08-28-2024 04:24 AM
Does anyone know if it is possible yet to leverage iPSK on Catalyst 9800 without the need for ISE integration? The ask from one of our customers is:
- To be able to leverage a single SSID with up to 10 separate iPSK groups, with the ability to assign each iPSK group to a different VLAN and apply a per-VLAN QoS policy. The end-user devices should not leverage an HTTP/HTTPS onboarding portal or usage-policy splash screen, as some devices will not support web interfaces, i.e. they are IoT appliances. The end users will not have time to provide their devices' MAC addresses in advance, nor be burdened with the need to do so once on site.
So the required access is effectively PSK based in the 2.4 and 5 GHz spectrums, with iPSK groups mapping to a VLAN/QoS policy. A Cisco UDN Plus solution is not practical.
The customer has the latest series 91xx APs, 9800 WLC, Catalyst Centre with Advantage licensing.
Is the above configuration possible, are there any scaling issues or dependencies?
Many thanks
09-01-2024 01:36 PM
You need ISE or RADIUS for iPSK.
MHM
08-28-2024 05:00 AM - edited 08-28-2024 05:03 AM
- Check if this can help you : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh18572
+ This being for Meraki but perhaps it can contain useful elements : https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS
M.
08-28-2024 05:20 AM
The solutions currently supported in the 9800 rely upon MAC address.
If you have ISE, then a non-Cisco-supported tool such as iPSK Manager can work with ISE to simplify the MAC address overhead.
But, yes, the iPSK feature can work with other RADIUS servers, e.g. FreeRADIUS - if that is your question?
Your challenge remains though, with the overhead and management of the MAC addresses - you will need to create a list of MACs in the AAA server to authorise these devices. But then it does give you the flexibility to assign VLAN etc. from the AAA server.
Or were you asking if this can be natively done on the 9800 itself?
MPSK allows up to five separate PSKs to be enabled upon a single SSID - no need for any MAC address, and it does not need AAA servers etc., but there is no ability to drop these clients into separate VLANs using this method either.
On the Meraki side, they do have a solution called WPN that does not rely upon MAC addresses, but as you have Catalyst, it is unlikely you can take advantage of this approach.
9800 did have a solution called Easy-PSK that was only ever introduced as a beta in 17.6 code (info in the config guide for 17.6 only).
09-01-2024 11:56 AM - edited 09-01-2024 11:56 AM
EasyPSK is still RADIUS based, and only works when the AP is in Local Mode - not supported at all if the AP is in FlexConnect Mode.
Nice guide for doing iPSK with FreeRadius: https://goodwi.fi/posts/2023/09/ipsk-no-ise-freeradius/
More discussion here https://www.reddit.com/r/Cisco/comments/1bznm8m/wifi_devices_without_wpa23_enterprise_mpsk_ipsk/
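The two replies above make the same point: iPSK on the 9800 is MAC-filtered RADIUS authorisation, and the cost is maintaining the MAC list. The following is an added example, not code from this thread, the linked guide, or Cisco: a small Python script that turns a device inventory (MAC, iPSK group) into FreeRADIUS `users` entries, so each group returns its own PSK and VLAN. The `Cisco-AVPair` values `psk-mode=ascii` and `psk=<key>` follow Cisco's iPSK deployment guide; the `Auth-Type := Accept` check item and the no-delimiter lowercase MAC format are assumptions that must match how the WLC is actually configured to send `User-Name`. The group names, PSKs, VLANs and MACs are constructed sample data.

```python
# Added example (not from the thread): generate FreeRADIUS `users` entries for a
# Cisco 9800 iPSK WLAN, where each device MAC maps to one of several PSK groups
# and each group returns its own VLAN. The Cisco-AVPair names follow Cisco's iPSK
# deployment guide; the MAC format and Auth-Type handling are assumptions (see below).
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IpskGroup:
    """One iPSK group: the passphrase its devices use and the VLAN they land in."""
    name: str
    psk: str
    vlan: int


_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Collapse aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff to 12 lowercase hex digits.

    Assumption: the WLC is configured to send the MAC in lowercase with no delimiter;
    the users-file key must match whatever User-Name the 9800 actually sends.
    """
    cleaned = re.sub(r"[.:\-\s]", "", mac.strip().lower())
    if not _MAC_RE.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


def validate_psk(psk: str) -> None:
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters; reject anything else."""
    if not 8 <= len(psk) <= 63 or any(not 32 <= ord(c) < 127 for c in psk):
        raise ValueError("PSK must be 8-63 printable ASCII characters")
    if '"' in psk:
        raise ValueError("a double quote in the PSK would break the users-file syntax")


def users_entry(mac: str, group: IpskGroup) -> str:
    """Render one users-file entry: check item on line 1, reply items indented below."""
    validate_psk(group.psk)
    m = normalize_mac(mac)
    reply_items = [
        "Tunnel-Type = VLAN",
        "Tunnel-Medium-Type = IEEE-802",
        f'Tunnel-Private-Group-Id = "{group.vlan}"',
        'Cisco-AVPair += "psk-mode=ascii"',
        f'Cisco-AVPair += "psk={group.psk}"',
    ]
    # Assumption: the MAC is accepted without a password check (Auth-Type := Accept).
    # If the WLC sends the MAC as the password, use Cleartext-Password := "<mac>" instead.
    lines = [f"{m}\tAuth-Type := Accept"]
    lines += [f"\t{item}," for item in reply_items[:-1]]
    lines.append(f"\t{reply_items[-1]}")  # last reply item carries no trailing comma
    return "\n".join(lines)


def build_users_file(inventory, groups):
    """inventory: iterable of (mac, group_name); groups: dict name -> IpskGroup.

    Duplicate MACs are rejected: FreeRADIUS would silently match the first entry,
    which is exactly how a device ends up with the wrong PSK or VLAN.
    """
    seen = {}
    entries = []
    for mac, group_name in inventory:
        m = normalize_mac(mac)
        if m in seen:
            raise ValueError(f"{m} listed twice (groups {seen[m]} and {group_name})")
        if group_name not in groups:
            raise ValueError(f"unknown iPSK group {group_name!r} for {m}")
        seen[m] = group_name
        entries.append(users_entry(m, groups[group_name]))
    return "\n\n".join(entries) + "\n"


# Constructed sample data: two iPSK groups, three IoT devices in mixed MAC notations.
GROUPS = {
    "sensors": IpskGroup("sensors", "SensorsOnly-2024", 110),
    "printers": IpskGroup("printers", "PrintFleet-2024", 120),
}
INVENTORY = [
    ("AA:BB:CC:00:00:01", "sensors"),
    ("aabb.cc00.0002", "sensors"),
    ("aa-bb-cc-00-00-03", "printers"),
]

if __name__ == "__main__":
    print(build_users_file(INVENTORY, GROUPS))
```

On the WLC side the returned VLAN is only honoured if the WLAN does MAC filtering against the RADIUS authorization list and the policy profile allows AAA override, which is the "assign VLAN etc. from the AAA server" flexibility mentioned above; the script does nothing for devices that are not in the inventory, which is the onboarding overhead the thread describes.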