Re: Cisco WLC 5520 AireOS - iPSK Internal

Agung1007 · ‎12-04-2023

Hi team,

Just want to ask,

can we implement Wireless WLAN iPSK without ISE ?

*like in the Meraki?

I already search the documentation but seems like it need ISE to "seperate" the PSK and need to register the MAC Address of the client

*i think it's not possible when the environment is a lot of client (>1000 client) if we need to register the MAC Address client first for iPSK

Thanks,
Best Regards.

MHM Cisco World · ‎12-04-2023

I dont think wlc 5500 series support iPSK' it support in 9800 series. (I will check this point).

Second no way use iPSK without ISE.

MHM

Agung1007 · ‎12-04-2023

From the documentation,

on AireOS >8.5
it supported for iPSK

but i still havent found if the iPSK able to do without ISE
and need to register the MAC

MHM Cisco World · ‎12-04-2023

Cisco mention radius server not mention ISE exactly.

If you have radius server try config it.

You can use client profile (one password to each user) or you can use AP location (one password for each location).

I think second option more easy to config.

MHM

alisha_rascon01 · ‎12-04-2023

Cisco Wireless LAN Controllers (WLCs) with AireOS software did not natively support iPSK (Identity Pre-Shared Key) without the use of Cisco Identity Services Engine (ISE). However, software features and capabilities may have evolved since then, so it's advisable to check the latest documentation or release notes for your specific WLC version.

JPavonM · ‎12-04-2023

Yes this is posible to use iPSK on MS NPS and Forescout, to mention some.

The problem with using MS NPS is that you need to setup a new account at the DC for every MAC address you want to register to use the iPSK, so that would be a pain to make it work, specially for your IT Admins.

Rich R · ‎12-06-2023

As the others have said it is only supported using Radius. Cisco would like you to use ISE but any suitably configured radius will work. If you have software developers who understand radius and know how to configure Free Radius then you could even write your own solution to work the way you want but otherwise you're stuck with the existing options already mentioned.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390