type.IPSK also can be combined with Local policies on the controller and mapped to a specific WLAN. When configuring the AV-pair=PSK-mode and PSK-password on the AAA server such as ISE, admin can easily add another AV-pair=role for example for a teacher or a student group and then configure a Local policy to that specific Role.Each local policy can be configured with a different profile name, ACL, Role, Device Type and even Active Hours based on the AAA override to restrict/permit the policy from being able to use/deny the services not allowed by the profile on the same WLAN.

When combining IPSK and Local Policies on the same WLAN the use cases can be unlimited and open to many different deployment scenarios.

For example on campus admin can configure a use case where students have to login with IPSK and then apply local policy that only those students belonging to the group Students can access specific applications at certain bandwidth on specific device and during specific time. There practically unlimited set of capabilities and tweaks available when combining the two.

Cisco currently offers a rich set of features which provide device identification,on boarding,posture,and policy,through ISE. This new feature on the WLC does the profiling of devices based on protocols such as HTTP, DHCP, and so on to identify the end devices on the network.The user can configure the device-based policies and enforce per user or per device policy on the network.The WLC will also display statistics based on per user or per device end points and policies applicable per device.

With BYOD (Bring your own device), this feature has an impact on understanding the different devices on the network. With this, BYOD can be implemented on a small scale within the WLC itself.

In this section, we will be configuring and implementing Profiling and Policy on a Cisco WLC running AireOS8.5 code.

The profiling and policy enforcement will be configured as two separate components. The configuration on theWLC is based on defined parameters specific to clients joining the network with IPSK security as configured in the previous sections. The policy attributes which are of interest are:

1. Role–Role defines the user type or the user group the user belongs to.

2. PSK-mode ASCII

   PSK-password–match of the specific PSK password with the device MAC address

   For example: Student or Employee

3. Device–Device defines the type of device.

   For example: Windows machine, Smart phone, Apple device such as iPad, iPhone and so on.

4. Time of day–Allows configuration to be defined at what time of the day end-points are allowed on the network.

The above parameters are configurable as policy match attributes. Once the WLC has a match corresponding to the above parameters per end-point,the policy enforcement comes into picture. Policy enforcement will be based on session attributes such as:

• VLAN

• ACL

• Session Timeout

• QoS

• Sleeping Client

• Flexconnect ACL

• AVC profile

• mDNS profile

• Open DNS profile

• Security Group Tag

The user can configure these policies and enforce end-points with specified policies.The wireless clients will be profiled based on the MAC address, MAC OUI, DHCP, and HTTP user agent (valid Internet required for successful HTTP profiling).The WLC uses these attributes and predefined classification profiles to identify the device.

• Controller that has Mac Filtering and AAA overide enabled with ISE configured, will allow IPSK configured devices connect to WLAN with MAC addresses configured on ISE.

• Devices with MAC addresses configured on ISE will not be able to connect to WLAN generic PSK but only with IPSK configured for that device.

• Devices with no-MAC addresses configured on ISE will be able to connect to WLAN with generic PSK only.

• IPSK supports Local Mode and Flexconnect Mode (Central Authentication & Local Switching).

• IPSK supports FSR and key caching is done fo faster roams to avoid RADIUS connect on every roam.

• To enable validity of the IPSK at certain scheduled times, the time schedule/validity can be exploited using radius session-timeout attribute in radius response.

config wlan mac-filtering enable <wlanId>
config wlan aaa-override enable <wlanId>
config wlan security wpa akm psk enable <wlanId>
config wlan security wpa akm psk set-key <ascii/hex> <key> <wlanId>

The existing show command would display the configuration of the WLAN and the client.

show wlan <wlanId>
show client detail <clientMac> 

This section of the Deployment guide introduces the IdentityPSK enhanced feature with P2P blocking/bridging and provides general guidelines for its deployment. The purpose of this document is to:

• Provide an overview of 8.8 Feature

• Highlight supported iPSK with P2P blocking Features

• Provide details on deploying and managing the 8.8 Feature

Requirements

This new feature will be supported on 1800, 2800 and 3800 Wave-2 APs and on the 3504, 5520 and 8540 controllers. This feature will be supported with IPv4 and IPv6 devices in Locally and Centrally Switched Modes.

With the advent of the internet of things, the number of devices that connect to the internet is increased multifold. Not all of these devices support 802.1x supplicant and need an alternate mechanism to connect to the internet. One of the security mechanisms, WPA-PSK could be considered as an alternative. With the current configuration, the pre-shared-key is the same for all clients that connect to the same WLAN. In certain deployments such as Educational Institutions, this results in the key being shared to unauthorized users resulting in a security breach. Therefore, above mentioned and other requirements leading to the need for provisioning unique pre-shared keys for different clients on a large scale.

• Identity PSKs are unique pre-shared keys created for individuals or groups of users on the same SSID.

• No complex configuration required for clients. The same simplicity of PSK, making it ideal for IoT, BYOD, and guest deployments.

• Supported on most devices, where 802.1X may not, enabling stronger security for IoT.

• Easily revoke access, for a single device or individual, without affecting everyone else.

• Thousands of keys can easily be managed and distributed via the AAA server.

• In release 8.8 IPv6 is supported

In release 8.8 the iPSK feature is enhanced with additional capabilities requested by customers. In some instances customers wish to prevent Client or IoT devices with different or same PSK keys on the same or different WLAN from talking to each other or bridging, in other words, configure peer-to-peer (P2P) blocking or bridging. This new differentiated service has been introduced in release 8.8.

Configuration options for peer to peer blocking:

• Drop: Drop peer to peer traffic (existing option)

• Disable: Bridge peer to peer traffic (existing option)

• Up Stream: Forward up peer to peer traffic (existing option)

• Allow Private Group: Bridge devices with same Tag ( new option)

iPSK P2P Blocking Solution for AP Central Switching

As indicated above, in release 8.8, a new enhanced iPSK option was added to allow iPSK devices to be bridged or blocked.

Scenario-1: If devices connected on the same WLAN and P2P Blocking is set to Allow-Private-Group – the devices will be able to communicate to each other and Bridged if the Tags are the same based on the configuration of the ISE Authorization Profiles.

Scenario-2: If the Tags are the different, based on ISE configuration of Authorization profiles, then the client devices are blocked and cannot communicate with each other.

The two Scenarios below illustrate the communication between two devices based on their assigned tags.