topic Re: Catalyst 9800 iPSK without RADIUS in Wireless

Catalyst 9800 iPSK without RADIUS

steve.blunt — Wed, 28 Aug 2024 11:24:45 GMT

Does anyone know if it is possible yet to leverage iPSK on Catalyst 9800 without the need for ISE integration? The ask form one of our customers is:

- To be able to leverage a single SSID with up to 10 separate iPSK groups, with the ability to assign each iPSK group to a different VLAN and apply a per VLAN based QoS policy. The end user devices should not leverage a http/https on boarding portal or usage policy splash screen as some devices will not support web interfaces i.e. they are IoT appliances. The end users will not have time to provide their devices MAC address in advance nor be burdened with the need to do so once on site.

So the required access is effectively PSK based in the 2.4 and 5 Ghz spectrums, iPSK groups map to a VLAN/QoS policy. A Cisco UDN Plus solution is not practical.

The customer has the latest series 91xx APs, 9800 WLC, Catalyst Centre with Advantage licensing.

Is the above configuration possible, are there any scaling issues or dependencies?

Many thanks

Re: Catalyst 9800 iPSK without RADIUS

Mark Elsen — Wed, 28 Aug 2024 12:03:01 GMT

- Check if this can help you : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh18572
+ This being for Meraki but perhaps it can contain useful elements : https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS

Re: Catalyst 9800 iPSK without RADIUS

Jason Tyler — Wed, 28 Aug 2024 12:20:47 GMT

The solutions currently supported in the 9800 rely upon Mac address.
If you have ISE, then a non-cisco supported tool such as ipsk manager can work with ise to simplify the Mac address overhead.

But, yes, the iPSK feature can work with other radius servers, e.g. FreeRadius - if that is your question?
Your challenge remains though, with the overhead and management of the Mac addresses - you will need to create a list of MAC in the AAA server to authorise these devices. But then does give you the flexibility to assign vlan etc from the AAA server.

Or were you asking if this can be natively done on the 9800 itself ?
MPSK allows upto x5 separate PSK to be enabled upon a single ssid - no need for any Mac address, and does not need AAA servers etc, but there is no ability to drop these clients into separate vlans using this method either.

On the meraki side, they do have a solution call WPN that does not rely upon Mac addresses, but as you have catalyst, it is unlikely you can take advantage of this approach.

9800 did have a solution called easy-psk that was only ever introduced as a beta in 17.6 code (info in the config guide for 17.6 only)

Re: Catalyst 9800 iPSK without RADIUS

Rich R — Sun, 01 Sep 2024 18:56:32 GMT

EasyPSK is still radius based, and only works when the AP is in Local Mode - not supported at all if the AP is in Flexconnect Mode.

Nice guide for doing iPSK with FreeRadius: https://goodwi.fi/posts/2023/09/ipsk-no-ise-freeradius/

More discussion here https://www.reddit.com/r/Cisco/comments/1bznm8m/wifi_devices_without_wpa23_enterprise_mpsk_ipsk/

Re: Catalyst 9800 iPSK without RADIUS

MHM Cisco World — Sun, 01 Sep 2024 20:36:16 GMT

you need ISE or radius for iPSK
MHM