Re: WLC 8540 ver.8.10.183.0 - SSID with both PSK and 802.1x security

spiz · ‎02-13-2025

Need some advice please, trying to create new SSID with security to include PSK(WPA2+3) as well as 802.1x.

It seems Security Type=Personal only allows for PSK, but 802.1x is for Type=Enterprise.

How can I have both PSK & 802.1x on same SSID, my WLC seems doesn't allow that ?

Leo Laohoo · ‎02-13-2025

iPSK

spiz · ‎02-14-2025

also trying iPSK, but want 802.1x too

MHM Cisco World · ‎02-13-2025

Why you want both ?

MHM

spiz · ‎02-14-2025

have devices working with PSK, but will transition some to work with 802.1x (not all)

Flavio Miranda · ‎02-14-2025

@spiz

Since you are using AirOS, you can create two profile with the same SSID and add PSK in one SSID and 802.1x in the other.

I dont believe you can do both in one SSID.

spiz · ‎02-14-2025

Thanks, but then you have 2 broadcasted, any cisco ref that discuss this ?

Flavio Miranda · ‎02-14-2025

You may find this in some Cisco docs but it does not matter. If they give you this possibiliy it because in some scenario this can be applied and yours seems to be one.

trondaker · ‎02-14-2025

I dont think Aireos allows two SSIDs with the same name - only wlc9800 does that as long as the profile name is different? You cant have two different auth-methods on one SSID either, so you need two different ones for PSK and 802.1x.

spiz · ‎02-14-2025

I can certainly have two same name SSID with different profile, but then its two broadcasted SSID's.

Any references that discuss this is/isn't possible, I haven't been able to locate any ?

I've read that it is possible, but no cisco ref

trondaker · ‎02-14-2025

You’re right, as long as you use id over 16, you can have the same ssid. When you configure a ssid you can see that you can’t enable both at the same time. I guess it’s related to key exchange and eap-methods in enterprise vs personal.

Scott Fella · ‎02-14-2025

I would like to clarify that it has never been possible to configure both PSK (Pre-Shared Key) and 802.1x on a single WLAN profile. You must choose one or the other, as others have already mentioned. Creating a second WLAN with the same SSID but a different profile name essentially creates a separate SSID. The SSID will simply broadcast its beacon according to the compatibility it supports (for example, PSK or 802.1x). Therefore, regardless of the profile name, the system treats each SSID independently, indicating whether it supports PSK, 802.1x, or another authentication method.

The reason you can't find documentation on seeing two SSID being broadcast, is because what you want, isn't how it works. An SSID can only be configured for one, in your example, 802.1x and another SSID for PSK. When you try to configure the WLAN, you should not see an option to do that, or you get an error message.

-Scott
*** Please rate helpful posts ***

spiz · ‎02-14-2025

Thanks @Scott Fella , sounds logical.

I guess I need the user experience to be transparent, where one has a psk device and another 802.1x, as we are to transition. Some can, others can't use certs. But the organisation needs to remain on an ssid that appears to be the same for all, so when we decide and transition it is seamless, even though they may use one with different profile.

I havnt tried this, but if we have one of each with same ssid name & different profile what will the user experience be, when time comes to push out certs to transition. Assuming device gets a valid cert to prioritise on that.

spiz · ‎02-14-2025

On another point, if you have two ssid with same name and different profile for each security type, can they be enabled at same time?

Scott Fella · ‎02-14-2025

Yes it can be enabled at the same time.

-Scott
*** Please rate helpful posts ***