562 Views | 2 Helpful | 5 Replies

Cisco Identity PSK with two different Passwords

Gehrig_W (Level 1)

Hello Cisco WLAN Experts,

This university hospital recently started to use Identity PSK for IoT devices. I changed the configuration of an already existing WLAN, which used PSK authentication for old medical devices that were not able to use WPA2 in the past, so that it now authenticates using MAC authentication bypass on the ISE. The password and VLAN information is sent by ISE back to the WLC with Cisco AV pairs and RADIUS attributes for the joining WLAN MAC address. So far, so good.

In one of our IoT use cases, external emergency services use a special laptop in their ambulance cars to transfer vital patient data via our IoT PSK WLAN while driving into the underground emergency department, where no connectivity to other mobile services is possible. This allows our doctors to receive vital patient data even before the patient reaches the ambulance room, which helps them organize the life-saving resources needed to rescue patients arriving by ambulance.

The solution works with one password for the ambulance team using this laptop. But it can also happen that a doctor is on board using the same laptop, but with higher credentials. In this case he is not able to join the WLAN, because we would need a second password for him on the same device with the same WLAN MAC address.

So my question to you:

Is it possible within iPSK to allow two different passwords for the same device?

This would mean a second Cisco AV pair included in the ISE answer, right?

[Image: Cisco AV pair for Identity PSK.jpg]

Would this be possible?

Please check, and thank you for your comments.

Kind regards

Wini
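The Access-Accept the post describes (VLAN via the RFC 2868 tunnel attributes, the per-device key via cisco-av-pair), as an added, constructed example that is not code from the post, from ISE or from the WLC: it encodes the attributes an iPSK authorization profile returns for one MAC, then parses them the way a controller with AAA override would consume them. The MAC-less sample values (VLAN 120, the PSK string) are made up; the attribute numbers, the Cisco vendor ID and the psk-mode=ascii / psk= pair names are the documented ones. The parser keeps a single PSK slot per client, which is a modelling choice made here to show why adding a second psk= pair does not give a device two usable passwords: the controller has one key to run the 4-way handshake with.

```python
"""Encode and parse the RADIUS attributes ISE returns for an iPSK client
after MAB. Added illustration, not ISE or WLC code; values are constructed."""
import struct

CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1                 # vendor type of cisco-av-pair inside the VSA
ATTR_VSA = 26                     # RFC 2865 Vendor-Specific
ATTR_TUNNEL_TYPE = 64             # RFC 2868
ATTR_TUNNEL_MEDIUM = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def attr(atype: int, value: bytes) -> bytes:
    """RFC 2865 AVP: type(1) length(1) value; length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_av_pair(text: str) -> bytes:
    """Wrap one cisco-av-pair string in a Vendor-Specific attribute."""
    inner = struct.pack("!BB", CISCO_AV_PAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def tunnel_attr(atype: int, value: bytes, tag: int = 0) -> bytes:
    """RFC 2868 tagged attribute: one tag octet precedes the value."""
    return attr(atype, bytes([tag]) + value)


def ipsk_access_accept_attrs(psk: str, vlan: int) -> bytes:
    """Attribute list of an iPSK authorization profile (VLAN + per-device PSK)."""
    return (
        tunnel_attr(ATTR_TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + tunnel_attr(ATTR_TUNNEL_MEDIUM, struct.pack("!I", TUNNEL_MEDIUM_802)[1:])
        + tunnel_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode())
        + cisco_av_pair("psk-mode=ascii")
        + cisco_av_pair(f"psk={psk}")
    )


def parse_attrs(data: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def wlc_apply(attrs: bytes) -> dict:
    """Model of what a controller with AAA override keeps for the client.
    One PSK slot: a later psk= pair replaces the earlier one (modelling
    assumption made here; either way only one key is used for the handshake)."""
    result = {"vlan": None, "psk": None, "psk_mode": None, "psk_pairs": 0}
    for atype, value in parse_attrs(attrs):
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet <= 0x1F is a tag, otherwise part of the string
            if value and value[0] <= 0x1F:
                value = value[1:]
            result["vlan"] = int(value.decode())
        elif atype == ATTR_VSA and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
                continue
            for vtype, vvalue in parse_attrs(value[4:]):
                if vtype != CISCO_AV_PAIR:
                    continue
                key, _, val = vvalue.decode().partition("=")
                if key == "psk-mode":
                    result["psk_mode"] = val
                elif key == "psk":
                    result["psk"] = val
                    result["psk_pairs"] += 1
    return result


if __name__ == "__main__":
    reply = ipsk_access_accept_attrs("amb-crew-2024-k3y", 120)       # constructed values
    print(wlc_apply(reply))
    print(wlc_apply(reply + cisco_av_pair("psk=doctor-2024-k3y")))   # second pair: still one PSK
```

Running it shows the second psk= pair only changes which single key the controller holds for that MAC; the VLAN and the key both still come from one authorization result per MAC, which is the limitation the question is about.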

5 Replies

marce1000 (Hall of Fame)

- You can't have iPSK with two passwords; would Multi-PSK be a feasible solution?
  Look into https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_multi-preshared_key_or_multi-psk.html
  >...In Multi-PSK, two passwords are configured (deadbeef and beefdead) for the same SSID. In this scenario, clients can connect to the network using either of the passwords.

  Note that Multi-PSK is different from iPSK. In iPSK, the PSK password comes from the ISE authorization policy, so MAB is required. MPSK uses a pool of passwords locally configured in the WLAN, so ISE is not used.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
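The mechanism behind the Multi-PSK behaviour quoted above (either password is accepted on one SSID), as an added illustration that is not code from the thread and not Cisco's implementation: in WPA2-PSK the client never transmits the password, only an EAPOL MIC computed from a key derived from it, so a controller holding a pool of keys can verify message 2 of the 4-way handshake against each candidate and, when one matches, know which password (and therefore which policy, such as a VLAN) the client used. The SSID, MAC addresses, nonces, EAPOL frame and the two passwords are constructed; the key derivation (PBKDF2 for the PMK, PRF-512 for the PTK, HMAC-SHA1-128 for the MIC with key descriptor version 2) follows IEEE 802.11i.

```python
"""Identify which PSK from a pool a WPA2 client used, from EAPOL message 2.
Added illustration, not code from the thread or from the 9800; inputs are constructed."""
import hashlib
import hmac
import os

SSID = "IoT-PSK"          # constructed
MIC_OFFSET = 81           # EAPOL hdr(4)+desc(1)+info(2)+len(2)+replay(8)+nonce(32)+iv(16)+rsc(8)+id(8)
NONCE_OFFSET = 17


def pmk_from_psk(psk: str, ssid: str = SSID) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 over min/max of the MACs and nonces; first 16 bytes are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b"".join(hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key message 2 (RSN descriptor, pairwise, MIC bit set)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def client_msg2(psk: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """What the station sends: message 2 with a MIC under the KCK derived from its PSK."""
    ptk = ptk_from_pmk(pmk_from_psk(psk), aa, spa, anonce, snonce)
    frame = build_msg2(snonce)
    return frame[:MIC_OFFSET] + eapol_mic(ptk[:16], frame) + frame[MIC_OFFSET + 16:]


def identify_psk(pool: dict, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes):
    """Controller side: try each configured PSK against the received MIC.
    pool maps passphrase -> policy name. Returns (psk, policy) or None."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = msg2[:MIC_OFFSET] + b"\x00" * 16 + msg2[MIC_OFFSET + 16:]
    for psk, policy in pool.items():
        ptk = ptk_from_pmk(pmk_from_psk(psk), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], zeroed), mic):
            return psk, policy
    return None


if __name__ == "__main__":
    # Constructed pool: two keys on one SSID, each tied to a policy (the post's two user levels).
    pool = {"amb-crew-2024-k3y": "vlan 120", "doctor-2024-k3y": "vlan 130"}
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = os.urandom(32), os.urandom(32)
    msg2 = client_msg2("doctor-2024-k3y", aa, spa, anonce, snonce)
    print(identify_psk(pool, aa, spa, anonce, msg2))            # ('doctor-2024-k3y', 'vlan 130')
    print(identify_psk(pool, aa, spa, anonce,
                       client_msg2("wrong", aa, spa, anonce, snonce)))   # None
```

Each candidate costs one PBKDF2 run of 4096 rounds, so a real controller would cache the PMK per configured key and SSID rather than recompute it per association. The same loop is what an offline attacker runs against a captured handshake, so every key in the pool needs the same strength you would demand of a single PSK.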

Gehrig_W (Level 1)

Hello Marce1000,

Thank you for the interesting information.

As far as I understand, today I combine PSK for older equipment with iPSK for IoT devices. For both types of equipment I have defined a rule set to send the old PSK for authentication of the old equipment and to send the individual PSK for the newer IoT devices.

Can I combine MPSK and iPSK on the same SSID to allow two passwords on the same device?

Another point is that we use a pair of 5520 WLCs as a fallback in case of a 9800 WLC outage.

Is MPSK also available on the old 5520 WLCs running 8.10.190?

I haven't seen MPSK in the GUI there.

Thank you for checking and for your feedback.

Kind regards

Wini

- @Gehrig_W Ref: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-5/user_guide/b_cisco_dna_center_ug_2_3_5/m_configure-network-settings.html
  >...MPSK is not supported on Cisco AireOS Wireless Controllers

  For outage prevention I would rather recommend HA-SSO for 9800 controllers, or you could for instance deploy 9800-CL controllers as a backup using N+1 high availability. This is better for managing configurations amongst controllers, including preserving AP compatibility with the software version in use.

  M.




Gehrig_W (Level 1)

Hello Marce1000,

Thank you very much for the clarification and your fast response.

So MPSK, as a workaround for iPSK IoT authentication of devices where I need two different passwords for different user levels, is only possible on the new 9800 WLC. I will give it a trial.

Thank you very much.

Have a nice Easter.

Greetings from Franconia

We need rain !!

Wini

- @Gehrig_W >... I will give it a trial.
  OK, always validate the controller's (new) configuration with Wireless Config Analyzer: use the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer, because that will point out fundamental errors, if any (use the full command as written; it does not work with show tech-support).

M.


