Meraki IPSK with FreeRADIUS
This is a follow-up to my post IPSK on Cisco without ISE but FreeRADIUS. The FreeRADIUS server has been running unchanged since that post, and I will show what has to be done specifically in the configuration when working with Cisco Meraki APs.
Meraki’s IPSK comes in two flavors: with RADIUS server and without.
The “without” option lets you configure multiple PSKs that are valid for every client that knows them. Numerous vendors support this scheme: the AP basically tries all valid PSKs when a client joins to find the one that matches. The issue with this approach is that it can’t work with WPA3. With WPA3 (and by that I mean WPA3-SAE, not 802.1X) the AP has to know the correct secret up front and has no way of trying multiple possibilities. One vendor claims to have worked around that, but there have yet to be any technical details.
This leaves us with “Identity PSK with RADIUS”: because we “pre-register” our clients by MAC address in our RADIUS server, the AP can query it for the correct passphrase as soon as it receives a join from a client, which makes this possible with WPA3-SAE. But, as of today, Meraki APs (version MR 30.6) do not support this yet. Cisco’s 9800 controller supports this starting from 17.9.2, so we can hope that Meraki will support it soon too. The security issue itself is not that big, because some of the weaknesses of WPA2-PSK are somewhat offset by IPSK, but missing WPA3 support also means no IPSK in 6 GHz, as WPA3 is required for the 6 GHz band.
Having covered the theoretical parts of this post, let’s get to configuring.
Cisco 9800 alert on MAC join using EEM
Just a small tidbit: I recently received a request to quickly alert when a specific MAC address joins our 802.1X WLAN and to give its approximate location.
There are a few possible ways to do this: alerting on RADIUS server logs, any MAC table, log concentrators, or SIEM solutions. But doing it quickly and easily turned out to be very straightforward using only out-of-the-box features on the Cisco 9800 controller, specifically EEM applets.
To see what we’re after, let’s look at a standard logline when a client joins our 802.1X SSID:
Mar 24 10:18:33.637: %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 1 R0/0: wncd: Username entry (thisisausername) joined with ssid (thisisanssid) for device with MAC: aabb.ccdd.1234
As we are focused on the MAC address, note that it appears right there at the end of the log line after the join.
EEM is the Embedded Event Manager. It can trigger on many things, one of which is matching on log lines and executing specific commands in the event of a match.
The hunt for the hidden probe
I recently discussed hidden SSIDs with a co-worker.
Now we all know, as it is pretty much common knowledge and covered in even basic wireless, networking, and security training, that hiding the SSID provides no security gain at all. Not only that; it has adverse effects, with certain clients not joining and roaming problems.
But the question that arose: Does a hidden SSID generate a probe response to a wildcard probe (“null”) request?
As it turns out, the answer is not that easy to find.
Interesting Troubleshooting Cases, Video of my TEN talk
Note: This is the video recording of my TEN talk at WLPC Prague 2023. There are articles with more detail:
Part 1 - The RADIUS connection
Part 2 - Zoom issues
Part 3 - Breaking other Wi-Fi
Part 4 - The suddenly weaker Wi-Fi
Interesting Troubleshooting Cases, Part 4 - The suddenly weaker Wi-Fi
Note: This article is part 4 of a 4-part troubleshooting series, with more in-depth information about a TEN talk at WLPC.
Part 1 - The RADIUS connection
Part 2 - Zoom issues
Part 3 - Breaking other Wi-Fi
Video recording from WLPC Prague
Incoming Ticket: The Wi-Fi is weaker now. Getting fewer bars, lower throughput on my MacBook Pro. Dropping out of Wi-Fi often.
Looking at the client device, I see a MacBook Pro 2018, and the signal and SNR are more than 10 dB lower than usual. Not just a bit of fluctuation as expected between clients, but significantly weaker.
The other thing that stood out was that generating a lot of traffic right next to it tanked the SNR. Doing a speed test on an iPhone right next to it kicked the MacBook out of the network.
Interesting Troubleshooting Cases, Part 3 - Breaking other Wi-Fi
Note: This article is part 3 of a 4-part troubleshooting series, with more in-depth information about a TEN talk at WLPC.
Part 1 - The RADIUS connection
Part 2 - Zoom issues
Part 4 - The suddenly weaker Wi-Fi
Video recording from WLPC Prague
Incoming Ticket: I have installed eduroam via the configuration assistant tool (CAT) on macOS without issues and eduroam connects flawlessly.
But now my home network does not work anymore. After deleting the CAT profile my Wi-Fi at home works again. Is this a known issue?
Now, my first reaction to this was “What?!” as this sounds just impossible.
If you don’t know CAT, it is a tool that provides onboarding for eduroam, with executables (Windows), scripts (Linux), apps (Android), and mobileconfig files (macOS, iOS). It does nothing more than tell your device how to configure eduroam correctly so that it is secure. It is basically just a sort of MDM for eduroam.
It normally does not delete SSIDs (though some installers can, if instructed to), and does not mess with IP settings, DNS settings, adapter settings, or anything else. We have thousands of installs of the macOS .mobileconfig, so you would think that if it did mess up settings, more clients would be raising issues.
Interesting Troubleshooting Cases, Part 2 - The Zoom issues in just one building
Note: This article is part 2 of a 4-part troubleshooting series, with more in-depth information about a TEN talk at WLPC.
Part 1 - The RADIUS connection
Part 3 - Breaking other Wi-Fi
Part 4 - The suddenly weaker Wi-Fi
Video recording from WLPC Prague
Incoming Ticket: Terrible connection using Zoom on Wi-Fi. Works for a while, then unusable for a minute. Building is almost empty.
This is of course pretty broad, so to give an overview of what I checked:
- The building was new and got 802.11ac Wave 2 Wi-Fi, planned and validated, so it should not be a coverage issue
- It also happens when the building is almost empty, so capacity should not be an issue
- Multiple client types affected, so probably not a client driver issue
- Log check revealed that there is no unexpected roaming and no channel changes
- It was validated that it worked fine on the wired network, so only wireless was affected
- On the whole campus, only this building had this issue
- It was hard to reproduce; sometimes it took hours, sometimes it happened multiple times in an hour
Interesting Troubleshooting Cases, Part 1 - The RADIUS Connection
Note: This article is part 1 of a 4-part troubleshooting series, with more in-depth information about a TEN talk at WLPC.
Part 2 - Zoom issues
Part 3 - Breaking other Wi-Fi
Part 4 - The suddenly weaker Wi-Fi
Video recording from WLPC Prague
Incoming Ticket: I’m a student from Institution X in the same town. I am visiting your library and I can’t connect to eduroam here. It works fine on the campus of Institution X.
If you are not familiar with eduroam, it is a worldwide federation of universities granting each other wireless access.
eduroam is built in a tree-like structure:
If you as an institution receive an authentication request from a foreign user, you forward it to your country root; you only talk directly to your root. This root will either know where to forward it, if the user’s home institution is in the same country, or forward it to its own root, which knows all countries. Once received by the correct country root, the request is forwarded to the right institution.
IPSK on Cisco without ISE but FreeRADIUS
What is IPSK?
The concept is not new; other wireless vendors have had this or similar features for a while (often named PPSK, DPSK, or MPSK, all with slightly different functionality), but some time ago Cisco released “Identity PSK”, or “IPSK” for short. It has been available on AireOS since version 8.5 and on the 9800 controller since the beginning (16.10). I did my first experiments with it on AireOS 8.5 and turned it into a new service on our campus on 16.10 back then.
As the name suggests, it is PSK authentication, but not every client on the SSID has to have the same PSK. You can group them by department or type, or even give every single device its own PSK. Additionally, combined with dynamic VLAN assignment (which has been possible forever), this leads to great grouping and security zones. This is why this solution is so great for IoT:
- They can typically not use 802.1X
- You want to separate them, e.g. cameras, sensors, displays, weird printers
- You don’t want to use a separate SSID for every type, because of SSID overhead
IPSK makes it possible to have all of this on one SSID.
The solution is typically to use Cisco ISE to configure the authentication side of the equation. But it does not have to be ISE; any RADIUS implementation that can send the required attributes will work.
This is why I chose to show you how it is done in the great open-source RADIUS server FreeRADIUS.