iPSK -- Which ISE is this supported on? Seems to be contradictions everywhere on platform version.

craiglebutt
Level 4

I'm trying to set up iPSK in a lab, WLC on 8.5.140 and ISE 2.2 Patch 15, using Policy Sets.

I've got mostly everything working, but when I put the PSK in, the device hits the policy and passes authentication, but then the device says invalid key. Tried on several devices.

Seems like comments on the forums say that iPSK isn't supported on 2.2 and needs at least 2.3 to work, then there is a Cisco doc that says 2.2 https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html which has been followed to the letter, but there seems to be an issue.

Are there issues with 2.2 dropping clients? I have changed timeouts, but it doesn't seem to work. As this is a LAB, it's not under support with TAC.

Cheers

Accepted Solutions

Damien Miller
VIP Alumni
I've had a customer with 8.5.140 and 2.2, they followed the same guide you linked and it worked. Did you see the conclusion and rule these out?

Conclusion
Controller that has MAC Filtering and AAA override enabled with ISE configured will allow IPSK configured devices to connect to WLAN with MAC addresses configured on ISE.
Devices with MAC addresses configured on ISE will not be able to connect to WLAN generic PSK but only with IPSK configured for that device.
Devices with no MAC addresses configured on ISE will be able to connect to WLAN with generic PSK only.
IPSK is not supported on the Flex Connect locally switched mode. AAA server is required with AV-Pair support.
IPSK is not supported on the Flex Connect Group.
IPSK supports FSR and key caching is done for faster roams to avoid RADIUS connect on every roam.
To enable validity of the IPSK at certain scheduled times - the time schedule/validity can be exploited using radius session-timeout attribute in radius response.

Cheers for confirming.

I'll make this live on the live network to rule out the lab.

I've checked every tick box several times, want to make sure it works for the weekend or it will bug me.