https://community.cisco.com/t5/network-access-control/ipsk-not-working/m-p/3937932#M456579 <P>In your authorization policy, you are looking for a calling-station-id of the MAC address with colons ":" and capital letters.&nbsp; If you look at the failure details, the attribute for calling-station-id uses dashes "-" and lower-case letters.&nbsp; That is why you aren't matching on an authorization rule and falling down to the default of deny access.</P> Wed, 09 Oct 2019 14:12:35 GMT Colby LeMaire 2019-10-09T14:12:35Z https://community.cisco.com/t5/network-access-control/ipsk-not-working/m-p/3937905#M456578 <P>Just testing iPSK, I've followed the official Cisco links and several other people who have set this up, but I must be missing something simple.</P><P>The WLC is running 8.5.140, ISE is 2.2 Patch 15</P><P>&nbsp;</P><P>As you will see on the policy set picture I've tried to setup using End Point Groups and calling station id = mac address, with permit all and psk just to get the b<SPAN>asic connect working.</SPAN></P><P>&nbsp;</P><P><FONT face="Calibri" color="#000000">2 Endpoint Groups IPSK-Phone630 , IPSK-Phone681, both have at least 1 mac address for testing.</FONT></P><P><FONT face="Calibri" color="#000000">All Auth Profiles Access </FONT></P><P><FONT face="Calibri" color="#000000">Type = ACCESS_ACCEPT</FONT></P><P><FONT face="Calibri" color="#000000">cisco-av-pair = psk=mode=asci</FONT></P><P><FONT face="Calibri" color="#000000">cisco-av-pair = psk=abc12345</FONT></P><P>&nbsp;</P><P><FONT face="Calibri" color="#000000">Have attached the RADIUS failure.&nbsp; The WLC is configured correctly, have tippled checked all configs but something not just there, just need a fresh set of eyes</FONT></P><P>&nbsp;</P><P><FONT face="Calibri" color="#000000">cheers</FONT></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="policy set.JPG" style="width: 785px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46493i1E81EBC09230DF05/image-size/large?v=v2&amp;px=999" role="button" title="policy set.JPG" alt="policy set.JPG" /></span></P> Wed, 09 Oct 2019 13:42:01 GMT https://community.cisco.com/t5/network-access-control/ipsk-not-working/m-p/3937905#M456578 craiglebutt 2019-10-09T13:42:01Z https://community.cisco.com/t5/network-access-control/ipsk-not-working/m-p/3937932#M456579 <P>In your authorization policy, you are looking for a calling-station-id of the MAC address with colons ":" and capital letters.&nbsp; If you look at the failure details, the attribute for calling-station-id uses dashes "-" and lower-case letters.&nbsp; That is why you aren't matching on an authorization rule and falling down to the default of deny access.</P> Wed, 09 Oct 2019 14:12:35 GMT https://community.cisco.com/t5/network-access-control/ipsk-not-working/m-p/3937932#M456579 Colby LeMaire 2019-10-09T14:12:35Z https://community.cisco.com/t5/network-access-control/ipsk-not-working/m-p/3937944#M456581 <P>&nbsp;</P><P>I see what you are saying, the ISE changes the "-" to ":", even when entering on adding devices to Endpoints and creating Policy's.</P><P>&nbsp;</P><P>In the Radius Live Logs appears as ":"</P><P>&nbsp;</P><P>cheers</P> Wed, 09 Oct 2019 14:27:11 GMT https://community.cisco.com/t5/network-access-control/ipsk-not-working/m-p/3937944#M456581 craiglebutt 2019-10-09T14:27:11Z