Introduction:

Aruba MPSK (Multi Pre-Shared Key) was introduced in AOS 8.4.x. It lets a single WPA2-PSK SSID accept a different passphrase for each device: the controller MAC-authenticates the client against ClearPass, and ClearPass returns the passphrase the controller should use for that client's 4-way handshake. The traditional, per-device approach is well documented in the link below:

https://community.arubanetworks.com/t5/Security/Setting-up-MPSK-for-headless-IoT-devices/td-p/522858

Need for per-user MPSK:

We at Airowire Networks worked with a client in the co-working space business. They had no AD infrastructure and were not prepared to deploy one, given the constantly changing set of staff and tenant companies, so they wanted a single PSK per user that could be used on up to three of that user's devices.

The traditional MPSK approach issues a separate key per device, so on its own it could not meet this requirement. We therefore customized the workflow to the client's need.

Note: The client did not want captive-portal guest access with self-registration, since that would look like visitor access rather than an enterprise-grade solution for employees.

Workflow:

Pre-requisites:

Messaging setup must be configured on ClearPass, since the guest account credentials (and therefore the user's PSK) are delivered by email:

Location under Policy Manager: Administration –> External Servers –> Messaging Setup

Task 1:

Import the guest account(s) on ClearPass. Once a guest account is created, the user receives an email with the credentials. Keep in mind that the account password doubles as the user's Wi-Fi PSK: it must be a legal WPA2 passphrase (8 to 63 printable ASCII characters), and it should be randomly generated and long enough to resist offline cracking by anyone who captures one 4-way handshake on the MPSK SSID. The email that carries it is carrying a Wi-Fi key and should be treated accordingly.
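An added example (not from the original post and not ClearPass's own tooling) that generates passphrases meeting these constraints and prepares account rows for import. The CSV column names, the sample users and the 16-character length are assumptions for illustration; check the column names against the import template of your ClearPass Guest version.

```python
"""Added example, not from the original post or from ClearPass.

In this design the guest account password is also the user's Wi-Fi PSK, so it
must be a legal WPA2 passphrase and strong enough that an attacker who captures
one 4-way handshake on the MPSK SSID cannot recover it offline. A human-chosen
8-character password does not meet that bar; a 16-character random one from a
57-symbol alphabet (about 93 bits) does.
"""
import csv
import io
import math
import secrets
import string

# IEEE 802.11 passphrase rules: 8 to 63 characters, printable ASCII 0x20-0x7E.
MIN_LEN, MAX_LEN = 8, 63
PRINTABLE_ASCII = frozenset(chr(c) for c in range(0x20, 0x7F))

# The key is transcribed from an email into phones, so drop look-alike glyphs
# (0/O, 1/l/I) and keep it alphanumeric. 57 symbols remain.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def is_valid_wpa2_passphrase(pw: str) -> bool:
    """True if a WPA2-PSK supplicant and controller will both accept pw."""
    return MIN_LEN <= len(pw) <= MAX_LEN and all(ch in PRINTABLE_ASCII for ch in pw)


def passphrase_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random passphrase of this length over alphabet."""
    return length * math.log2(len(alphabet))


def generate_passphrase(length: int = 16) -> str:
    """Uniformly random passphrase from ALPHABET using the OS CSPRNG.

    `secrets` rather than `random`: a Mersenne Twister seeded from the clock
    is not a key generator.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    assert is_valid_wpa2_passphrase(pw)
    return pw


def build_import_rows(users, length: int = 16):
    """users: iterable of (username, email). Returns one dict per account.

    Column names (username, email, password, mac_address_1..3) are an
    assumption for illustration; match them to your ClearPass Guest import
    template. The MAC slots start empty and are filled by Device Registration.
    """
    rows = []
    for username, email in users:
        rows.append({
            "username": username,
            "email": email,
            "password": generate_passphrase(length),
            "mac_address_1": "",
            "mac_address_2": "",
            "mac_address_3": "",
        })
    return rows


def rows_to_csv(rows) -> str:
    """Serialise the rows for upload; treat the output file as key material."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample users for the demo; not real tenants.
SAMPLE_USERS = [("alice@tenant-a.example", "alice@tenant-a.example"),
                ("bob@tenant-b.example", "bob@tenant-b.example")]

if __name__ == "__main__":
    print(rows_to_csv(build_import_rows(SAMPLE_USERS)))
```

The alphabet is restricted for transcription, not for security; the length does the work. If users will never type the key by hand (for example because it is pushed by a profile), the full printable set and a longer key cost nothing.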

Task 2:

Create an SSID (Device Registration in this case) to which users connect and are then redirected to a captive portal page to enter the username and password they received. This SSID is used only to map the MAC addresses of the user's devices to the guest account, so that one password (which also serves as the PSK) covers all three devices. The user needs to do this once per device.

Note: MAC authentication must be enabled on this SSID, because the client MAC address learned here is what gets written into the guest account. Clients that randomize their MAC address per SSID (iOS 14 and later, Android 10 and later do so by default) will present a different address on the MPSK SSID than they did on Device Registration, so the mapping will not match unless randomization is turned off on the device for both SSIDs.

Enforcement policy configuration:

The enforcement policy consists of two rules:

The first rule checks whether the user has already reached the maximum number of devices (3 in this case). If so, we redirect them to a page informing them of this.

The second rule checks whether the user is logging in from a device that is already mapped to his/her guest account. If so, we redirect them to a page saying that the device is already registered and that they should connect to the Airowire_MPSK SSID using the guest account password as the PSK.

If the policy is evaluated first-match, the already-registered check should come before the device-count check (or the count rule should exclude MAC addresses already mapped to the account). Otherwise a user who has filled all three slots and reconnects one of those devices to Device Registration is told the limit is exceeded instead of being pointed to the MPSK SSID.

What the page looks like on the client device:

Task 3:

Create a service to map the MAC address(es) to the guest account already created for this user.

Enforcement policy configuration:

The enforcement policy in this service contains conditions that identify which of the three permitted MAC address slots (custom fields on the guest account, such as mac_address_1) is free, and update that slot with the connecting device's MAC address. If none of the slots is free, we redirect the user to a web page informing them that they have already reached the device limit of three (see the sample page above).

Task 4:

Create a service to return the MPSK for this user to the controller. This is the MAC authentication service for the Airowire_MPSK SSID: the controller sends the client's MAC address, ClearPass looks it up in the Guest Device Repository, and the enforcement profile returns the stored passphrase.

Service 3:

Enforcement policy configuration:

Enforcement profile:

[Registered Device MPSK]:

As we can see, the value field is grayed out and is hard-coded to fetch the value %{Authorization:[Guest Device Repository]:Device MPSK} from the Guest Device Repository. To pass this value on, we had to create a guest device for each registered MAC address, with the guest account password as its Device MPSK.
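To make the decisions in Task 2, Task 3 and Task 4 concrete, here is an added example that models them in plain Python. It is not code from the original post or from ClearPass: the guest account is a dict with fields mac_address_1 to mac_address_3 (mac_address_1 appears in the post; the other two names are assumed), the Guest Device Repository is a dict keyed by MAC address, and MAC addresses are normalised before every comparison so that the controller's format and the stored format cannot drift apart.

```python
"""Added example, not code from the original post or from ClearPass.

Models the enforcement decisions of this workflow in one place:
  * Task 2 rules: "device already registered" and "device limit reached"
  * Task 3: pick the free MAC slot and create the Guest Device
  * Task 4: return the MPSK for a MAC, or reject an unknown one
The guest account is a dict with custom fields mac_address_1..mac_address_3
(mac_address_1 appears in the post; the other two names are assumed). The
Guest Device Repository is a dict keyed by normalised MAC.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

MAX_DEVICES = 3
SLOT_FIELDS = [f"mac_address_{i}" for i in range(1, MAX_DEVICES + 1)]


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, no delimiters.

    Controllers, supplicants and admins write the same address as
    aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff. Comparing raw
    strings would let one device consume several slots and would make the
    Task 4 lookup miss. Normalise before every compare and every store.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Decision:
    action: str                  # "register" | "already_registered" | "limit_reached"
    slot: Optional[str] = None   # the field filled when action == "register"


def evaluate(account: Dict[str, str], client_mac: str) -> Decision:
    """The Task 2 / Task 3 policy logic for one login on Device Registration."""
    mac = normalize_mac(client_mac)
    filled = [f for f in SLOT_FIELDS if account.get(f)]
    registered = {normalize_mac(account[f]) for f in filled}
    # Order matters with first-match policies: test "already registered"
    # before the count. Reversed, a user whose three slots are full and who
    # reconnects one of those devices is told the limit is exceeded instead
    # of being sent to the MPSK SSID.
    if mac in registered:
        return Decision("already_registered")
    if len(filled) >= MAX_DEVICES:
        return Decision("limit_reached")
    free_slot = next(f for f in SLOT_FIELDS if f not in filled)
    return Decision("register", free_slot)


def register(account: Dict[str, str], guest_devices: Dict[str, dict],
             client_mac: str) -> Decision:
    """Apply the decision: fill the slot and create the Guest Device whose
    Device MPSK is the account password, which is what the
    [Registered Device MPSK] profile later returns for this MAC."""
    decision = evaluate(account, client_mac)
    if decision.action == "register":
        mac = normalize_mac(client_mac)
        account[decision.slot] = mac
        guest_devices[mac] = {"mpsk": account["password"], "owner": account["username"]}
    return decision


def mpsk_for(guest_devices: Dict[str, dict], client_mac: str) -> Optional[str]:
    """Task 4, the MAC-auth service on the MPSK SSID: the stored passphrase
    for a registered MAC, or None (Access-Reject) for anything else."""
    device = guest_devices.get(normalize_mac(client_mac))
    return device["mpsk"] if device else None


if __name__ == "__main__":
    # Constructed sample account and repository; not real data.
    acct = {"username": "alice", "password": "Kq7Vx2mRtP9sWz4N",
            "mac_address_1": "", "mac_address_2": "", "mac_address_3": ""}
    repo: Dict[str, dict] = {}
    for mac in ["AA:BB:CC:DD:EE:01", "aa-bb-cc-dd-ee-01", "aabb.ccdd.ee02",
                "AABBCCDDEE03", "AA:BB:CC:DD:EE:04"]:
        print(mac, register(acct, repo, mac))
    print("MPSK for ...ee02:", mpsk_for(repo, "aa:bb:cc:dd:ee:02"))
```

Two things the model makes visible that the GUI screenshots do not: the second login of an already-registered device must be recognised even when the controller formats the address differently from the stored value, and an unregistered MAC on the MPSK SSID gets no passphrase at all rather than a default one.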

Workflow (end-to-end):

1. Client connects to Device Registration.
2. The client is redirected to a web login page asking for username and password.
3. Client enters username and password and logs in successfully.
4. We redirect the user to the default destination page, which displays a message that registration was successful.
5. Under the guest account, the mac_address_1 field is now populated.
6. A new Guest Device is also created.
7. Guest connects to Airowire_MPSK with the same password.
8. Auth success.
9. The same procedure is followed on devices two and three. If attempted on a fourth device, the user is told that they have exceeded the device limit.