
Catalyst 9800 iPSK without RADIUS

steve.blunt
Level 1

Does anyone know if it is possible yet to leverage iPSK on Catalyst 9800 without the need for ISE integration? The ask from one of our customers is:

- To be able to leverage a single SSID with up to 10 separate iPSK groups, with the ability to assign each iPSK group to a different VLAN and apply a per-VLAN QoS policy. The end user devices should not leverage an HTTP/HTTPS onboarding portal or usage policy splash screen, as some devices will not support web interfaces, i.e. they are IoT appliances. The end users will not have time to provide their devices' MAC addresses in advance, nor be burdened with the need to do so once on site.

So the required access is effectively PSK based in the 2.4 and 5 GHz spectrums, iPSK groups map to a VLAN/QoS policy. A Cisco UDN Plus solution is not practical.

The customer has the latest series 91xx APs, 9800 WLC, Catalyst Centre with Advantage licensing.

Is the above configuration possible, are there any scaling issues or dependencies?


Many thanks

1 Accepted Solution

You need ISE or RADIUS for iPSK.
MHM


4 Replies

marce1000
VIP

 

  - Check if this can help you : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh18572
    + This being for Meraki but perhaps it can contain useful elements : https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS

   M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Jason Tyler
Cisco Employee

The solutions currently supported in the 9800 rely upon MAC address.
If you have ISE, then a non-Cisco-supported tool such as iPSK Manager can work with ISE to simplify the MAC address overhead.

But, yes, the iPSK feature can work with other RADIUS servers, e.g. FreeRADIUS - if that is your question?
Your challenge remains though, with the overhead and management of the MAC addresses - you will need to create a list of MACs in the AAA server to authorise these devices. But that then does give you the flexibility to assign VLAN etc. from the AAA server.

Or were you asking if this can be natively done on the 9800 itself?
MPSK allows up to x5 separate PSKs to be enabled upon a single SSID - no need for any MAC address, and does not need AAA servers etc., but there is no ability to drop these clients into separate VLANs using this method either.

On the Meraki side, they do have a solution called WPN that does not rely upon MAC addresses, but as you have Catalyst, it is unlikely you can take advantage of this approach.

The 9800 did have a solution called easy-psk that was only ever introduced as a beta in 17.6 code (info in the config guide for 17.6 only).

 

EasyPSK is still RADIUS-based, and only works when the AP is in Local mode - not supported at all if the AP is in FlexConnect mode.

Nice guide for doing iPSK with FreeRadius: https://goodwi.fi/posts/2023/09/ipsk-no-ise-freeradius/

More discussion here https://www.reddit.com/r/Cisco/comments/1bznm8m/wifi_devices_without_wpa23_enterprise_mpsk_ipsk/
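
The replies above describe iPSK against a generic RADIUS server with one entry per client MAC that returns the PSK and VLAN. The following is an added example, not from the thread or the linked guide, that builds such FreeRADIUS `users` entries from a device inventory and rejects bad MACs, duplicate MACs and unusable PSKs. It assumes the WLC sends the MAC as 12 lowercase hex digits for both user name and password; the group names, PSKs, VLAN IDs and MACs are constructed.

```python
import re

# Constructed sample data (not from the thread): group -> (PSK, VLAN ID).
GROUPS = {"iot-sensors": ("example-psk-sensors", 110),
          "av-displays": ("example-psk-displays", 120)}
# Constructed inventory: MAC as recorded (mixed formats) -> group.
DEVICES = {"AA:BB:CC:00:11:22": "iot-sensors",
           "aabb.cc00.3344": "av-displays"}

def normalize_mac(mac):
    """Return 12 lowercase hex digits (assumed WLC user-name format)."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def check_psk(psk):
    """WPA2 ASCII passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(psk) <= 63 or not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("PSK must be 8-63 printable ASCII characters")
    if '"' in psk or "\\" in psk:
        raise ValueError("PSK would need escaping in the users file")
    return psk

def users_entry(mac, psk, vlan):
    """One users-file entry: MAC auth check item plus iPSK/VLAN reply items."""
    user = normalize_mac(mac)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN out of range: {vlan}")
    return "\n".join([
        f'{user} Cleartext-Password := "{user}"',
        '    Cisco-AVPair += "psk-mode=ascii",',
        f'    Cisco-AVPair += "psk={check_psk(psk)}",',
        '    Tunnel-Type = VLAN,',
        '    Tunnel-Medium-Type = IEEE-802,',
        f'    Tunnel-Private-Group-Id = "{vlan}"',
    ])

def build_users_file(devices, groups):
    """Render all entries; the same MAC in two formats is an error."""
    seen, entries = set(), []
    for mac, group in devices.items():
        user = normalize_mac(mac)
        if user in seen:
            raise ValueError(f"duplicate MAC: {mac!r}")
        seen.add(user)
        entries.append(users_entry(mac, *groups[group]))
    return "\n\n".join(entries) + "\n"

if __name__ == "__main__":
    print(build_users_file(DEVICES, GROUPS))
```

The generated file holds every PSK in clear text, so it needs the same file permissions and handling as the RADIUS shared secret.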

