I had some time to take a dive into Identity PSK using a vWLC (8.5MR6) and Microsoft NPS as RADIUS backend (Windows 2012 R2). Not because I had a particular use case, but I wanted to see it working and get the NPS part working (most examples use ISE or FreeRADIUS).
This document was my starting point:
This guide assumes you have a WLC and an NPS server up and running. First add an extra SSID and follow the steps outlined in the Cisco guide:
- Create SSID
- Use PSK as authentication and enter the (main) PSK
- Enable MAC filtering
- Configure a RADIUS server
- Enable AAA override in the Advanced Tab
Log in to your Windows server and first add a user for the device you want to connect:
username : {MAC address} e.g. 0002abcd01ff
password : 0002abcd01ff
OK, now it gets tricky. The default password policy won't allow this as a password. In a lab it's not a problem to disable the password policy (it is configured at domain level, so it has quite an impact). For production networks I'd suggest using a separate stand-alone Windows DC with NPS.
Create a Windows Group for these devices and add the new user.
Open the NPS console and add a new Network Policy (assuming you already have a connection request policy and have added the WLC as a RADIUS client).
Primary Settings
Conditions
The client should be wireless and a member of the IOT group.
Constraints
Deselect every other authentication method and select only PAP.
Settings
Add vendor-specific RADIUS attributes:
Cisco-AV-Pair : psk-mode=ascii
Cisco-AV-Pair : psk={preshared key}
And that's it! If you want to use several PSKs, add another Network Policy, use a different group in the Conditions (with different members) and change the PSK RADIUS attribute under Settings. The AAA override allows the WLC to apply the PSK returned by RADIUS instead of the PSK you entered on the SSID.
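As an added example (not code from the original post, Cisco or Microsoft), here are the RADIUS pieces that make this work, in Python: the MAC-filtering Access-Request the WLC sends with the MAC as both User-Name and PAP-hidden User-Password (RFC 2865), and a parser that pulls the psk-mode/psk Cisco-AV-Pairs out of an Access-Accept. The shared secret, request authenticator and PSK value are constructed placeholders.

```python
import hashlib
import struct

CISCO_VENDOR_ID, CISCO_AVPAIR_SUBTYPE = 9, 1          # IANA enterprise number; Cisco-AV-Pair sub-type
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26   # RFC 2865 attribute types

def avp(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value
def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) wrapping one Cisco-AV-Pair, which is how NPS returns psk-mode/psk."""
    sub = struct.pack("!BB", CISCO_AVPAIR_SUBTYPE, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)
def hide_pap_password(pw: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 PAP hiding: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def unhide_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password: anyone holding the WLC/NPS shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
def ipsk_request_attrs(mac: str, secret: bytes, authenticator: bytes) -> bytes:
    """Attributes the WLC sends for MAC filtering over PAP: User-Name and User-Password are both the MAC."""
    return avp(USER_NAME, mac.encode()) + avp(USER_PASSWORD, hide_pap_password(mac.encode(), secret, authenticator))
def parse_cisco_avpairs(attrs: bytes) -> dict:
    """Walk an Access-Accept attribute list and collect key=value Cisco-AV-Pairs (psk-mode, psk, ...)."""
    pairs, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs): raise ValueError("malformed RADIUS attribute")
        value = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub = value[4:]
            while len(sub) >= 2 and sub[1] >= 2:          # sub-attribute: Type(1) Length(1) Value
                if sub[0] == CISCO_AVPAIR_SUBTYPE and b"=" in sub[2:sub[1]]:
                    key, val = sub[2:sub[1]].decode().split("=", 1)
                    pairs[key] = val
                sub = sub[sub[1]:]
        i += alen
    return pairs
# Constructed sample Access-Accept payload for the IoT policy (PSK value is a placeholder).
ACCEPT_ATTRS = cisco_avpair("psk-mode=ascii") + cisco_avpair("psk=iot-segment-psk")
```

Note that the PAP "password" here is just the MAC address, so the confidentiality of the exchange rests on the WLC/NPS shared secret and, for the returned PSK, on nothing beyond that hiding at all; keep the RADIUS path on a management network.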