Private Shared Key

Information About Private Preshared Key

With the advent of Internet of Things (IoT), the number of devices that connect to the internet has increased multifold. Not all of these devices support the 802.1x supplicant and need an alternate mechanism to connect to the internet. One of the security mechanisms, WPA-PSK, could be considered as an alternative. With the current configuration, the PSK is the same for all the clients that connect to the same WLAN. In certain deployments, such as educational institutions, this results in the key being shared to unauthorized users leading to security breach. This necessitates the need to provision unique PSKs for different clients on a large scale.

Identity PSKs are unique PSKs created for individuals or groups of users on the same SSID. No complex configuration is required for the clients. It provides the same simplicity of PSK, making it ideal for IoT, Bring your own device (BYOD), and guest deployments.

Identity PSKs are supported on most devices, in which 802.1X is not, enabling stronger security for IoT. It is possible to easily revoke access, for a single device or individual without affecting everyone else. Thousands of keys can easily be managed and distributed through the AAA server.


Note

Special characters, such as '<' and ‘>’ are supported in SSID Preshared key.

Note

PSK supports whitespace in passwords (before or after or in-between) within double quotes only; single quotes for whitespaces are not supported.

IPSK Solution

During client authentication, the AAA server authorizes the client MAC address and sends the passphrase (if configured) as part of the Cisco-AV pair list. The Cisco Wireless Controller (WLC) receives this as part of the RADIUS response and processes this further for the computation of PSKs.

When a client sends an association request to the SSID broadcast by the corresponding access point, the controller forms the RADIUS request packet with the particular mac address of the client and relays to the RADIUS server.

The RADIUS server performs the authentication and checks whether the client is allowed or not and sends either ACCESS-ACCEPT or ACCESS-REJECT as response to the WLC.

To support Identity PSKs, in addition to sending the authentication response, the authentication server also provides the AV pair passphrase for this specific client. This is used for the computation of the PMK.

The RADIUS server might also provide additional parameters, such as username, VLAN, Quality of Service (QoS), and so on, in the response, that is specific to this client. For multiple devices owned by a single user, the passphrase can remain the same.


Note

When the PSK length is less than 15 characters in Federal Information Processing Standard (FIPS), the controller allows the WLAN configuration but displays the following error message on the console:

"AP is allowed to join but corresponding WLAN will not be pushed to the access point"

Configuring a PSK in a WLAN (CLI)

Follow the procedure given below to configure a PSK in a WLAN:

Before you begin

  • Security should be configured for a pre-shared key (PSK) in a WLAN.

  • If there is no override from the AAA server, the value on the corresponding WLAN is considered for authentication.

  • In Federal Information Processing Standard (FIPS) and common criteria mode, ensure that the PSK WLAN has a minimum of 15 ASCII characters, else APs won't join the controller.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan wlan-name wlan-id ssid

Example:

Device(config)# wlan test-profile 4 abc

Configures the WLAN and SSID.

Step 3

no security wpa akm dot1x

Example:

Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 4

security wpa akm psk

Example:

Device(config-wlan)# security wpa akm psk

Configures the security type PSK.

Step 5

security wpa akm psk set-key ascii/hex key

Example:

Device(config-wlan)# security wpa akm psk set-key asci 0

Configures the PSK authenticated key management (AKM) shared key.

Note

 

You must set the psk set-key before configuring AKM PSK.

Step 6

security wpa akm psk

Example:

Device(config-wlan)# security wpa akm psk

Configures PSK support.

Step 7

security wpa wpa2 mpsk

Example:

Device(config-wlan)# security wpa wpa2 mpsk

Configures multi-preshared key (MPSK) support.

Note

 

AKM PSK should be enabled for MPSK to work.

Step 8

mac-filtering auth-list-name

Example:

Device(config-wlan)# mac-filtering test1

Specifies MAC filtering in a WLAN.

Configuring a PSK in a WLAN (GUI)

Procedure

Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

On the Wireless Networks page, click Security tab.

Step 3

In the Layer 2 window that is displayed, go to the WPA Parameters section.

Step 4

From the Auth Key Mgmt drop-down, select the PSK format and type.

Step 5

Enter the Pre-Shared Key in hexadecimal characters.

  • If you selected the PSK format as HEX, the key length must be exactly 64 characters.

  • If you selected the PSK format as ASCII, the key length must be in the range of 8-63 characters.

Note that once you have configured the key, these details are not visible even if you click on the eye icon next to the preshared key box, due to security reasons.

Step 6

Click Save & Apply to Device.

Applying a Policy Profile to a WLAN (GUI)

Procedure

Step 1

Choose Configuration > Tags & Profiles > Tags.

Step 2

On theManage Tags page, click Policy tab.

Step 3

Click Add to view the Add Policy Tag window.

Step 4

Enter a name and description for the policy tag.

Step 5

Click Add to map WLAN and policy.

Step 6

Choose the WLAN profile to map with the appropriate policy profile, and click the tick icon.

Step 7

Click Save & Apply to Device.

Applying a Policy Profile to a WLAN (CLI)

Follow the procedure given below to a apply policy profile to a WLAN:

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile policy policy-profile-name

Example:

Device(config)# wireless profile policy policy-iot

Configures the default policy profile.

Step 3

aaa-override

Example:

Device(config-wireless-policy)# aaa-override

Configures AAA override to apply policies coming from the AAA server or ISE the Cisco Identify Services Engine (ISE) server.

Verifying a Private PSK

Use the following show commands to verify the configuration of a WLAN and a client: 

Device# show wlan id 2


WLAN Profile Name     : test_ppsk
================================================
Identifier                                     : 2
Network Name (SSID)                            : test_ppsk
Status                                         : Enabled  
Broadcast SSID                                 : Enabled  
Universal AP Admin                             : Disabled 
Max Associated Clients per WLAN                : 0        
Max Associated Clients per AP per WLAN         : 0        
Max Associated Clients per AP Radio per WLAN   : 0        
Number of Active Clients                       : 0        
Exclusionlist Timeout                          : 60       
CHD per WLAN                                   : Enabled  
Interface                                      : default  
Multicast Interface                            : Unconfigured
WMM                                            : Allowed     
WifiDirect                                     : Invalid     
Channel Scan Defer Priority:                                 
  Priority (default)                           : 4           
  Priority (default)                           : 5           
  Priority (default)                           : 6           
Scan Defer Time (msecs)                        : 100         
Media Stream Multicast-direct                  : Disabled    
CCX - AironetIe Support                        : Enabled     
CCX - Diagnostics Channel Capability           : Disabled    
Peer-to-Peer Blocking Action                   : Disabled    
Radio Policy                                   : All         
DTIM period for 802.11a radio                  : 1           
DTIM period for 802.11b radio                  : 1           
Local EAP Authentication                       : Disabled    
Mac Filter Authorization list name             : test1     
Accounting list name                           : Disabled    
802.1x authentication list name                : Disabled    
Security                                                     
    802.11 Authentication                      : Open System 
    Static WEP Keys                            : Disabled    
    802.1X                                     : Disabled    
    Wi-Fi Protected Access (WPA/WPA2)          : Enabled     
        WPA (SSN IE)                           : Disabled    
        WPA2 (RSN IE)                          : Enabled     
            TKIP Cipher                        : Disabled    
            AES Cipher                         : Enabled     
        Auth Key Management                                  
            802.1x                             : Disabled    
            PSK                                : Enabled     
            CCKM                               : Disabled    
            FT dot1x                           : Disabled    
            FT PSK                             : Disabled    
            PMF dot1x                          : Disabled    
            PMF PSK                            : Disabled    
    CCKM TSF Tolerance                         : 1000        
    FT Support                                 : Disabled    
        FT Reassociation Timeout               : 20          
        FT Over-The-DS mode                    : Enabled     
    PMF Support                                : Disabled    
        PMF Association Comeback Timeout       : 1           
        PMF SA Query Time                      : 200         
    Web Based Authentication                   : Disabled    
    Conditional Web Redirect                   : Disabled    
    Splash-Page Web Redirect                   : Disabled    
    Webauth On-mac-filter Failure              : Disabled    
    Webauth Authentication List Name           : Disabled    
    Webauth Parameter Map                      : Disabled    
    Tkip MIC Countermeasure Hold-down Timer    : 60          
Call Snooping                                  : Disabled
Passive Client                                 : Disabled
Non Cisco WGB                                  : Disabled
Band Select                                    : Disabled
Load Balancing                                 : Disabled
Multicast Buffer                               : Disabled
Multicast Buffer Size                          : 0
IP Source Guard                                : Disabled
Assisted-Roaming
    Neighbor List                              : Disabled
    Prediction List                            : Disabled
    Dual Band Support                          : Disabled
IEEE 802.11v parameters
    Directed Multicast Service                 : Disabled
    BSS Max Idle                               : Disabled
        Protected Mode                         : Disabled
    Traffic Filtering Service                  : Disabled
    BSS Transition                             : Enabled
        Disassociation Imminent                : Disabled
            Optimised Roaming Timer            : 40
            Timer                              : 200
    WNM Sleep Mode                             : Disabled
802.11ac MU-MIMO                               : Disabled


Device# show wireless client mac-address a886.adb2.05f9 detail


Client MAC Address : a886.adb2.05f9
Client IPv4 Address : 9.9.58.246
Client Username : A8-86-AD-B2-05-F9
AP MAC Address : c025.5c55.e400
AP Name: saurabh-3600
AP slot : 1  
Client State : Associated
Policy Profile : default-policy-profile
Flex Profile : default-flex-profile
Wireless LAN Id : 6
Wireless LAN Name: SSS_PPSK
BSSID : c025.5c55.e40f
Connected For : 280 seconds
Protocol : 802.11n - 5 GHz
Channel : 60 
Client IIF-ID : 0xa0000001
Association Id : 1
Authentication Algorithm : Open System
Client CCX version : No CCX support
Session Timeout : 320 sec (Remaining time: 40 sec)
Input Policy Name  :
Input Policy State : None
Input Policy Source : None
Output Policy Name  :
Output Policy State : None
Output Policy Source : None
WMM Support : Enabled
U-APSD Support : Enabled
  U-APSD value : 0
  APSD ACs    : BK, BE, VI, VO
Fastlane Support : Disabled
Power Save : OFF
Current Rate : m22
Supported Rates : 9.0,18.0,36.0,48.0,54.0
Mobility:
  Move Count                  : 0
  Mobility Role               : Local
  Mobility Roam Type          : None
  Mobility Complete Timestamp : 09/27/2017 16:32:25 IST
Policy Manager State: Run
NPU Fast Fast Notified : No
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 280 seconds
Policy Type : WPA2
Encryption Cipher : CCMP (AES)
Authentication Key Management : PSK
AAA override passphrase: Yes
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
VLAN : 58
Access VLAN : 58
Anchor VLAN : 0
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Session Manager:
  Interface        : capwap_90000005
  IIF ID           : 0x90000005
  Device Type      : Apple-Device
  Protocol Map     : 0x000001
  Authorized       : TRUE
  Session timeout  : 320
  Common Session ID: 1F3809090000005DC30088EA
  Acct Session ID  : 0x00000000
  Auth Method Status List
        Method : MAB
                SM State        : TERMINATE
                Authen Status   : Success
  Local Policies:
        Service Template : wlan_svc_default-policy-profile (priority 254)
                Absolute-Timer   : 320
                VLAN             : 58
  Server Policies:
  Resultant Policies:
                VLAN             : 58
                Absolute-Timer   : 320
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 0
Fast BSS Transition Details :
  Reassociation Timeout : 0
11v BSS Transition : Not implemented
FlexConnect Data Switching : Local
FlexConnect Dhcp Status : Local
FlexConnect Authentication : Central
FlexConnect Central Association : No
Client Statistics:
  Number of Bytes Received : 59795
  Number of Bytes Sent : 21404
  Number of Packets Received : 518
  Number of Packets Sent : 274
  Number of EAP Id Request Msg Timeouts :
  Number of EAP Request Msg Timeouts :
  Number of EAP Key Msg Timeouts :
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -32 dBm
  Signal to Noise Ratio : 58 dB
Fabric status : Disabled