https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/4394283#M228796 <P>Hi Community,</P><P>&nbsp;</P><P>Just wanted to get an update on this topic in case changes have occurred in later ISE versions. As with the original poster of this topic, I have a similar situation where a customer would like to rationalise a number of PSK services using iPSK, however, they don't have a complete list of devices &amp; MAC addresses as these are 3rd systems that come on the network as and when.&nbsp;</P><P>&nbsp;</P><P>Ideally if iPSK would allow any MAC address to connect as long as they had the valid PSK, then this would tick the box. I have seen the onboarding iPSK portal with iPSK Manager, which looks really good, but does not fit my customer requirement this time. The customer could look to run reports on the clients connecting to the wireless services via Prime Infrastructure and capture the MAC addresses over time, but this could take time too.</P><P>&nbsp;</P><P>Alternatively, is it possible to allow ISE with iPSK Manager to allow any MAC address to connect as long as it has the valid PSK, and then perhaps iPSK Manager then registers that MAC for future connections.</P><P>&nbsp;</P><P>Unfortunately I am after an onboarding process without the need for the client or the customer to onboard their devices <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>&nbsp;</P><P>Kind regards,</P><P>&nbsp;</P><P>Ian</P> Tue, 27 Apr 2021 19:23:22 GMT igaffine 2021-04-27T19:23:22Z https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/3926131#M30001 <P>I would like to use IPSK&nbsp; and I undestrood it works like this:</P><P>-I will configure one only common SSID<BR />-user who will connect to IPSK_SSID and use PSK_123 &nbsp; will be connected to VLAN&nbsp; 123<BR />-user who will connect to IPSK_SSID and use PSK_456&nbsp;&nbsp; will be connected to VLAN&nbsp; 456</P><P>-user who will connect to IPSK_SSID and use PSK_789 &nbsp; will be connected to VLAN&nbsp; 789</P><P>And this will be great.</P><P>&nbsp;</P><P>What is not clear to me is: before any user will be able to use PSK_XXX&nbsp; do&nbsp; I need to know&nbsp; his&nbsp; MAC address?</P><P>Is it really mandatory to know their mac address&nbsp;&nbsp; before they will be able to connect to the IPSK&nbsp; SSID ?</P><P>Is there any way to bypass this with a wildcard that acceprt any mac and checks only&nbsp; PSK&nbsp; to decide to admit or not the clients?<BR />My goal is to admit all clients that have the correct PSK &nbsp; because (for many reasons)&nbsp; I'm not able to produce a coplete database of all mac address they have now and particularly I'm not able to foresee what mac they will have in the future.&nbsp;</P><P><BR />Thank you in advance for your help</P> Mon, 05 Jul 2021 18:01:16 GMT https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/3926131#M30001 Emiliano Luca 2021-07-05T18:01:16Z https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/3926243#M30002 <P>Hi</P> <P>&nbsp;Yes, you do. There´s no wild card for mac address as it can change significantly according with the vendor.</P> <P>&nbsp;</P> <P>This link below will drive you very very well on this configuration, including RADIUS.&nbsp;</P> <P><A href="https://ripplesinharmony.wordpress.com/2019/03/11/implementing-cisco-ipsk-with-ise/" target="_self">https://ripplesinharmony.wordpress.com/2019/03/11/implemen</A><A href="https://ripplesinharmony.wordpress.com/2019/03/11/implementing-cisco-ipsk-with-ise/" target="_self">ting-cisco-ipsk-with-ise/</A></P> <P>&nbsp;</P> <P>-If I helped you somehow, please, rate it as useful.-</P> Wed, 18 Sep 2019 13:07:32 GMT https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/3926243#M30002 Flavio Miranda 2019-09-18T13:07:32Z https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/3926697#M30003 <P>Correct you need to add their MAC addresses to your RADIUS server before they can connect. No wildcards unfortunately.</P><P>Keep an eye out as Cisco was talking about releasing something around on boarding IOT devices for this use case to save having to manually adding every MAC address. This was mentioned at MFD4</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Sep 2019 05:24:36 GMT https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/3926697#M30003 Haydn Andrews 2019-09-19T05:24:36Z https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/4394283#M228796 <P>Hi Community,</P><P>&nbsp;</P><P>Just wanted to get an update on this topic in case changes have occurred in later ISE versions. As with the original poster of this topic, I have a similar situation where a customer would like to rationalise a number of PSK services using iPSK, however, they don't have a complete list of devices &amp; MAC addresses as these are 3rd systems that come on the network as and when.&nbsp;</P><P>&nbsp;</P><P>Ideally if iPSK would allow any MAC address to connect as long as they had the valid PSK, then this would tick the box. I have seen the onboarding iPSK portal with iPSK Manager, which looks really good, but does not fit my customer requirement this time. The customer could look to run reports on the clients connecting to the wireless services via Prime Infrastructure and capture the MAC addresses over time, but this could take time too.</P><P>&nbsp;</P><P>Alternatively, is it possible to allow ISE with iPSK Manager to allow any MAC address to connect as long as it has the valid PSK, and then perhaps iPSK Manager then registers that MAC for future connections.</P><P>&nbsp;</P><P>Unfortunately I am after an onboarding process without the need for the client or the customer to onboard their devices <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>&nbsp;</P><P>Kind regards,</P><P>&nbsp;</P><P>Ian</P> Tue, 27 Apr 2021 19:23:22 GMT https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/4394283#M228796 igaffine 2021-04-27T19:23:22Z https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/4394408#M228803 You can just create a catch all rule for end devices that are in the default endpoint group. This way you allow the devices and also capture the device mac address. <BR /> Tue, 27 Apr 2021 23:43:43 GMT https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/4394408#M228803 Scott Fella 2021-04-27T23:43:43Z https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/4394581#M228816 <P>Hi Scott, Thanks for your reply. Is that default group in iPSK Manager? My example would be migrating three SSIDs for three different 3rd parties, each having different PSKs. We would create one SSID with iPSK, and then tell the 3rd parties to connect to that with their old PSK information. Therefore this catch all could see clients connecting with three different PSKs. Would that work?</P><P>&nbsp;</P><P>Alternatively, we would give them a new PSK and then tell them to use the iPSK onboarding process. But ideally we are looking at a way of doing this without iPSK Manager, as the customer is not comfortable with an unsupported platform.</P><P>&nbsp;</P><P>Am I correct in assuming that wildcard MACs are still not allowed on ISE (as per Haydn's response)?</P><P>&nbsp;</P><P>Any news on whether iPSK Manager is being integrated into ISE?</P><P>&nbsp;</P><P>KR, Ian</P> Wed, 28 Apr 2021 08:04:25 GMT https://community.cisco.com/t5/wireless/ipsk-without-mac-address/m-p/4394581#M228816 igaffine 2021-04-28T08:04:25Z