Interesting Troubleshooting Cases, Part 1 - The RADIUS Connection

Note: This article is part 1 of a 4-part troubleshooting series, with more in-depth information about a TEN talk at WLPC.
Part 2 - Zoom issues
Part 3 - Breaking other Wi-Fi
Part 4 - The suddenly weaker Wi-Fi
Video recording from WLPC Prague

Incoming Ticket: I’m a student from Institution X in the same town. I am visiting your library and I can’t connect to eduroam here. It works fine on the campus of Institution X.

If you are not familiar with eduroam, it is a worldwide network of Universities, granting each other wireless access.

eduroam is built in a tree-like structure:

[Figure: eduroam's tree-like hierarchy of countries, each with a country root above the member institutions]

If you, as an institution, receive an authentication request from a foreign user, you forward it to your country root; you only ever talk directly to your own root. That root either knows where to forward it (if the user's home institution is in the same country) or forwards it to its own root, which knows all countries. Once it reaches the correct country root, it is delivered to the right institution.

IPSK on Cisco without ISE but FreeRADIUS

What is IPSK?

The concept is not new; other wireless vendors have had this or similar features for a while (often named PPSK, DPSK, or MPSK, each with slightly different functionality), but some time ago Cisco released "Identity PSK", or "IPSK" for short. It has been available on AireOS since version 8.5 and on the 9800 controller since the beginning (16.10). I did my first experiments with it on AireOS 8.5 and turned it into a new service on our campus on 16.10 back then.

As the name suggests, it is PSK authentication, but not every client on the SSID has to share the same PSK. You can group clients by department or by device type, or even give every single device its own PSK. Combined with dynamic VLAN assignment (which has been possible forever), this gives you clean grouping and separate security zones. This is why the solution is so well suited to IoT:

  • They typically cannot use 802.1X
  • You want to separate them, e.g. cameras, sensors, displays, weird printers
  • You don’t want to use a separate SSID for every type, because of SSID overhead

IPSK makes it possible to have this on one SSID:

One SSID - 3 Clients in 3 VLANs with 3 different PSKs instead of 1 SSID per device type or vendor

The auth side of the equation is typically configured on a Cisco ISE. But it does not have to be ISE: any RADIUS server that can return the required attributes will work.

This is why I chose to show you how it is done in the great open-source RADIUS server FreeRADIUS.
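As an added illustration (not the article's own configuration, which follows later), here is what such a per-device reply looks like in a FreeRADIUS `users` file: the standard tunnel attributes carry the VLAN, and Cisco's `psk-mode`/`psk` AV pairs carry the key. It assumes the controller does MAC filtering against RADIUS with the client MAC (lower-case, no separators) as both User-Name and password; the MACs, VLAN IDs and keys are constructed placeholders.

```conf
# Added example, not the article's config: FreeRADIUS "users" entries for
# Cisco IPSK. Assumes the WLC sends the client MAC without delimiters as
# User-Name and password. MACs, VLANs and keys are constructed placeholders.

# Camera: placed in VLAN 10 and handed the camera group's PSK
aabbccdd0001    Cleartext-Password := "aabbccdd0001"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10",
        Cisco-AVPair = "psk-mode=ascii",
        Cisco-AVPair += "psk=CameraGroupKey-placeholder"

# Sensor: VLAN 20 with a different PSK, same SSID
aabbccdd0002    Cleartext-Password := "aabbccdd0002"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20",
        Cisco-AVPair = "psk-mode=ascii",
        Cisco-AVPair += "psk=SensorGroupKey-placeholder"

# Unknown MACs are rejected, so no PSK is ever returned for them
DEFAULT         Auth-Type := Reject
```

The second AV pair needs `+=`, since a plain `=` only adds an attribute that is not already in the reply; keys must be 8 to 63 printable characters.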