Dot11 Guru

802.11, RADIUS

Using iPSK to move security accountability from IT teams

For the company I work for, we have a pretty strict security policy towards PSK networks, a lot of which cannot be discussed in a public forum for obvious reasons.

The detail within the policy means that our operational teams have a lot of repetitive overhead to perform every month. We also operate within a largely Cisco landscape, which, in this case, brings the ability to utilise iPSK with Cisco ISE.

Identity PSK

Identity PSK enables the use of multiple pre-shared keys on a single SSID. Authentication is handled by a RADIUS server, in this case Cisco ISE. This also allows us to perform Change of Authorisation to dynamically assign VLANs.

More information on the configuration of iPSK can be found here:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html

How can we shift the accountability away from our IT teams?

Once iPSK is implemented and segmentation is set up through dynamic VLAN assignment, we are able to move the accountability away from IT teams by utilising an application similar to the iPSK Manager.

iPSK Manager: https://community.cisco.com/t5/security-documents/ipsk-identity-pre-shared-key-manager-portal-server-for-ise/ta-p/3904265

iPSK Manager

The iPSK Manager gives us a user-friendly interface that allows employees to add and manage devices. You can assign the device to the correct network and limit the lifetime of the device. This is a tool that shows great potential, and is currently being investigated within our organisation.
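To make the mechanism concrete, here is a small model of the per-device lookup, added as an example (it is not code from iPSK Manager or ISE): the controller sends the client's MAC to RADIUS, and the Access-Accept carries that device's key in the `psk-mode`/`psk` Cisco AV pairs together with the standard VLAN tunnel attributes. The `Registry` class, the VLAN map and the network names are hypothetical.

```python
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed network-to-VLAN map; names and IDs are illustrative only.
VLANS = {"iot": 210, "av": 220}


@dataclass
class Device:
    psk: str            # unique per device, never shared between devices
    vlan: int
    expires: datetime   # from this moment on, the device is rejected


def normalise_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA-BB..', 'aabb.ccdd..' and 'aa:bb..' all match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class Registry:
    def __init__(self) -> None:
        self._devices = {}  # canonical MAC -> Device

    def enrol(self, mac: str, network: str, days: int, now: datetime) -> str:
        """Register a device with a fresh random PSK and a bounded lifetime."""
        psk = secrets.token_urlsafe(24)  # 32 chars, inside WPA2's 8-63 ASCII range
        self._devices[normalise_mac(mac)] = Device(
            psk, VLANS[network], now + timedelta(days=days))
        return psk

    def authorise(self, calling_station_id: str, now: datetime) -> Optional[dict]:
        """Return Access-Accept attributes for a MAC lookup, or None to reject."""
        dev = self._devices.get(normalise_mac(calling_station_id))
        if dev is None or now >= dev.expires:
            return None  # unknown or expired device: no PSK is released
        return {
            "cisco-av-pair": ["psk-mode=ascii", f"psk={dev.psk}"],
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(dev.vlan),
        }
```

Because each key is bound to one MAC and one expiry, retiring a device or letting it lapse removes only that key and leaves every other device on the SSID untouched.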

More to come as we continue the testing and implementation of this idea!
