iPSK - 26.5+

NolanHerring
Kind of a big deal
24 Replies 24
NolanHerring
Kind of a big deal

Upgraded my lab to 26.5 just now and there she blows !

 

test22222.jpg

Nolan Herring | nolanwifi.com
TwitterLinkedIn
BrechtSchamp
Kind of a big deal

Nice! Thanks for the share @NolanHerring 

PhilipDAth
Kind of a big deal
Kind of a big deal

OMG.  This is going to be incredibly usefull.  I feel a whole lot of FreeRadius installs coming up.

peto
Getting noticed

upgraded -> configured -> working fine  with ISE 🙂

CptnCrnch
Kind of a big deal
Kind of a big deal

Thanks a lot for the share! Starting to like this one a lot currently.

 

From my point of view, one thing is half-way missing if you want to use group policies from that document. At least it's not shown:

 

"Creating Authorization Profiles for Each PSK with Group Policy Assignment

  1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles

  2. Click add and create at least 1 PSK Authorization Profile. In this example, PSK1 is used and 'PSK1' is returned as the dashboard group policy to apply to the client via Filter-ID."

 

In a nutshell, the attribute being used in the AuthZ Profile is "ACL (Filter-ID)"? Has somebody tested this?

 

EDIT: Found the answer here https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply...

CptnCrnch
Kind of a big deal
Kind of a big deal

OK guys, unfortunately I‘ll have to disturb again. Had the chance to play around with it and ran into an issue I‘m unable to solve currently:

 

  • Client is being authenticated by ISE, policy („Guest“) is correctly applied. At least I can see the 802.1x applied policy on the client detail page
  • Corresponding group policy contains a specific VLAN tag (Guest VLAN) as well as L3 firewall rules that prevent the client to access LAN segments
  • Although the client is successfully connected, DHCP (provided by an MX that‘s the default gateway for the Guest VLAN) isn‘t successful. Configuring a static IP leads to expected network connectivity though

 

As you can see, I‘m currently stuck with finding out why DHCP won‘t work in this case. Using the Guest VLAN directly, DHCP is working flawlessly. Any hints would be highly appreciated.

PhilipDAth
Kind of a big deal
Kind of a big deal

>Corresponding group policy contains a specific VLAN tag (Guest VLAN) as well as L3 firewall rules that prevent the client to access LAN segments

 

You can pass a VLAN tag, but you can not pass firewall rules.  You can pass Filter-Id to specify a group policy that contains firewall rules.

 

If you look at the dashboard, do they show as having been dropped into the correct VLAN?

CptnCrnch
Kind of a big deal
Kind of a big deal

Thanks for chiming in Philip!

 

Just to clarify: The Filter-ID attribute contains a specific Group Policy „Guest“. This group consists of firewall rules and is also passing the VLAN ID for the guest network. Isn‘t it meant to be this way?

 

However: looking at the dashboard, I can see the Group Policy is being applied by 802.1x for this client and also the VLAN is correct. As soon as I‘m manually configuring an IP address from the guest VLAN, everything starts working flawlessly as expected.

DHCP also doesn‘t work in this case if I‘m trying to manually renewing the IP in this case. Using the Guest SSID directly, DHCP works out of the box though.

 

EDIT: Strangely enough, using a „fresh“ SSID for that (same settings) everything works including DHCP. Guess I simply messed up somewhere else.

PhilipDAth
Kind of a big deal
Kind of a big deal

>Isn‘t it meant to be this way?

 

Yes that is a valid method.  Yes it sounds like something might be wrong with that specific SSID if creating a new one works.  Or maybe the AP needs a reboot ...

CptnCrnch
Kind of a big deal
Kind of a big deal

Please see above, my post was edited: using another SSID, everything worked out of the box. Great stuff! 😎

 

Thanks a lot for your help! 👍

 

 

MS gnome and MV gnome were here — they've been safely returned home!MS gnome and MV gnome were here — they've been safely returned home!

Complit
Getting noticed

How is it working exactly? You create a user in freeradius and gave the mac address with it. And then it returns an ipsk?

 

Do you know why meraki/cisco is using unique psk's based on radius instead of using the way ruckus/aerohive/cambium/mist is doing it? Then you don't need tbe radius.

 

We like to integrate the ipsk in our wiflex solution

Complit
Getting noticed

In beta version 27.1 you have the feature IPSK without radius. Very interesting. But I don't like the limit of 50 unique psk's per ssid.

 

BrechtSchamp
Kind of a big deal


@Complit wrote:

In beta version 27.1 you have the feature IPSK without radius. Very interesting. But I don't like the limit of 50 unique psk's per ssid.

 


I think it kinda makes sense. The built-in functionality is really for smaller deployments. Once you go higher, you want to take away the management of that to an external system, no?

Complit
Getting noticed

You could also use it for big companies, schools, healthcare (room area networks),.... We have created a solution (https://wiflex.eu) for onboarding employees based on Azure/Office365/Gsuite and unique psk's. We can assign dynamically vlans based on the security group in Azure/Office365/Gsuite. And if they leave the company we delete the unique psk password. You can use this also for big companies.

 

More and more companies and schools are moving to the cloud so they don't have any in house servers, so also no radius server. And the cloud radius solutions are very expensive.

 

And what about big iot deployments? 50 is not a lot.

 

We also have secure guest solutions where we need way more than 50 unique psk's.

 

Ajinks
Conversationalist

I very much like the iPSK without Radius feature, except for the 50 limit.... Especially with the new iOS14 and Android 10 private mac (https://support.apple.com/en-us/HT211227) features, it is very important not to have to use a radius implementation based on the client's mac which will soon be forever changing. The non-radius function is great, but  we frequently see the need for iPSK in areas like MDU/Schools/Hotels where clients want individual encryption and client segmentation (personal vlan, etc..) and in these scenarios a limit of 50 is WAY to low... we need like 1000+ usually. 

 

Curious to know if anyone has had discussions with Meraki MR PMs about such use cases and had any ideas from them?

PhilipDAth
Kind of a big deal
Kind of a big deal

>The non-radius function is great, but we frequently see the need for iPSK in areas like MDU/Schools/Hotels where clients want individual encryption and client segmentation (personal vlan, etc..) and in these scenarios a limit of 50 is WAY to low... we need like 1000+ usually. 

 

I can tell you how I handle these - I used group policy.  I either bridge the SSD to a non-existent VLAN, or a VLAN that goes nowhere.  You could also bridge it to a VLAN with a "block" group policy applied so it displays a message saying "Contact support on xxx-xxx-xxx to connect this device".

Then I use group policy to override the VLAN and place the device in the actual VLAN I want them to be in.

 

Splash Access make a great system for both Hotels and schools.  The School solution uses IPSK but includes a portal to allow students to self onboard devices (including PS4s, and other devices of theirs).

https://www.splashaccess.com/portfolio-item/private-psk-ipsk-cisco-meraki/ 

 

 

IMHO, these vertical markets are much better served using specialised solutions like Splash Access, rather than Meraki trying to build in support for every market vertical out there.

MrRoboto
New here

So if I have 1 PSK for 100 Chromebooks, that will work, but I can't have 100 unique PSK's. one for each Chromebook? Seems the language can be worded better in documentation. 

KarstenI
Kind of a big deal
Kind of a big deal


@MrRoboto wrote:

So if I have 1 PSK for 100 Chromebooks, that will work, but I can't have 100 unique PSK's. one for each Chromebook? Seems the language can be worded better in documentation. 


It depends. This discussion is talking about both iPSK with and without RADIUS. For iPSK with RADIUS you can have as many PSKs as you want. Just with "iPSK without RADIUS" you can "only" have 50 PSKs. And by the way, that's 10 times the amount of PSKs that can be configered on the Cisco Catalyst 9800 WLC ... 😉

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Complit
Getting noticed

The problem with ipsk and radius is that you need to assign a mac address to it. This can give a lot of problems with the mac randomisation that is standard  on the latest versions of Android and IOS.

KarstenI
Kind of a big deal
Kind of a big deal


@Complit wrote:

The problem with ipsk and radius is that you need to assign a mac address to it. This can give a lot of problems with the mac randomisation that is standard  on the latest versions of Android and IOS.


But this process always needs some form of "onboarding" and while that you can disable randomisation or tell the users to disable it. Yes, without randomisation it would be easier and some users will need more help to get to the network. But all in all, I don't see a big problem in that.

Did you have a worse experience with it?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Complit
Getting noticed

For byod purposes it brings a lot more work. You need to set up a free radius server and all your employees need to give in the mac addresses of all there devices + need to deactivate the mac randomisation. I see a lot of support tickets :-D. 

 

I don't understand why they limit the ipsk without mac on 50.

 

Other vendors can do 5000 or unlimited.

 

We have a solution linked to Azure/Office365 and Google Gsuite. They login, they get a ipsk/ppsk/dpsk in the right vlan. If they leave the company we delete the ipsk/ppsk/Dpsk. For easy onboarding we also create a qr code.

Ajinks
Conversationalist

Easy work around to this!

 

Just tell your RADIUS server to accept any mac address! There is no need to match the iPSK to a specific mac address, so just do a lookup to confirm the ipsk, not the mac address, and you are all set. This is actually how other vendors work in the background (Ruckus DPSK via Cloudpath, etc)

PhilipDAth
Kind of a big deal
Kind of a big deal

This example also shows how to specify a default PSK using FreeRadius.

https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication 

KarstenI
Kind of a big deal
Kind of a big deal

I think @Complit is talking about the "iPSK without RADIUS"-feature. There he wants to have more different PSKs as with RADIUS, he already could have 5000+ PSK now.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.