UPSK and Self Registration
The Nile Access Service offers the Unique Passphrase (UPSK) feature to enhance the security of wireless network access. Unlike traditional pre-shared key (PSK) wireless networks, where a single key is shared among all devices, UPSK assigns a unique key to every authenticated user or device.
Nile also provides a self-registration portal that allows users to securely onboard their devices, including BYOD and corporate assets, using UPSK and single sign-on (SSO) authentication.
The Unique Passphrase (UPSK) feature in the Nile Access Service enables secure network access for a wide range of devices, including Internet of Things (IoT) equipment, AV equipment, and employee-owned devices.
For headless devices that cannot accommodate 802.1X authentication, Nile supports the use of UPSK with an external RADIUS server (such as Cisco ISE or Aruba ClearPass) or the Nile Cloud.
As an administrator, you can generate UPSK keys for these devices in the following ways:
- Log in to the Nile Customer Portal and register the device's MAC address. Nile can generate a unique key, or you can enter your own.
- Bulk upload a CSV file with MAC addresses and UPSK values.
- Use the Nile API to register MAC addresses and generate UPSK keys.
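A pre-upload check for the bulk CSV option above, as an added example that is not Nile's code: it normalises MAC addresses, rejects malformed, duplicate and non-unicast entries, and generates a distinct random passphrase for each device. The column names `mac_address` and `upsk` are assumptions, so match them to the template the portal provides.

```python
import csv
import io
import re
import secrets
import string

COLUMNS = ("mac_address", "upsk")  # assumed header; use the portal's own template
ALPHABET = string.ascii_letters + string.digits

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or raise ValueError for malformed/group MACs."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC: {raw!r}")
    if int(digits[:2], 16) & 1:  # group bit set: multicast or broadcast
        raise ValueError(f"not a unicast MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def new_passphrase(length=24):
    """Random passphrase; WPA2-Personal accepts 8 to 63 printable ASCII chars."""
    if not 8 <= length <= 63:
        raise ValueError("passphrase length must be 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_rows(macs):
    """Give each distinct device MAC its own key; return (rows, rejected)."""
    rows, rejected = {}, []
    for raw in macs:
        try:
            mac = normalize_mac(raw)
            if mac in rows:
                raise ValueError(f"duplicate MAC: {raw!r}")
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        key = new_passphrase()
        while key in rows.values():  # a repeated key would defeat uniqueness
            key = new_passphrase()
        rows[mac] = key
    return sorted(rows.items()), rejected

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows([COLUMNS, *rows])
    return buf.getvalue()

# Constructed sample inventory (not real devices).
SAMPLE = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5e", "ff:ff:ff:ff:ff:ff", "zz:11"]
```

The resulting file holds every device key in clear text, so restrict its permissions and delete it once the upload has completed.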
Nile's self-registration portal allows employees to securely onboard their own devices, such as laptops, phones, and tablets, using UPSK and single sign-on (SSO) authentication.
When an administrator enables SSO and a UPSK-enabled wireless service, a self-registration portal link is generated. This link can be embedded in the my.nilesecure.com page or the Nile-hosted guest page, allowing employees to access it from anywhere.
After successfully authenticating through the organization's identity provider (IdP), employees can generate a UPSK for their devices and connect to the UPSK-enabled wireless service.
To configure UPSK in the Nile Access Service, follow these steps:
- In the "Settings" > "Wireless" section of the Nile Customer Portal, create a "Personal" SSID and enable the "Enable SSO" option.
- Enter a pre-shared key and select the appropriate network segment for the UPSK-enabled SSID.
- If the segment is configured with an external RADIUS server, the RADIUS server will be used for UPSK authentication. Otherwise, the Nile Cloud will be used.
The self-registration portal in the Nile Access Service allows users to securely onboard their devices, including BYOD and corporate assets, using UPSK and single sign-on (SSO) authentication.
When an administrator enables SSO and a UPSK-enabled wireless service, a self-registration portal link is generated. This link can be found in the following locations:
- Embedded in the my.nilesecure.com page (if the user is connected to the Nile network)
- Embedded in the Nile-hosted guest page
- Displayed in the Nile Customer Portal and accessible from anywhere
Users can access the self-registration portal by clicking the link and authenticating through the organization's identity provider (IdP).
After successful authentication, users can perform the following actions in the self-registration portal:
- Generate a UPSK key for their devices, which can be used to connect to the UPSK-enabled wireless service.
- Register wired devices by providing the MAC address. These devices will be automatically assigned to the "Self Register" segment.
The self-registered devices will be assigned to the network segment configured for the UPSK-enabled wireless service.
As an administrator, you can view and manage the devices registered through the self-registration portal, including:
- Seeing all wired devices registered through the "Self Register" segment.
- Viewing all UPSK keys generated by users.
- Monitoring the devices connected using UPSK.
If a device is lost or the UPSK key is compromised, you can delete the user/device or update the UPSK key from the Nile Customer Portal.
By leveraging the Unique Passphrase (UPSK) feature and the self-registration portal, organizations can securely onboard a wide range of devices, including BYOD and IoT equipment, while maintaining control and visibility over network access.
The Nile Access Service supports the integration of Unique Passphrase (UPSK) with external RADIUS servers, such as Cisco ISE and Aruba ClearPass. UPSK enhances the security of traditional pre-shared key (PSK) wireless networks by assigning a unique passphrase to each authenticated user, rather than a single shared key.
To configure UPSK with an external RADIUS server in the Nile Access Service, follow these steps:
- Configure the SSO Provider
- Create a UPSK-enabled SSID in the Nile Customer Portal:
  - Navigate to the "Settings" > "Wireless" page in the Nile Customer Portal.
  - Select the "Personal" SSID type and enable the "Enable SSO" option.
  - Enter a pre-shared key and select the network segments accessible via this SSID.
- Configure the RADIUS Integration in the Nile Customer Portal:
  - Go to the "Settings" > "Authentication" page and add the external RADIUS server details, including the name, IP address or FQDN, port, and shared secret.
  - Verify the RADIUS server connection by clicking the "Verify Hosts" button.
  - In the "Segments" section, edit the segment associated with the UPSK-enabled SSID and select the RADIUS server you just configured.
- Provide Users with the UPSK Registration Link:
  - Instruct users to visit the my.nilesecure.com website or use the unique registration link provided in the Nile Customer Portal.
  - Users will be prompted to authenticate using your organization's identity provider (IdP), which should be integrated with the external RADIUS server.
  - After successful authentication, users can generate a unique passphrase for their device to connect to the UPSK-enabled SSID.
By integrating UPSK with an external RADIUS server, you can leverage your existing identity management infrastructure to provide secure wireless access, while still benefiting from the enhanced security and user-specific credentials offered by the Nile Access Service's UPSK feature.