If you are using Cisco Identity Services Engine (ISE) as your AAA server, it supports RADIUS and TACACS protocols including vendor-specific attributes (VSAs).

Go crazy with VSAs from For download: RADIUS Vendor Dictionaries for 3rd Parties and import them in ISE under
𑁔 > Policy > Policy Elements > Dictionaries > System > Radius > Radius Vendor

Hey Thomas,

Thanks for providing that info on VSA's! Unfortunately the issue isn't that ISE doesn't support the necessary VSA's, but rather that ISE doesn't have the logic and backend database that is maintaining the active PSK -> VLAN bindings. I understand that we can do an AuthZ profile to AAA override a VLAN based on PSK, but this requires that an endpoint MAC is identified, which would just be iPSK instead of E-PSK. With Easy PSK we eliminate the requirement for devices' MAC addresses to be input in order to get the correct PSK match, rather if a client authenticates with a specific PSK it is automatically provided with the correct AAA override. This process allows headless device onboarding, and never requires a client device to leverage a portal or have its MAC manually placed in the endpoint database. 

Thanks!

So what do we match on in ISE to then return a vlan?  Are we somehow matching on the PSK each client provides and based on that returning a VLAN?  If so what radius attribute do we match on?  I've done a test to see what radius attributes are sent in the auth request and I don't see anything like a PSK I can use.  The radius request does include an av pair value of SSID name: followed by a lengthy hex number.  Is that the attribute to match on ?

@JoshPlemons Any updates on if ISE will support this or what I need to call it if I speak to the two supported AAA vendors- Nomadix and Eleven Software?
Like Kevin has asked what radius attribute is the radius server matching on to identify the PSK?

Also @KevinR99 

Thanks for the patience on my reply, I missed the original request and just saw today's activity. As for the first question surrounding what we match on, I am not sure of the exact details and I don't know how much I can share due to NDA - however I think I can say that we are at a bare minimum matching against PSK (obviously). I do not think ISE support for this feature is currently in the pipeline, but that would be a question for our Wireless Development Team (WNBU). If you would like more details I highly recommend reaching out to your Cisco sales engineering resource for your account, and have them put in a request (the more the merrier, as I would love to see ISE supported). Also, I highly recommend checking out the Meraki WPN solution. It's an awesome evolution of the same idea as EPSK (seamless onboarding of headless wireless devices - aka devices that cant do a captive portal can jump on the network with the user's PSK and get passed the right VLAN); the primary difference being that WPN actually doesn't rely on AAA at all! It's fully native and can incorporate portals and other ecosystem integrations as needed, but doesn't require a third party service like EPSK.

As for how this is different from ISE and why it doesn't work: the primary difference is that in Eleven's EKMS solution, they are maintaining a database of allowed PSK's to match against, and each of those PSK's has certain AAA overrides associated (such as VLAN). This doesn't focus on the MAC as much as something as iPSK, and the issue with ISE is that we do not maintain a list of PSK's anywhere. On ISE we do MAB against the supplicant and match their MAC address in the Authorization Policy to the appropriate PSK in an Authorization Profile, while Eleven checks against a full database for allowed PSKs - for EPSK we do not rely on the client MAC address to check against for initial auth, as the idea for seamless onboarding is that if a user onboards with a PSK that is allowed, they are authenticated and that device is given the proper VLAN based on the PSK they used.

Let me know if you have any other questions!

Also - some of the new AV-pairs, including VSA's, are as follows:

• cisco-anonce
• cisco-8021x-data
• cisco-bssid
• cisco-site-name

Please take a look at those for more information. 

Bingo! Thanks for adding that context here.