05-10-2019 07:35 AM - edited 07-05-2021 10:22 AM
Hello Community,
I've been searching the Internet for products or tools that will dynamically assign a wireless PSK to clients without human or manual intervention. I would also like to be able to use this with our existing Cisco wireless infrastructure with the ability to use ISE for identity authentication/authorization. Is there such a product that is supported by Cisco? The only vendor I can find that has this type of ability is Ruckus. MS InTune also has the ability to push custom wifi profiles but I believe the InTune agent has to be installed so medical devices that don't have much of an interface won't be able to take advantage. I know with WLC 8.5, I can do iPSK but we would still have to configure each device with the PSK manually.
What I'm looking for is something that will generate and push the wifi PSK to a client without having the administrative burden of configuring every single device with the key and then having to reconfigure when the key is rotated.
Thanks,
Terence Lockette
05-10-2019 08:15 AM
Like iPSK?
05-10-2019 08:22 AM
Something like that or that can assign a wifi profile or key to a device without having to manually enter it on the client device. From my understanding, iPSK would still require someone to enter the unique key on the device that will be accepted by the RADIUS server, correct? If so, iPSK would get us 95% there but the other 5% would be to configure the client device automatically upon associating to the SSID without manually entering the key. I understand that we'll still need to manually connect the client to the WLAN but after that, the network would take care of the rest.
Hope that makes sense regarding what I'm looking to do.
05-10-2019 09:47 AM
I really really hope your medical equipment does not allow any remote WiFi network that it has never connected to before to remotely configure its WiFi security settings (PSK in this case). If it does, please for the safety of your patients, turn off and remove that equipment from your network immediately.
05-10-2019 09:51 AM
05-13-2019 06:02 AM
05-14-2019 07:52 PM
iPSK behaviour is identical to PSK, except that the WLC does a quick check with the Radius Server (can be ISE or anything else) whether there is a custom PSK or not. If the MAC address is not found on the Radius Server, then the Radius Server can do one of two things:
- send a Reject to WLC and client won't connect. This is strict mode - in other words, if your MAC address is not on the Radius Server then I don't care what PSK your client has, I will refuse to accept you.
- send an Accept to the WLC and then the client PSK and WLAN PSK have to match. I call this the "compatibility mode" - it's great in deployments where you want to be non-disruptive with the existing clients whose MAC address you may never want to have controlled by the Radius Server. It gives you control over which clients you want to control using iPSK (create groups of devices that have their own PSK).
Failing that - if you want plug and play then perhaps MAB or 802.1X is the other option. But that comes with its own headaches.
There is no free lunch ...
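The strict and compatibility modes described in the reply above, modelled as an added example that is not part of the original thread or any Cisco or ISE code. The SSID, passphrases and MAC table are constructed sample values, the function names are hypothetical, and the model assumes a MAC with its own entry must use that per-device key rather than the WLAN key.

```python
import hashlib
import hmac

WLAN_SSID = "clinic-iot"              # constructed sample SSID
WLAN_PSK = "shared-wlan-passphrase"   # constructed sample WLAN-wide key
# Constructed sample RADIUS table: normalized MAC -> per-device passphrase
IPSK_TABLE = {"aabbccddeeff": "infusion-pump-key-01"}

def normalize_mac(mac):
    """Strip separators and case so aa:bb.., AA-BB.. and aabb.ccdd.. all match."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def radius_decision(mac, strict):
    """Model the RADIUS reply to the WLC's MAC lookup.
    Returns (verdict, custom_psk_or_None)."""
    psk = IPSK_TABLE.get(normalize_mac(mac))
    if psk is not None:
        return ("accept", psk)        # known MAC: Accept carrying its own PSK
    if strict:
        return ("reject", None)       # strict mode: unknown MAC is refused
    return ("accept", None)           # compatibility mode: Accept, no custom PSK

def pmk(passphrase, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def client_admitted(mac, client_passphrase, strict):
    """True if the client gets on the WLAN with the key it has configured."""
    verdict, custom = radius_decision(mac, strict)
    if verdict == "reject":
        return False
    # Assumption of this model: a returned per-device key replaces the WLAN key.
    effective = custom if custom is not None else WLAN_PSK
    # Simplification: the real 4-way handshake proves knowledge of the PMK
    # without sending it; comparing PMKs gives the same outcome.
    return hmac.compare_digest(pmk(client_passphrase, WLAN_SSID),
                               pmk(effective, WLAN_SSID))
```

In both modes the client still has to hold the right passphrase before it associates; the RADIUS lookup only selects which key the WLC checks against.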