cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

117
Views
5
Helpful
2
Replies
Enthusiast

iPSK -- Which ISE is this supported on? Seems to be contradictions everywhere on platform version.

I'm trying to set up the iPSK in a lab, WLC on 8.5.140 and ISe 2.2 Patch 15, using Policy Sets

 

I've got mostly everything working, but when I put the PSK in, the device hits the policy and passes authentication, but then the device says invalid key, tried on several devices.

 

Seems like comments on the forums say that iPSK isn't support on 2.2 need at least 2.3 to work, then there is an Cisco Doc that says 2.2 https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html  which has been followed to the letter, but seems to be an issue.

 

Is there issues with 2.2 dropping clients, have changed timeouts, but doesn't seem to work.  As this is a LAB, not under support with TAC.

 

cheers

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: iPSK -- Which ISE is this supported on? Seems to be contradictions everywhere on platform version.

I've had a customer with 8.5.140 and 2.2, they following the same guide you linked and it worked. Did you see the conclusion and rule these out?

Conclusion
Controller that has Mac Filtering and AAA overide enabled with ISE configured, will allow IPSK configured devices connect to WLAN with MAC addresses configured on ISE.
Devices with MAC addresses configured on ISE will not be able to connect to WLAN generic PSK but only with IPSK configured for that device.
Devices with no-MAC addreses configured on ISE will be able to connect to WLAN with generic PSK only.
IPSK is not supported on the Flex Connect locally switched mode. AAA server is required with AV-Pair support.
IPSK is not supported on the Flex Connect Group.
IPSK supports FSR and key caching is done fo faster roams to avoid RADIUS connect on every roam.
To enable validitsy of the IPSK at certain scheduled times - the time schedule/validity can be exploited using radius session-timeout attribute in radius response.

2 REPLIES 2
VIP Advocate

Re: iPSK -- Which ISE is this supported on? Seems to be contradictions everywhere on platform version.

I've had a customer with 8.5.140 and 2.2, they following the same guide you linked and it worked. Did you see the conclusion and rule these out?

Conclusion
Controller that has Mac Filtering and AAA overide enabled with ISE configured, will allow IPSK configured devices connect to WLAN with MAC addresses configured on ISE.
Devices with MAC addresses configured on ISE will not be able to connect to WLAN generic PSK but only with IPSK configured for that device.
Devices with no-MAC addreses configured on ISE will be able to connect to WLAN with generic PSK only.
IPSK is not supported on the Flex Connect locally switched mode. AAA server is required with AV-Pair support.
IPSK is not supported on the Flex Connect Group.
IPSK supports FSR and key caching is done fo faster roams to avoid RADIUS connect on every roam.
To enable validitsy of the IPSK at certain scheduled times - the time schedule/validity can be exploited using radius session-timeout attribute in radius response.

Enthusiast

Re: iPSK -- Which ISE is this supported on? Seems to be contradictions everywhere on platform version.

cheers for confirming.

 

I'll make this live on the live network to rule out the lab.

I've checked every tick box several times, want to make sure it works for weekend or it will bug me.