Catalyst 9800 iPSK without RADIUS

steve.blunt (Level 3)

Does anyone know if it is possible yet to leverage iPSK on Catalyst 9800 without the need for ISE integration? The ask from one of our customers is:

- To be able to leverage a single SSID with up to 10 separate iPSK groups, with the ability to assign each iPSK group to a different VLAN and apply a per-VLAN QoS policy. The end user devices should not leverage an http/https onboarding portal or usage policy splash screen, as some devices will not support web interfaces, i.e., they are IoT appliances. The end users will not have time to provide their devices' MAC addresses in advance, nor be burdened with the need to do so once on site.

So the required access is effectively PSK based in the 2.4 and 5 GHz spectrums, with iPSK groups mapping to a VLAN/QoS policy. A Cisco UDN Plus solution is not practical.

The customer has the latest series 91xx APs, 9800 WLC, Catalyst Centre with Advantage licensing.

Is the above configuration possible, are there any scaling issues or dependencies?


Many thanks

Accepted Solution

You need ISE or RADIUS for iPSK.
MHM

4 Replies

Mark Elsen (Hall of Fame)

  - Check if this can help you : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh18572
    + This being for Meraki but perhaps it can contain useful elements : https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS

   M.


Jason Tyler (Cisco Employee)

The solutions currently supported on the 9800 rely upon the MAC address.
If you have ISE, then a non-Cisco-supported tool such as iPSK Manager can work with ISE to simplify the MAC address overhead.

But, yes, the iPSK feature can work with other RADIUS servers, e.g. FreeRADIUS, if that is your question?
Your challenge remains, though, with the overhead and management of the MAC addresses: you will need to create a list of MACs in the AAA server to authorise these devices. But that does then give you the flexibility to assign the VLAN etc. from the AAA server.

Or were you asking if this can be natively done on the 9800 itself?
MPSK allows up to five separate PSKs to be enabled on a single SSID, with no need for any MAC address and no AAA servers etc., but there is no ability to drop these clients into separate VLANs using this method either.

On the Meraki side, they do have a solution called WPN that does not rely upon MAC addresses, but as you have Catalyst, it is unlikely you can take advantage of this approach.

The 9800 did have a solution called EasyPSK that was only ever introduced as a beta in 17.6 code (info in the config guide for 17.6 only).

EasyPSK is still RADIUS based, and only works when the AP is in Local mode; it is not supported at all if the AP is in FlexConnect mode.

Nice guide for doing iPSK with FreeRADIUS: https://goodwi.fi/posts/2023/09/ipsk-no-ise-freeradius/

More discussion here: https://www.reddit.com/r/Cisco/comments/1bznm8m/wifi_devices_without_wpa23_enterprise_mpsk_ipsk/

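The reply above says the real work in the FreeRADIUS route is maintaining the MAC list and the per-device VLAN/PSK reply. The following is an added example (not from the thread, and not Cisco's or FreeRADIUS's own tooling) of how a practitioner would generate that list as FreeRADIUS `users` stanzas from a device-to-group mapping, so the MAC list is built from one source file instead of being edited by hand. It uses the iPSK Cisco AV pairs `psk-mode=ascii` and `psk=<key>` plus the standard `Tunnel-*` VLAN attributes; the group names, keys, VLAN IDs and MAC addresses are constructed sample data. It assumes the WLC sends the MAC to RADIUS as 12 lowercase hex digits with no delimiters (the delimiter and case are configurable on the 9800, so adjust `normalize_mac` to match), and it uses `Auth-Type := Accept` because the MAC itself is the credential, so a password check adds nothing.

```python
"""Build a FreeRADIUS `users` file for Cisco iPSK from a device-to-group list.

Each authorised device is keyed by its MAC address (with MAC filtering on the
WLAN, the WLC sends the client MAC as the RADIUS User-Name).  The reply for a
matching MAC carries the group's PSK and the VLAN to place the client in.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MAX_GROUPS = 10                    # the ten iPSK groups asked for in the question
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63   # WPA2-Personal passphrase length limits


@dataclass(frozen=True)
class PskGroup:
    name: str   # label used in the device list
    psk: str    # the group's pre-shared key
    vlan: int   # VLAN the 9800 should put the client in (needs AAA override)


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits with no delimiters.

    Assumption: the WLC is set to send the MAC to RADIUS in exactly this
    form.  The delimiter and case are configurable on the 9800, so adjust
    this to match what the controller actually sends in User-Name.
    """
    if not re.fullmatch(r"[0-9a-fA-F:.\-]+", mac):
        raise ValueError(f"unexpected characters in MAC {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"MAC {mac!r} does not contain 12 hex digits")
    return digits.lower()


def validate_groups(groups: Iterable[PskGroup]) -> None:
    """Reject group definitions the WLC or the users file would choke on."""
    groups = list(groups)
    if len(groups) > MAX_GROUPS:
        raise ValueError(f"{len(groups)} groups exceeds the limit of {MAX_GROUPS}")
    for g in groups:
        if not PSK_MIN_LEN <= len(g.psk) <= PSK_MAX_LEN:
            raise ValueError(f"group {g.name}: PSK must be {PSK_MIN_LEN}-{PSK_MAX_LEN} characters")
        if not g.psk.isascii() or '"' in g.psk or "\\" in g.psk:
            raise ValueError(f"group {g.name}: PSK contains characters that break the users file")
        if not 1 <= g.vlan <= 4094:
            raise ValueError(f"group {g.name}: VLAN {g.vlan} is out of range")


def render_entry(mac: str, group: PskGroup) -> str:
    """One users-file stanza: the MAC is the credential, so no password check
    is done (Auth-Type := Accept); reply items carry the VLAN and the PSK."""
    return "\n".join([
        f"{mac}\tAuth-Type := Accept",
        "\tTunnel-Type = VLAN,",
        "\tTunnel-Medium-Type = IEEE-802,",
        f'\tTunnel-Private-Group-ID = "{group.vlan}",',
        '\tCisco-AVPair += "psk-mode=ascii",',
        f'\tCisco-AVPair += "psk={group.psk}"',
    ])


def build_users_file(groups: Dict[str, PskGroup], devices: List[Tuple[str, str]]) -> str:
    """Render all devices; duplicate MACs and unknown groups are errors."""
    validate_groups(groups.values())
    seen = set()
    stanzas = []
    for raw_mac, group_name in devices:
        mac = normalize_mac(raw_mac)
        if mac in seen:
            raise ValueError(f"device {mac} listed twice; a MAC can only map to one group")
        seen.add(mac)
        if group_name not in groups:
            raise ValueError(f"device {mac}: unknown group {group_name!r}")
        stanzas.append(render_entry(mac, groups[group_name]))
    return "\n\n".join(stanzas) + "\n"


# Constructed sample data (not from the original thread).
GROUPS = {
    "sensors": PskGroup("sensors", "sensor-net-8823", 110),
    "cameras": PskGroup("cameras", "camera-net-7715", 120),
}
DEVICES = [
    ("AA:BB:CC:00:11:22", "sensors"),   # colon-delimited, uppercase
    ("aabb.cc00.3344", "cameras"),      # Cisco dotted format
]

if __name__ == "__main__":
    print(build_users_file(GROUPS, DEVICES), end="")
```

Running the script prints the stanzas to paste into the FreeRADIUS `users` file. For the VLAN in the reply to take effect, the 9800 WLAN must have MAC filtering pointed at the RADIUS authorization list and the policy profile must have AAA override enabled; without the override the client lands in the policy profile's default VLAN regardless of what RADIUS returns. Keep the generated file out of version control or encrypt it at rest: every group's PSK is in clear text, and a leaked key plus a spoofed MAC from that group is all an attacker needs to join.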

