Have you ever heard statements like these from someone in your organization?
- “We need our own Wi-Fi network for this project, and with no security. It’s too difficult”
- “I really need these 100 Wi-Fi cameras on the network, preferably yesterday!”
- “I have 20 developers, who can’t get their iPhones on the internal network for testing. Also – what is 802.1x?”
If you are a network admin, I am sure you have heard a version of one or more of these statements before.
Managing the ever-increasing number of devices on your network is getting harder and consuming more time every day. Not all devices are created equal, and not all use-cases require the same level of security.
Some devices can do EAP-TLS over 802.1x with little effort. Others do not support 802.1x at all, and when they do, deploying and maintaining the certificates or credentials on them is a nightmare. Until now that has left only a few options for Wi-Fi:
- Open SSID with MAC validation
  - Easy to use, somewhat difficult to manage (or simply not managed), and insecure: a MAC address is trivially spoofed and the traffic is not encrypted.
- 802.1x SSID with EAP-TLS and/or PEAP authentication
  - Hard to implement, fairly difficult to manage, not supported by all devices, but every user or device gets its own credential and the security is strong (provided the clients actually validate the server certificate).
- Pre-shared key SSID
  - Easy to use, fairly simple to manage, supported by all devices, but there is only one key for everyone, so it is only sort of secure: anyone who holds the key can join as any device, and the key has to be changed everywhere whenever one device or person is no longer trusted.
While these all have their pros and cons, pre-shared key SSIDs are the option most of us use in some way, and most of us have more than one, for different use-cases. This option does not scale well, and assigning roles and rights to the devices on these networks is difficult, or at least not very granular.
This is where we think the "Identity PSK" feature introduced in Cisco Wireless LAN Controller software release 8.5 can bring something better to your solution. Identity PSK, or iPSK, gives you the flexibility of a single SSID for everything PSK-related while still having different keys and different rights on the network, all controlled from an authentication server such as Cisco Identity Services Engine (ISE).
Cisco iPSK in a nutshell:
- Single SSID, multiple keys, up to one per MAC address: the controller looks the connecting MAC address up in ISE (a MAC authentication lookup over RADIUS) and ISE returns the key that particular device must use, so each key is bound to an address. Devices that randomize their Wi-Fi MAC address need that feature turned off for this SSID, or their key will stop matching.
- Grouping of MAC addresses, with one key per group
- Assignment of network access rights as in an 802.1x solution: VLANs, ACLs, SGTs, bandwidth controls and so on
In most cases this combination allows us to end up with only 3 SSIDs:
- One for 802.1x
- One for Guest (OPEN)
- One for iPSK
Managing these devices obviously won't be a small task, as every device will need to be registered in some way to get its own pre-shared key. Some ways to manage this could be:
- Build a simple web portal for users or IT, extend ISE with an endpoint custom attribute that holds the pre-shared key, and use the ISE REST API (ERS) to create, update and delete the endpoints.
- Use an external SQL database through the ISE ODBC integration: store your endpoints there, have ISE use that database as its authentication store, and possibly also manage the grouping of MAC addresses for rights assignment there.
- Use the Device Registration portal in ISE, so users log in with their AD credentials and register their own devices, or the devices they will be responsible for.
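The first option, a portal that registers endpoints through ERS, is the one most often built in-house, so here is an added example of its core logic. This is illustration code written for this page, not Conscia's portal and not Cisco's API client. It assumes (labelled in the comments) that ERS is enabled on ISE port 9060, that an endpoint custom attribute named `iPSK` has already been defined in ISE and is what the authorization profile returns as the device's key, and that the endpoint identity group ID has been looked up beforehand. The field names follow the ERS `ERSEndPoint` schema as documented for ISE 2.x; verify them against your own version's ERS SDK page. It also shows two checks a practitioner wants before handing out a key: normalizing the MAC into the form ISE stores, and refusing a locally administered (randomized) MAC, since a key bound to such an address stops working the next time the phone changes it.

```python
"""Onboard a Wi-Fi device for Cisco iPSK through the ISE ERS REST API.

Added example, not Conscia's portal code.  Assumptions (see comments):
ERS enabled on :9060, a custom endpoint attribute "iPSK" defined in ISE,
and a known endpoint identity group ID.
"""
import base64
import json
import re
import secrets
import string
import urllib.request

# Letters and digits only: some IoT device UIs reject punctuation in a PSK.
PSK_ALPHABET = string.ascii_letters + string.digits
PSK_LENGTH = 20  # WPA2-Personal allows 8..63 ASCII chars; 20 random alnum chars is ~119 bits

_MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    and return AA:BB:CC:DD:EE:FF, the form ISE stores and matches on."""
    hexonly = re.sub(r"[:\-.]", "", raw).upper()
    if not _MAC_RE.match(hexonly):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. a randomized
    or otherwise locally administered address rather than a burned-in one."""
    return int(mac[0:2], 16) & 0x02 != 0


def generate_psk(length=PSK_LENGTH):
    """Cryptographically random per-device key within the WPA2 PSK length limits."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 PSK must be 8-63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def build_endpoint_payload(mac, psk, group_id, description=""):
    """ERS EndPoint body.  The nested customAttributes key "iPSK" is an assumption:
    it must match the custom attribute you defined in ISE."""
    mac = normalize_mac(mac)
    if is_locally_administered(mac):
        raise ValueError(f"{mac} is a locally administered (randomized) MAC; "
                         "register the device's hardware address instead")
    return {
        "ERSEndPoint": {
            "mac": mac,
            "description": description,
            "groupId": group_id,               # hypothetical group ID, looked up earlier
            "staticGroupAssignment": True,     # pin the device to that group
            "customAttributes": {"customAttributes": {"iPSK": psk}},
        }
    }


def build_ers_request(host, username, password, payload, port=9060):
    """Build (without sending) the POST to /ers/config/endpoint with ERS basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        url=f"https://{host}:{port}/ers/config/endpoint",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"},
    )


def onboard(host, username, password, mac, group_id, description="", send=False):
    """Generate a key and register the endpoint.  Returns (normalized_mac, psk).
    With send=False only the request object is built, so this runs offline."""
    psk = generate_psk()
    payload = build_endpoint_payload(mac, psk, group_id, description)
    req = build_ers_request(host, username, password, payload)
    if send:
        with urllib.request.urlopen(req, timeout=10) as resp:  # ERS answers 201 Created
            if resp.status != 201:
                raise RuntimeError(f"ERS returned HTTP {resp.status}")
    return payload["ERSEndPoint"]["mac"], psk


if __name__ == "__main__":
    # Constructed sample input: a camera's hardware MAC and a made-up group ID.
    mac, psk = onboard("ise.example.internal", "ersadmin", "ers-password",
                       "00-11-22-33-44-55", "a1b2c3d4-0000-0000-0000-000000000000",
                       "Lobby camera 1", send=False)
    print(f"Registered {mac}; key {psk} (deliver it to the device owner out of band)")
```

Run it with `send=True` against a real ISE node and an ERS admin account to actually create the endpoint; the key is never stored by the script, only returned once, so the portal in front of this has to show or deliver it to the person onboarding the device.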
All of these options give you an easily managed solution that offers a fairly high level of security, with the flexibility and interoperability your network needs today.
It lets you grant someone the right to onboard devices themselves, removing that time-consuming task from IT while still tracking who onboards what, and when.
If you are interested in this topic, please contact your account manager. We are also currently working on a portal for the onboarding process. Let us know if you would like a demo.
By Jan Frank Nielsen, Systems Engineer, Conscia
Jan Frank Nielsen is a qualified data mechanic and started out working with WAN technology and classic routing and switching. Since then Jan has moved over to network security, where he has been working for a number of years with identity and rights management (IBNS) in connection with Cisco ISE. Jan often participates in testing new Cisco ISE functionality prior to release, and also works with programmatic access to modern networks. In addition, Jan has significant experience with Cisco Firepower, Cisco ASA and Cisco VPN technologies such as DMVPN, GETVPN, AnyConnect (SSL VPN) and L2L IPsec.