Simplify IoT Authentication with Multiple Pre-Shared Key (MPSK)


Network administrators are dealing with an explosion of IoT devices from surveillance cameras and environmental sensors to medical devices to smart shelves. For those IoT devices that support 802.1X authentication, the path for joining the network in a secure manner is clear: Use a secure, device-bound credential. This allows clients to securely authenticate and join the network using a strong user and/or device identity.


Figure 1. Traditional deployment with WPA-PSK.

However, many IoT devices are “headless” and cannot support network security functionality like 802.1X. When dealing with headless IoT devices, the story is clearly different. The most commonly used method of authentication is WPA2-PSK. Although WPA2-PSK is far more secure than an open or WEP network, it still exposes the network to security vulnerabilities.

WPA2-PSK has several limitations:

  • The WPA2-PSK passphrase is shared among all devices associating with the same SSID. If the key is compromised, security breaches are sure to follow.
  • The operational aspect of replacing the key is manual and laborious for IT.
  • Overcoming the single WPA-PSK passphrase problem with multiple SSIDs results in inefficient RF utilization.

MPSK is a Better Solution for IoT

Multi Pre-Shared Key (MPSK) is a better option. Aruba ClearPass 6.8 and Aruba OS 8.4 take advantage of new standards such as WPA3 and Opportunistic Wireless Encryption to overcome the pre-shared key problem.

Specifically, MPSK enables device-specific and group-specific passphrases, which enhances security and deployment flexibility for headless IoT devices. Passphrases can be administratively assigned to groups of devices based on common attributes like profiling data or uniquely assigned to each device registration with ClearPass Policy Manager.

Now, multiple pre-shared keys can be supported on the same SSID. Using a single SSID also improves the RF bandwidth utilization, delivering a better user experience. Using MPSK reduces the time and effort for the IT department to secure the network. And providing multiple PSKs across different platform types ensures better security.

MPSK has several benefits. First, because it establishes a one-to-one associated relationship between devices (i.e. the MAC address) and a specific user, it provides visibility, accountability and management for a single user. In Aruba, this is enabled through ClearPass self-service device registration.

Second, MPSK can be used to associate a device with a group of users, for example, a smart TV that’s used by the marketing team. This is enabled through enforcement policy by the ClearPass administrator.
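The device-specific and group-specific key resolution described in the two paragraphs above, as an added illustration that is not Aruba or ClearPass code: the policy tables, MAC addresses and passphrases are constructed, the PMK derivation is the standard WPA2-Personal PBKDF2 step, and `handshake_proof` is a hypothetical simplified stand-in for the 4-way handshake MIC check, not the real PTK key schedule.

```python
import hashlib
import hmac
import secrets

SSID = "iot-devices"  # constructed sample SSID

# Constructed sample policy data; in the deployment described above it would
# come from ClearPass (self-service registration and enforcement policy).
DEVICE_PSK = {"aa:bb:cc:00:00:01": "cam01-Qv7!rL2pZ"}  # device-specific passphrases
GROUP_PSK = {"smart-tv": "mktg-tv-H4s#9kWq", "sensor": "env-sensor-Tz8$mN3"}  # group passphrases
PROFILE = {"aa:bb:cc:00:00:02": "smart-tv", "aa:bb:cc:00:00:03": "sensor"}  # profiling -> group

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def resolve_passphrase(mac: str):
    """Policy lookup: a device-specific key wins, then the profiled group's key, else none."""
    if mac in DEVICE_PSK:
        return DEVICE_PSK[mac]
    group = PROFILE.get(mac)
    return GROUP_PSK.get(group) if group else None

def handshake_proof(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Hypothetical simplified stand-in for the 4-way handshake MIC (not the real PTK/KCK schedule)."""
    return hmac.new(pmk, anonce + snonce, "sha256").digest()

def authenticate(mac: str, anonce: bytes, snonce: bytes, proof: bytes) -> bool:
    """Authenticator side: resolve the key assigned to this MAC and verify the client's proof."""
    passphrase = resolve_passphrase(mac)
    if passphrase is None:
        return False  # unregistered and unprofiled device: no key, no access
    expected = handshake_proof(derive_pmk(passphrase, SSID), anonce, snonce)
    return hmac.compare_digest(expected, proof)

def client_join(mac: str, passphrase: str, anonce: bytes) -> bool:
    """Client side: prove possession of the passphrase it was provisioned with."""
    snonce = secrets.token_bytes(32)
    proof = handshake_proof(derive_pmk(passphrase, SSID), anonce, snonce)
    return authenticate(mac, anonce, snonce, proof)

def revoke_device(mac: str) -> None:
    """Rotating or revoking one device's key touches only that device's entry."""
    DEVICE_PSK.pop(mac, None)

if __name__ == "__main__":
    anonce = secrets.token_bytes(32)
    print(client_join("aa:bb:cc:00:00:01", "cam01-Qv7!rL2pZ", anonce))  # True: device-specific key
    revoke_device("aa:bb:cc:00:00:01")
    print(client_join("aa:bb:cc:00:00:01", "cam01-Qv7!rL2pZ", anonce))  # False: key revoked
```

Because each device or group has its own PMK, revoking the camera's key leaves the smart TV and sensor groups unaffected, which is the operational gain over a single shared passphrase.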


Figure 2 Aruba’s Multi Pre-Shared Key deployment model.

MPSK does not replace secure authentication methods like EAP-TLS for traditional mobile devices like laptops, tablets and smartphones. However, MPSK provides a far better way to ensure that IoT devices are authenticated and legitimately connected to the network, without any IT involvement.
