Identity PSK with Cisco Secure ACS

Overview

One of the features introduced with AireOS 8.5 for the Cisco Wireless LAN Controller (WLC) is Identity PSK (IPSK).  IPSK allows each wireless client device to have its own, unique PSK, which increases the security of the network, as a compromised key cannot be used to connect another wireless client device to the network (providing that each device uses a unique PSK).

Cisco provides an Identity PSK Feature Deployment Guide; however, this guide only covers the RADIUS configuration for the Cisco Identity Services Engine (ISE).  As discussed in the guide, other RADIUS servers are supported, including Cisco Secure ACS.

Configuration Steps in Cisco Secure ACS

Because some customers are still running Cisco Secure ACS, this guide focuses on the configuration of Cisco Secure ACS.  The version used in this example is 5.8.0.32.9.

Step 1  (Optional)

The first step is to create an Identity Group to group all of the IPSK devices.  This step is not necessary for enabling IPSK functionality, however it is recommended, as these groups can be used to create custom policies based upon the group membership of the device.

1. Navigate to Users and Identity Stores > Identity Groups
2. Click the Create button
3. Enter a Name for the Identity Group
4. (Optional) Enter a Description for the Identity Group
5. Click the Select button and choose the Parent group
6. Click the Submit button to create the Identity Group

Step 2

Next, enter the MAC addresses of the device that will be using an IPSK.

1. Navigate to Users and Identity Stores > Internal Identity Stores > Hosts
2. Click the Create button
3. Enter the MAC Address using the format: AA-BB-CC-DD-EE-FF
4. Leave the Status set to Enabled
5. (Optional) Enter a Description of the device
6. Select an Identity Group (such as one you created in the previous step), or leave this set to the default of All Groups
7. Click the Submit button to create the Internal Host

Step 3

Next, create the Authorization Profile.  Every unique IPSK will need to have its own Authorization Profile.  So for example, if you have ten devices and you want them all to have their own, unique PSK, then you will need to create ten Authorization Profiles.  Alternatively, if you want all ten devices to share the same IPSK, then you would only need to create one Authorization Profile.

1. Navigate to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles
2. Click the Create button
3. On the General tab, enter a Name and optional Description
4. On the RADIUS Attributes tab, enter the following for the PSK Mode:
   1. Dictionary Type:  RADIUS-Cisco
   2. RADIUS Attribute:  cisco-av-pair
   3. Attribute Type:  String
   4. Attribute Value:  Static
   5. Value:  psk-mode=ascii
5. Click the Add button to add this RADIUS attribute
6. Staying on the RADIUS Attributes tab, enter the following to set the PSK:
   1. Dictionary Type:  RADIUS-Cisco
   2. RADIUS-Attribute:  cisco-av-pair
   3. Attribute Type:  String
   4. Attribute Value:  Static
   5. Value:  psk=yourpsk
7. Click the Add button to add this RADIUS attribute
8. Click the Submit button to create the Authorization Profile

Note:  The Authorization Profile created to provide an IPSK to the device can also be used to set the client device’s VLAN, ACL, QoS, and other values.  The steps to configure these options are outside the scope of this document.

Step 4

Next, create the Access Service for IPSK.

1. Navigate to Access Policies > Access Services
2. Click the Create button
3. Enter a Name for the Access Service
4. (Optional) Enter a Description for the Access Service
5. Select the Based on Service Template radio button and click the Select button
   1. Select Network Access – MAC Authentication Bypass
   2. Click OK
6. Click the Next button
7. Ensure that the Process Host Lookup checkbox is checked (enabled)
8. Click Finish to create the Access Service

Step 5

Next, modify the Access Service’s Authorization Policy to allow for compound conditions:

1. Navigate to Access Policies > (Access Service Name) > Authorization
2. Click the Customize button
3. In the Available Conditions box, select Compound Condition and click the > (right arrow) button to move it to the Selected box.
4. Click OK
5. Click the Save Changes button to save the configuration.

Step 6

Next, modify the Access Service’s Authorization Policy:

1. Navigate to Access Policies > (Access Service Name) > Authorization
2. Click the Create button
3. In the Name field, enter a name for the rule.  I would recommend setting this to the host name of the device if using a unique PSK for each device.
4. Leave the Status set to Enabled
5. Check the Compound Condition box
6. In the Dictionary drop-down box, select RADIUS-IETF
7. In the Attribute field, click the Select button and select Calling-Station-ID
8. In the Value box, enter the MAC Address of the client device.
9. Click the Add button to add this condition.
10. In the Authorization Profiles box, click the Select button and select the Authorization Profile that you configured back in Step 3.
11. Click the OK button to create the Authorization Policy.
12. Click the Save Changes button to save the policy.

Step 7

Next, create a rule that will use the Access Service that we have just created.

1. Navigate to Access Policies > Access Services > Service Selection Rules
2. Click the Create button.
3. Enter a descriptive Name for the rule.
4. Leave the Status set to Enabled.
5. Check the Protocol box and select RADIUS
6. Check the Compound Condition box.
7. For the Dictionary drop-down box, select RADIUS-IETF
8. For the Attribute field, click the Select button and choose Service-Type
9. In the Value field, click the Select button and choose Call Check
10. Click the Add button to add this condition.
11. For the Results drop-down, select the Access Service created in Step 4.
12. Click the OK button
13. Click the Save Changes button to save the configuration.

Step 8

Finally, if you have other rules in ACS, you will likely need to move this rule up in the list.  Otherwise, the client device may match on another rule and fail to authenticate.

1. Navigate to Access Policies > Access Services > Service Selection Rules
2. Select the rule created in the prior step.
3. Click the ^ (up arrow) to move the rule up in the list.  It should be a higher priority than RADIUS rules that use 802.1X authentication.
4. Click the Save Changes button to save the configuration.

Conclusion

For additional information on the IPSK feature, including the steps to configure the Cisco Wireless LAN Controller (WLC), please consult the Identity PSK Feature Deployment Guide

If you are still running Cisco Secure ACS, I would highly recommend developing a strategy to migrate to the Cisco Identity Services Engine (ISE), as Cisco Secure ACS was announced End of Life (EoL) on 30 Nov 2016.  The last date for Software Maintenance (EoSWM) is set for 30 Aug 2018 and the software will no longer be supported (LDoS) after 31 Aug 2020.