privatepsk · privatepsk •informationaboutprivatepresharedkey,onpage1...

Click here to load reader

Post on 25-Mar-2020

2 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • Private Shared Key

    • Information About Private Preshared Key, on page 1• Configuring a PSK in a WLAN (CLI), on page 2• Configuring a PSK in a WLAN (GUI), on page 3• Applying a Policy Profile to a WLAN (GUI), on page 3• Applying a Policy Profile to a WLAN (CLI), on page 3• Verifying a Private PSK, on page 4

    Information About Private Preshared KeyWith the advent of Internet of Things (IoT), the number of devices that connect to the internet has increasedmultifold. Not all of these devices support the 802.1x supplicant and need an alternate mechanism to connectto the internet. One of the security mechanisms, WPA-PSK, could be considered as an alternative. With thecurrent configuration, the PSK is the same for all the clients that connect to the same WLAN. In certaindeployments, such as educational institutions, this results in the key being shared to unauthorized users leadingto security breach. This necessitates the need to provision unique PSKs for different clients on a large scale.

    Identity PSKs are unique PSKs created for individuals or groups of users on the same SSID. No complexconfiguration is required for the clients. It provides the same simplicity of PSK, making it ideal for IoT, Bringyour own device (BYOD), and guest deployments.

    Identity PSKs are supported on most devices, in which 802.1X is not, enabling stronger security for IoT. Itis possible to easily revoke access, for a single device or individual without affecting everyone else. Thousandsof keys can easily be managed and distributed through the AAA server.

    IPSK Solution

    During client authentication, the AAA server authorizes the client MAC address and sends the passphrase (ifconfigured) as part of the Cisco-AV pair list. The Cisco Wireless Controller (WLC) receives this as part ofthe RADIUS response and processes this further for the computation of PSKs.

    When a client sends an association request to the SSID broadcast by the corresponding access point, thecontroller forms the RADIUS request packet with the particular mac address of the client and relays to theRADIUS server.

    The RADIUS server performs the authentication and checks whether the client is allowed or not and sendseither ACCESS-ACCEPT or ACCESS-REJECT as response to the WLC.

    Private Shared Key1

  • To support Identity PSKs, in addition to sending the authentication response, the authentication server alsoprovides the AV pair passphrase for this specific client. This is used for the computation of the PMK.

    The RADIUS server might also provide additional parameters, such as username, VLAN, Quality of Service(QoS), and so on, in the response, that is specific to this client. For multiple devices owned by a single user,the passphrase can remain the same.

    Configuring a PSK in a WLAN (CLI)Follow the procedure given below to configure a PSK in a WLAN:

    Before you begin

    • Security should be configured for a pre-shared key (PSK) in a WLAN.

    • If there is no override from the AAA server, the value on the corresponding WLAN is considered forauthentication.

    • In Federal Information Processing Standard (FIPS) and common criteria mode, ensure that the PSKWLAN has a minimum of 15 ASCII characters, else APs won't join the controller.

    Procedure

    PurposeCommand or Action

    Enters global configuration mode.configure terminal

    Example:

    Step 1

    Device# configure terminal

    Configures the WLAN and SSID.wlan wlan-name wlan-id ssid

    Example:

    Step 2

    Device(config)# wlan test-profile 4 abc

    Disables security AKM for dot1x.no security wpa akm dot1x

    Example:

    Step 3

    Device(config-wlan)# no security wpa akmdot1x

    Configures the security type PSK.security wpa akm psk

    Example:

    Step 4

    Device(config-wlan)# security wpa akmpsk

    Configures the PSK authenticated keymanagement (AKM) shared key.

    security wpa akm psk set-key ascii/hex key

    Example:

    Step 5

    Device(config-wlan)# security wpa akmpsk set-key asci 0

    Private Shared Key2

    Private Shared KeyConfiguring a PSK in a WLAN (CLI)

  • PurposeCommand or Action

    Configures PSK support.security wpa akm psk

    Example:

    Step 6

    Device(config-wlan)# security wpa akmpsk

    Specifies MAC filtering in a WLAN.mac-filtering auth-list-name

    Example:

    Step 7

    Device(config-wlan)# mac-filtering test1

    Configuring a PSK in a WLAN (GUI)Procedure

    Step 1 Choose Configuration > Tags & Profiles >WLANs.Step 2 On theWireless Networks page, click Security tab.Step 3 In the Layer 2 window that is displayed, go to theWPA Parameters section.Step 4 From the Auth Key Mgmt drop-down, select PSK.Step 5 Click Save & Apply to Device.

    Applying a Policy Profile to a WLAN (GUI)Procedure

    Step 1 Choose Configuration > Tags & Profiles > Tags.Step 2 On theManage Tags page, click Policy tab.Step 3 Click Add to view the Add Policy Tag window.Step 4 Enter a name and description for the policy tag.Step 5 Click Add to map WLAN and policy.Step 6 Choose the WLAN profile to map with the appropriate policy profile, and click the tick icon.Step 7 Click Save & Apply to Device.

    Applying a Policy Profile to a WLAN (CLI)Follow the procedure given below to a apply policy profile to a WLAN:

    Private Shared Key3

    Private Shared KeyConfiguring a PSK in a WLAN (GUI)

  • Procedure

    PurposeCommand or Action

    Enters global configuration mode.configure terminal

    Example:

    Step 1

    Device# configure terminal

    Configures the default policy profile.wireless profile policy policy-profile-name

    Example:

    Step 2

    Device(config)# wireless profile policypolicy-iot

    Configures AAA override to apply policiescoming from the AAA server or ISE the CiscoIdentify Services Engine (ISE) server.

    aaa-override

    Example:Device(config-wireless-policy)#aaa-override

    Step 3

    Verifying a Private PSKUse the following show commands to verify the configuration of a WLAN and a client:Device# show wlan id 2

    WLAN Profile Name : test_ppsk================================================Identifier : 2Network Name (SSID) : test_ppskStatus : EnabledBroadcast SSID : EnabledUniversal AP Admin : DisabledMax Associated Clients per WLAN : 0Max Associated Clients per AP per WLAN : 0Max Associated Clients per AP Radio per WLAN : 0Number of Active Clients : 0Exclusionlist Timeout : 60CHD per WLAN : EnabledInterface : defaultMulticast Interface : UnconfiguredWMM : AllowedWifiDirect : InvalidChannel Scan Defer Priority:Priority (default) : 4Priority (default) : 5Priority (default) : 6

    Scan Defer Time (msecs) : 100Media Stream Multicast-direct : DisabledCCX - AironetIe Support : EnabledCCX - Diagnostics Channel Capability : DisabledPeer-to-Peer Blocking Action : DisabledRadio Policy : AllDTIM period for 802.11a radio : 1DTIM period for 802.11b radio : 1Local EAP Authentication : DisabledMac Filter Authorization list name : test1

    Private Shared Key4

    Private Shared KeyVerifying a Private PSK

  • Accounting list name : Disabled802.1x authentication list name : DisabledSecurity

    802.11 Authentication : Open SystemStatic WEP Keys : Disabled802.1X : DisabledWi-Fi Protected Access (WPA/WPA2) : Enabled

    WPA (SSN IE) : DisabledWPA2 (RSN IE) : Enabled

    TKIP Cipher : DisabledAES Cipher : Enabled

    Auth Key Management802.1x : DisabledPSK : EnabledCCKM : DisabledFT dot1x : DisabledFT PSK : DisabledPMF dot1x : DisabledPMF PSK : Disabled

    CCKM TSF Tolerance : 1000FT Support : Disabled

    FT Reassociation Timeout : 20FT Over-The-DS mode : Enabled

    PMF Support : DisabledPMF Association Comeback Timeout : 1PMF SA Query Time : 200

    Web Based Authentication : DisabledConditional Web Redirect : DisabledSplash-Page Web Redirect : DisabledWebauth On-mac-filter Failure : DisabledWebauth Authentication List Name : DisabledWebauth Parameter Map : DisabledTkip MIC Countermeasure Hold-down Timer : 60

    Call Snooping : DisabledPassive Client : DisabledNon Cisco WGB : DisabledBand Select : DisabledLoad Balancing : DisabledMulticast Buffer : DisabledMulticast Buffer Size : 0IP Source Guard : DisabledAssisted-Roaming

    Neighbor List : DisabledPrediction List : DisabledDual Band Support : Disabled

    IEEE 802.11v parametersDirected Multicast Service : DisabledBSS Max Idle : Disabled

    Protected Mode : DisabledTraffic Filtering Service : DisabledBSS Transition : Enabled

    Disassociation Imminent : DisabledOptimised Roaming Timer : 40Timer : 200

    WNM Sleep Mode : Disabled802.11ac MU-MIMO : Disabled

    Device# show wireless client mac-address a886.adb2.05f9 detail

    Client MAC Address : a886.adb2.05f9Client IPv4 Address : 9.9.58.246Client Username : A8-86-AD-B2-05-F9AP MAC Address : c025.5c55.e400

    Private Shared Key5

    Private Shared KeyVerifying a Private PSK

  • AP Name: saurabh-3600AP slot : 1Client State : AssociatedPolicy Profile : default-policy-profileFlex Profile : default-flex-profileWireless LAN Id : 6Wireless LAN Name: SSS_PPSKBSSID : c025.5c55.e40fConnected For : 280 secondsProtocol : 802.11n - 5 GHzChannel : 60Client IIF-ID : 0xa0000001Association Id : 1Authentication Algorithm : Open SystemClient CCX version : No CCX supportSession Timeout : 320 sec (Remaining time: 40 sec)Input Policy Name :Input Policy State : NoneInput Policy Source : NoneOutput Policy Name :Output Policy State : NoneOutput Policy Source : NoneWMM Support : EnabledU-APSD Support : EnabledU-APSD value : 0APSD ACs : BK, BE, VI, VO

    Fastlane Support : DisabledPower Save : OFFCurrent Rate : m22Supported Rates : 9.0,18.0,36.0,48.0,54.0Mobility:Move Count : 0Mobility Role : LocalMobility Roam Type : NoneMobility Complete Timestamp : 09/27/2017 16:32:25 IST

    Policy Manager State: RunNPU Fast Fast Notified : NoLast Policy Manager State : IP Learn CompleteClient Entry Create Time : 280 secondsPolicy Type : WPA2Encryption Cipher : CCMP (AES)Authentication Key Management : PSKAAA override passphrase: YesManagement Frame Protection : NoProtected Management Frame - 802.11w : NoEAP Type : Not ApplicableVLAN : 58Access VLAN : 58Anchor VLAN : 0WFD capable : NoManged WFD capable : NoCross Connection capable : NoSupport Concurrent Operation : NoSession Manager:Interface : capwap_90000005IIF ID : 0x90000005Device Type : Apple-DeviceProtocol Map : 0x000001Authorized : TRUESession timeout : 320Common Session ID: 1F3809090000005DC30088EAAcct Session ID : 0x00000000Auth Method Status List

    Method : MAB

    Private Shared Key6

    Private Shared KeyVerifying a Private PSK

  • SM State : TERMINATEAuthen Status : Success

    Local Policies:Service Template : wlan_svc_default-policy-profile (priority 254)

    Absolute-Timer : 320VLAN : 58

    Server Policies:Resultant Policies:

    VLAN : 58Absolute-Timer : 320

    Client CapabilitiesCF Pollable : Not implementedCF Poll Request : Not implementedShort Preamble : Not implementedPBCC : Not implementedChannel Agility : Not implementedListen Interval : 0

    Fast BSS Transition Details :Reassociation Timeout : 0

    11v BSS Transition : Not implementedFlexConnect Data Switching : LocalFlexConnect Dhcp Status : LocalFlexConnect Authentication : CentralFlexConnect Central Association : NoClient Statistics:

    Number of Bytes Received : 59795Number of Bytes Sent : 21404Number of Packets Received : 518Number of Packets Sent : 274Number of EAP Id Request Msg Timeouts :Number of EAP Request Msg Timeouts :Number of EAP Key Msg Timeouts :Number of Policy Errors : 0Radio Signal Strength Indicator : -32 dBmSignal to Noise Ratio : 58 dB

    Fabric status : Disabled

    Private Shared Key7

    Private Shared KeyVerifying a Private PSK

  • Private Shared Key8

    Private Shared KeyVerifying a Private PSK

    Private Shared KeyInformation About Private Preshared KeyConfiguring a PSK in a WLAN (CLI)Configuring a PSK in a WLAN (GUI)Applying a Policy Profile to a WLAN (GUI)Applying a Policy Profile to a WLAN (CLI)Verifying a Private PSK