
WLC 8540 ver.8.10.183.0 - SSID with both PSK and 802.1x security

spiz
Level 1

Need some advice please. I'm trying to create a new SSID with security that includes PSK (WPA2+3) as well as 802.1x.

It seems Security Type=Personal only allows for PSK, but 802.1x is for Type=Enterprise.

How can I have both PSK & 802.1x on the same SSID? My WLC doesn't seem to allow that.


I have done a lot of migrations in my time and I will be honest. Almost all of the time you create a new SSID so that you can understand what devices are using which SSID. It also cleans up SSID names, which sometimes don't make sense anymore. When you manage devices with either GPO or Intune/MDM, that is really how you can migrate successfully, because you can control the settings, etc.

-Scott

Arne Bier
VIP

PSK (Pre-shared Key) and 802.1X are two completely different wifi authentication methods that do not co-exist - it has nothing to do with the WLC - it's just how wireless works. If you want to combine 802.1X with MAC Address Security (i.e. have the WLC or RADIUS server do MAB in addition to 802.1X) then you can do that - on the AireOS controllers you would simply tick the Mac Filtering checkbox in the 802.1X enabled SSID WLAN config - that would do the 802.1X first (IIRC) and then send another Access-Request to the RADIUS server to authenticate the MAC address.

iPSK is for PSK - not for 802.1X

Thanks @Arne, that sounds neat.

So one SSID with 802.1x and MAC filtering. Looking for a ref for that now. Any idea where?

I can't find a link for Cisco AireOS controllers, but I did this many years ago, and it was simply a case of ticking the checkbox for MAC Filtering in the 802.1X SSID WLAN profile. The part I can't recall is whether the MAC filtering stage happens before the 802.1X auth, or vice-versa. Either way, your RADIUS server will need to handle those MAC auths. If you have a lab, try this out, and then do a tcpdump (e.g. if your RADIUS server is ISE) and check what the Service-Type attribute is for the MAC auth. I don't recall if it's 'Call-Check' (which is MAB) or 'Framed' (in which case this is a PAP auth). Your ISE server needs Authentication to CONTINUE if 'User Not Found' to allow the handling of unknown MAC addresses.

For the Cisco 9800 controllers, you can check this link
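The Service-Type check suggested above for a lab capture, as an added example that is not part of the original post or of any Cisco tooling: it parses the UDP payload of a RADIUS Access-Request and labels it as 802.1X, MAB or PAP-style MAC auth. Attribute numbers are from RFC 2865 and RFC 3579; the function names, labels and sample packets are assumptions constructed for illustration.

```python
import struct

# RADIUS attribute type numbers (RFC 2865, RFC 3579)
USER_PASSWORD, SERVICE_TYPE, EAP_MESSAGE = 2, 6, 79
CALL_CHECK, FRAMED = 10, 2  # Service-Type values

def parse_attrs(pkt: bytes) -> dict:
    """Return {attr_type: [values]} from a RADIUS Access-Request UDP payload."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1:
        raise ValueError("not an Access-Request")
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not match payload")
    attrs, off = {}, 20
    while off < length:
        # Each attribute is type(1) + length(1) + value; length covers all three.
        if off + 2 > length or pkt[off + 1] < 2 or off + pkt[off + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = pkt[off], pkt[off + 1]
        attrs.setdefault(atype, []).append(pkt[off + 2:off + alen])
        off += alen
    return attrs

def classify(pkt: bytes) -> str:
    """Label a request as 802.1X, MAB (Call-Check) or PAP-style MAC auth (Framed)."""
    attrs = parse_attrs(pkt)
    if EAP_MESSAGE in attrs:  # 802.1X requests carry EAP-Message
        return "802.1X"
    raw = attrs.get(SERVICE_TYPE, [b""])[0]
    stype = struct.unpack("!I", raw)[0] if len(raw) == 4 else None
    if stype == CALL_CHECK:
        return "MAB (Call-Check)"
    if stype == FRAMED and USER_PASSWORD in attrs:
        return "PAP (Framed)"
    return "unclassified"

def build(*attrs) -> bytes:
    """Build a constructed Access-Request with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: the User-Name (attribute 1) is a made-up MAC address.
MAB_REQ = build((1, b"aabbccddeeff"), (SERVICE_TYPE, struct.pack("!I", CALL_CHECK)))
PAP_REQ = build((1, b"aabbccddeeff"), (USER_PASSWORD, bytes(16)),
                (SERVICE_TYPE, struct.pack("!I", FRAMED)))
DOT1X_REQ = build((1, b"user"), (SERVICE_TYPE, struct.pack("!I", FRAMED)),
                  (EAP_MESSAGE, b"\x02\x01\x00\x09\x01user"))
```

Feed `classify()` the UDP payload of each Access-Request from the capture; EAP-Message is checked first because 802.1X requests can also carry Service-Type=Framed.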


You likely will not find any Cisco documentation for this use case as enabling Layer 2 MAC Filtering on an 802.1x secured SSID is not a common practice. MAC Filtering is typically only used for use cases involving an Open or PSK SSID with a Captive Portal flow such as Wireless Guest or BYOD.

While it is possible, I'm not sure what the point would be of enabling MAC Filtering on an 802.1x secured SSID. Only endpoints that successfully authenticate via 802.1x would be able to join the SSID in the first place, so what value would the MAC Filtering add in this case?

Furthermore, a Cisco WLC will not allow you to configure both PSK and 802.1x on the same SSID. The SSID is either secured by PSK, or secured by 802.1x. This is the error seen on a Cat9800 WLC when trying to configure both.


Regarding the idea of having two SSID Profiles configured on the WLC with the same SSID name, that is likely only possible on the Cisco WLC to allow flexibility for configuring different settings broadcast in different locations using the same SSID name. It would be a terrible idea to have two SSID profiles with the same SSID name being broadcast in the same location. This would only confuse the endpoint wireless supplicant as it would not know which one to join.

Friend, check WPA3 Enterprise; this L2 security can use PSK with 802.1x.

....sorry for some delay in reply I am busy....
MHM