
iPSK - 26.5+

Kind of a big deal
Kind of a big deal

Re: iPSK - 26.5+

Upgraded my lab to 26.5 just now and there she blows !

 


Nolan Herring | nolanwifi.com
Kind of a big deal

Re: iPSK - 26.5+

Nice! Thanks for the share @NolanHerring 

Kind of a big deal

Re: iPSK - 26.5+

OMG. This is going to be incredibly useful. I feel a whole lot of FreeRADIUS installs coming up.

Getting noticed

Re: iPSK - 26.5+

upgraded -> configured -> working fine with ISE 🙂

Kind of a big deal

Re: iPSK - 26.5+

Thanks a lot for the share! Starting to like this one a lot currently.

 

From my point of view, one thing is half-way missing if you want to use group policies from that document. At least it's not shown:

 

"Creating Authorization Profiles for Each PSK with Group Policy Assignment

  1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles

  2. Click add and create at least 1 PSK Authorization Profile. In this example, PSK1 is used and 'PSK1' is returned as the dashboard group policy to apply to the client via Filter-ID."

 

In a nutshell, the attribute being used in the AuthZ Profile is "ACL (Filter-ID)"? Has somebody tested this?

 

EDIT: Found the answer here https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply...

Kind of a big deal

Re: iPSK - 26.5+

OK guys, unfortunately I'll have to disturb again. Had the chance to play around with it and ran into an issue I'm unable to solve currently:

 

  • Client is being authenticated by ISE, policy ("Guest") is correctly applied. At least I can see the 802.1x applied policy on the client detail page
  • Corresponding group policy contains a specific VLAN tag (Guest VLAN) as well as L3 firewall rules that prevent the client from accessing LAN segments
  • Although the client is successfully connected, DHCP (provided by an MX that's the default gateway for the Guest VLAN) isn't successful. Configuring a static IP leads to expected network connectivity though

 

As you can see, I'm currently stuck with finding out why DHCP won't work in this case. Using the Guest VLAN directly, DHCP is working flawlessly. Any hints would be highly appreciated.

Kind of a big deal

Re: iPSK - 26.5+

>Corresponding group policy contains a specific VLAN tag (Guest VLAN) as well as L3 firewall rules that prevent the client from accessing LAN segments

 

You can pass a VLAN tag, but you cannot pass firewall rules. You can pass Filter-Id to specify a group policy that contains firewall rules.

 

If you look at the dashboard, do they show as having been dropped into the correct VLAN?

Kind of a big deal

Re: iPSK - 26.5+

Thanks for chiming in Philip!

 

Just to clarify: The Filter-ID attribute contains a specific Group Policy "Guest". This group consists of firewall rules and is also passing the VLAN ID for the guest network. Isn't it meant to be this way?

 

However: looking at the dashboard, I can see the Group Policy is being applied by 802.1x for this client and also the VLAN is correct. As soon as I'm manually configuring an IP address from the guest VLAN, everything starts working flawlessly as expected.

DHCP also doesn't work in this case if I try to manually renew the IP. Using the Guest SSID directly, DHCP works out of the box though.

 

EDIT: Strangely enough, using a "fresh" SSID for that (same settings) everything works including DHCP. Guess I simply messed up somewhere else.

Kind of a big deal

Re: iPSK - 26.5+

>Isn't it meant to be this way?

 

Yes, that is a valid method. Yes, it sounds like something might be wrong with that specific SSID if creating a new one works. Or maybe the AP needs a reboot ...

Kind of a big deal

Re: iPSK - 26.5+

Please see above, my post was edited: using another SSID, everything worked out of the box. Great stuff! 😎

 

Thanks a lot for your help! 👍

 

 

MS gnome and MV gnome were here — they've been safely returned home!

Getting noticed

Re: iPSK - 26.5+

How is it working exactly? You create a user in FreeRADIUS and give the MAC address with it. And then it returns an iPSK?

 

Do you know why Meraki/Cisco is using unique PSKs based on RADIUS instead of using the way Ruckus/Aerohive/Cambium/Mist is doing it? Then you don't need the RADIUS.

 

We would like to integrate iPSK into our Wiflex solution.

Getting noticed

Re: iPSK - 26.5+

In beta version 27.1 you have the feature iPSK without RADIUS. Very interesting. But I don't like the limit of 50 unique PSKs per SSID.

 

Kind of a big deal

Re: iPSK - 26.5+


@Complit wrote:

In beta version 27.1 you have the feature iPSK without RADIUS. Very interesting. But I don't like the limit of 50 unique PSKs per SSID.

 


I think it kinda makes sense. The built-in functionality is really for smaller deployments. Once you go higher, you want to take away the management of that to an external system, no?

Getting noticed

Re: iPSK - 26.5+

You could also use it for big companies, schools, healthcare (room area networks), etc. We have created a solution (https://wiflex.eu) for onboarding employees based on Azure/Office365/Gsuite and unique PSKs. We can dynamically assign VLANs based on the security group in Azure/Office365/Gsuite. And if they leave the company we delete the unique PSK password. You can use this also for big companies.

 

More and more companies and schools are moving to the cloud so they don't have any in-house servers, so also no RADIUS server. And the cloud RADIUS solutions are very expensive.

 

And what about big iot deployments? 50 is not a lot.

 

We also have secure guest solutions where we need way more than 50 unique PSKs.

 

Conversationalist

Re: iPSK - 26.5+

I very much like the iPSK without RADIUS feature, except for the 50 limit.... Especially with the new iOS 14 and Android 10 private MAC (https://support.apple.com/en-us/HT211227) features, it is very important not to have to use a RADIUS implementation based on the client's MAC, which will soon be forever changing. The non-RADIUS function is great, but we frequently see the need for iPSK in areas like MDU/Schools/Hotels where clients want individual encryption and client segmentation (personal VLAN, etc.) and in these scenarios a limit of 50 is WAY too low... we need like 1000+ usually.

 

Curious to know if anyone has had discussions with Meraki MR PMs about such use cases and had any ideas from them?

Kind of a big deal

Re: iPSK - 26.5+

>The non-RADIUS function is great, but we frequently see the need for iPSK in areas like MDU/Schools/Hotels where clients want individual encryption and client segmentation (personal VLAN, etc.) and in these scenarios a limit of 50 is WAY too low... we need like 1000+ usually.

 

I can tell you how I handle these - I use group policy. I either bridge the SSID to a non-existent VLAN, or a VLAN that goes nowhere. You could also bridge it to a VLAN with a "block" group policy applied so it displays a message saying "Contact support on xxx-xxx-xxx to connect this device".

Then I use group policy to override the VLAN and place the device in the actual VLAN I want them to be in.

 

Splash Access makes a great system for both hotels and schools. The school solution uses iPSK but includes a portal to allow students to self-onboard devices (including PS4s and other devices of theirs).

https://www.splashaccess.com/portfolio-item/private-psk-ipsk-cisco-meraki/ 

 

 

IMHO, these vertical markets are much better served using specialised solutions like Splash Access, rather than Meraki trying to build in support for every market vertical out there.

New here

Re: iPSK - 26.5+

So if I have 1 PSK for 100 Chromebooks, that will work, but I can't have 100 unique PSKs, one for each Chromebook? Seems the language could be worded better in the documentation.

Head in the Cloud

Re: iPSK - 26.5+


@MrRoboto wrote:

So if I have 1 PSK for 100 Chromebooks, that will work, but I can't have 100 unique PSKs, one for each Chromebook? Seems the language could be worded better in the documentation.


It depends. This discussion is talking about both iPSK with and without RADIUS. For iPSK with RADIUS you can have as many PSKs as you want. Just with "iPSK without RADIUS" you can "only" have 50 PSKs. And by the way, that's 10 times the amount of PSKs that can be configured on the Cisco Catalyst 9800 WLC ... 😉

Getting noticed

Re: iPSK - 26.5+

The problem with iPSK and RADIUS is that you need to assign a MAC address to it. This can give a lot of problems with the MAC randomisation that is standard on the latest versions of Android and iOS.

Head in the Cloud

Re: iPSK - 26.5+


@Complit wrote:

The problem with iPSK and RADIUS is that you need to assign a MAC address to it. This can give a lot of problems with the MAC randomisation that is standard on the latest versions of Android and iOS.


But this process always needs some form of "onboarding", and during that you can disable randomisation or tell the users to disable it. Yes, without randomisation it would be easier, and some users will need more help to get onto the network. But all in all, I don't see a big problem in that.

Did you have a worse experience with it?

Getting noticed

Re: iPSK - 26.5+

For BYOD purposes it brings a lot more work. You need to set up a FreeRADIUS server and all your employees need to enter the MAC addresses of all their devices + need to deactivate the MAC randomisation. I see a lot of support tickets :-D.

 

I don't understand why they limit iPSK without MAC to 50.

 

Other vendors can do 5000 or unlimited.

 

We have a solution linked to Azure/Office365 and Google Gsuite. They log in, they get an iPSK/PPSK/DPSK in the right VLAN. If they leave the company we delete the iPSK/PPSK/DPSK. For easy onboarding we also create a QR code.

Conversationalist

Re: iPSK - 26.5+

Easy work around to this!

 

Just tell your RADIUS server to accept any MAC address! There is no need to match the iPSK to a specific MAC address, so just do a lookup to confirm the iPSK, not the MAC address, and you are all set. This is actually how other vendors work in the background (Ruckus DPSK via Cloudpath, etc.)

Kind of a big deal

Re: iPSK - 26.5+

This example also shows how to specify a default PSK using FreeRADIUS.

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication 
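Added example (not from this thread, Meraki or FreeRADIUS): a small Python model of the MAC-keyed lookup a RADIUS server does for iPSK with RADIUS, covering the "accept any MAC" / default-PSK idea from the two posts above and the MAC-randomisation problem raised earlier. Filter-Id is the group-policy attribute named in the thread; that the PSK travels in Tunnel-Password is an assumption, as are the device table and secrets, which are constructed.

```python
from typing import Optional

# Constructed per-device table, keyed by the MAC the AP sends in the Access-Request.
# Tunnel-Password carrying the PSK is an assumption; Filter-Id is the group policy.
DEVICES = {
    "00:11:22:33:44:55": {"Tunnel-Password": "chromebook-42-secret", "Filter-Id": "Students"},
    "a4:5e:60:12:34:56": {"Tunnel-Password": "guest-tablet-secret", "Filter-Id": "Guest"},
}
# Catch-all entry, i.e. the "default PSK" for MACs that are not registered.
DEFAULT_ENTRY = {"Tunnel-Password": "shared-default-secret", "Filter-Id": "Restricted"}


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02) of the first octet is set. iOS and Android
    private addresses are locally administered, so a set bit is a cheap hint that
    the MAC seen will not be the one the user registered during onboarding."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def authorize(mac: str, use_default: bool = True) -> Optional[dict]:
    """Model of the Access-Request handling: look the MAC up, optionally fall back
    to DEFAULT_ENTRY, otherwise reject (None). The reply also flags a suspected
    randomised MAC so the server can log it for the helpdesk."""
    mac = mac.lower()
    entry = DEVICES.get(mac)
    if entry is None and use_default:
        entry = DEFAULT_ENTRY
    if entry is None:
        return None  # Access-Reject
    return {**entry, "randomised_mac_suspected": is_locally_administered(mac)}


def handshake_succeeds(mac: str, psk_client_uses: str, use_default: bool = True) -> bool:
    """The AP validates the client's 4-way handshake against whatever PSK RADIUS
    returned. A device that joined with its individual PSK therefore fails as soon
    as its (randomised) MAC misses the table and the default PSK is returned."""
    reply = authorize(mac, use_default)
    return reply is not None and reply["Tunnel-Password"] == psk_client_uses
```

The default entry keeps unregistered devices on the air but only with the shared PSK and the restricted group policy; it does not recover a device's individual PSK once its MAC has changed.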

Head in the Cloud

Re: iPSK - 26.5+

I think @Complit is talking about the "iPSK without RADIUS" feature. There he wants to have more different PSKs than with RADIUS, where he could already have 5000+ PSKs now.
