09-18-2019 01:57 AM - edited 07-05-2021 11:01 AM
I would like to use IPSK and I understood it works like this:
-I will configure only one common SSID
-user who will connect to IPSK_SSID and use PSK_123 will be connected to VLAN 123
-user who will connect to IPSK_SSID and use PSK_456 will be connected to VLAN 456
-user who will connect to IPSK_SSID and use PSK_789 will be connected to VLAN 789
And this will be great.
What is not clear to me is: before any user will be able to use PSK_XXX do I need to know his MAC address?
Is it really mandatory to know their MAC address before they will be able to connect to the IPSK SSID?
Is there any way to bypass this with a wildcard that accepts any MAC and checks only the PSK to decide whether to admit the clients or not?
My goal is to admit all clients that have the correct PSK because (for many reasons) I'm not able to produce a complete database of all the MAC addresses they have now, and particularly I'm not able to foresee what MACs they will have in the future.
Thank you in advance for your help
09-18-2019 06:07 AM
Hi
Yes, you do. There's no wildcard for MAC addresses, as they can change significantly according to the vendor.
The link below will guide you very well through this configuration, including RADIUS.
https://ripplesinharmony.wordpress.com/2019/03/11/implementing-cisco-ipsk-with-ise/
-If I helped you somehow, please, rate it as useful.-
09-18-2019 10:24 PM
Correct, you need to add their MAC addresses to your RADIUS server before they can connect. No wildcards, unfortunately.
Keep an eye out, as Cisco was talking about releasing something around onboarding IoT devices for this use case, to save having to manually add every MAC address. This was mentioned at MFD4.
04-27-2021 12:23 PM
Hi Community,
Just wanted to get an update on this topic in case changes have occurred in later ISE versions. As with the original poster of this topic, I have a similar situation where a customer would like to rationalise a number of PSK services using iPSK, however, they don't have a complete list of devices & MAC addresses as these are 3rd systems that come on the network as and when.
Ideally if iPSK would allow any MAC address to connect as long as they had the valid PSK, then this would tick the box. I have seen the onboarding iPSK portal with iPSK Manager, which looks really good, but does not fit my customer requirement this time. The customer could look to run reports on the clients connecting to the wireless services via Prime Infrastructure and capture the MAC addresses over time, but this could take time too.
Alternatively, is it possible to allow ISE with iPSK Manager to allow any MAC address to connect as long as it has the valid PSK, and then perhaps iPSK Manager then registers that MAC for future connections?
Unfortunately I am after an onboarding process without the need for the client or the customer to onboard their devices.
Kind regards,
Ian
04-27-2021 04:43 PM
04-28-2021 01:04 AM
Hi Scott, Thanks for your reply. Is that default group in iPSK Manager? My example would be migrating three SSIDs for three different 3rd parties, each having different PSKs. We would create one SSID with iPSK, and then tell the 3rd parties to connect to that with their old PSK information. Therefore this catch all could see clients connecting with three different PSKs. Would that work?
Alternatively, we would give them a new PSK and then tell them to use the iPSK onboarding process. But ideally we are looking at a way of doing this without iPSK Manager, as the customer is not comfortable with an unsupported platform.
Am I correct in assuming that wildcard MACs are still not allowed on ISE (as per Haydn's response)?
Any news on whether iPSK Manager is being integrated into ISE?
KR, Ian