Showing results for 
Search instead for 
Did you mean: 




I do have to migrate some of our SSID into 1 single SSID. To give you brief background about the setup:

1. We currently have 5 ssid(ex ss1,ss2,ss3,ss4,ss5) different vlans for each. all clients that are connecting to the said ssid cannot support dot1.x and they are currently using PSK for security.

2. We will need to migrate those 5 ssid into 1 single ssid ( ex.newssid), use dynamic vlans and integrate it with cisco ISE.

3. since those devices doesn't support the 802.1x, is it possible to use PSK for the authc and integrate it with ISE with dynamic filtering and MAC Add filtering?


11 Replies 11

Angel Castillo

You can use MAB with Endpoint Groups, for example: the devices that connected to SSID1 input in Endpoint Group 01 and you can configure a policy authorization with this group on the condition and the dynamic VLAN in result



you can use one PSK for newssid (on 8.3+ code only), have it configured on all wireless endpoints and then use ISE authorization profile to override WLC interface (VLAN) based on ISE endpoint info (endpoint group, MAC address, profiling, etc.).

Here is document about WPA-PSK and RADIUS (NAC):

Let me know if you need more info.

Hi Mile,

Thanks for your reply.

As I checked, it will be needed to have a CWA.

For my requirements,

- the PSK  and MAC Filtering should be handled by the WLC - Currently working and I can connect to the SSID.

- ISE will be the one who will authorize and provide the dynamic vlan assignment.

the problem is, whenever I connect to the SSID, I cannot see logs on ISE.

how do you guys configure a Authc policy on ISE for the SSID that has PSK security and handled by the WLC?

Thank you.

Hi, it's very simple:

In your scenario, you will not see anything on the ISE because all authentication is done locally via WLC. Of course ISE will not be aware of that

CWA is using MAC filtering to provide authentication via Web Portal for unknow MACs. You can still use ISE to do mac-filtering, but you create policies to be matched based on known MAC address instead of CWA result.

CWA is used to identify unknown PCs, guest access, etc, but even on wireless, you can "whitelist" all devices that do not have web-browsers, like Printers, Roku and Chrome players, projectors, etc. It's same concept for you.


So, you should use PSK on the WLC, then RADIUS NAC and ISE as RADIUS server for MAC address filtering, configure policies for Wireless MAB do not use CWA in your policies, just create policies that will assign specific Endpoint group (pre-filled with known MACs) to specific VLANs.

As I read on cisco docs and I also want it to confirm, CWA is more likely needs to have a splash page/portal right?

Again, you are not using CWA. CWA is portal for authentication based on username/password and requires splash-page and user intervention.

You can use Wireless MAB to do MAC filtering and VLAN assignment, no need to use CWA at all.

Oh very sorry, missed it.

Since the PSK is on WLC, the policy that I should create is on the authorization?

Here's the steps that I made.

- Since there is a upper policy for Wired and Wireless MAB and will use Internal Endpoints, when I do connect to the SSID, It should hit that policy right?

- I created a Endpoint group with the specific MAC Address Inside.

- I created a Authz policy for that Endpoint group  

When I connect to the SSID, Since it will hit the first Authentication Policy which is MAB, it should reflect on the Authentications right? but so far I cannot see my MAC address on the Authentications.

You need to configure SSID to use RADIUS NAC.

Also, on L2 security it should be MAC filtering

On L3 security, make sure you add your ISE servers.

Make sure ISE servers have WLC as AAA Client

Make sure pre-shared key is the same.

There could be multiple reasons why you don't see your MAC address in ISE logs, but it should't be related with your policy configuration.

If policy is wrong, you still should see MAC address, but it would be denied or wrong authorization profile would be applied, but 99% chance is that MAC address will be in the logs.

If you do not see MAC address in the ISE Logs, it's either there is no good communication between WLC and ISE, or WLC is not sending RADIUS requests to ISE...

For radius nac, It's on the NAC State then select RADIUS NAC right?

Got some problem enabling it since when I enable it, it says

"Radius NAC is available only for WLANs that are configured for 802.1x/wpa/wpa2 layer 2 security or open Auth + MAC Filtering

When I use 802.1x it goes fine. but the requirement is it should be PSK not 802.1x

For the L2 Security, its alrady WPA+WPA2 but still cant use RADIUS NAC as the NAC State


as I mentioned WLC 8.3 or newer train (if exists) is required for this. Previous releases of WLC code do not support RADIUS NAC and PSK.

Hi Mile, we have the same issue with trying to use Radius and PSK with WLC prior version to 8.3. I understand that this is a bug.  My question is, if we decide to use Radius NAC without PSK (Open Auth), does that mean our traffic is unencrypted?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: