Solved: MPSK how do I know which client uses which preshared-key.

Geert Reijnders · ‎12-14-2022

Hi all,

I configured a WLAN on our Catalyst 9800 controller with MPSK. It works fine and can connect with one of the preshared keys.

However, how do I know which key does the client uses? I don't need to see the entitry preshared key, only the priority.

I need to know this, because we want to build some kind of rotation in the keys, and the old ones, need to be switched to one of the newer.

Goes anyone nows how I can see this?

Thanks!

Kind regards,

Geert Reijnders

Scott Fella · ‎12-14-2022

I don't think you will find that info using mpsk. Maybe it is something you can request from Cisco as a new feature. For any rotation, do you feel like you can't give a team a deadline before you rotate the psk? iPSK with radius you might be able to define policies for specific psk and then review the log to check if devices are still using a specific psk.

-Scott
*** Please rate helpful posts ***

View solution in original post

marce1000 · ‎12-14-2022

- Check if you can find anything useful with : 9800 # show wireless client mac-address a886.adb2.05f9 detail (sorry for font and color change, not my intend) ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Geert Reijnders · ‎12-14-2022

Unfortunatly not. I even did a radioactive trace to see if I could find any information.

Scott Fella · ‎12-14-2022

I don't think you will find that info using mpsk. Maybe it is something you can request from Cisco as a new feature. For any rotation, do you feel like you can't give a team a deadline before you rotate the psk? iPSK with radius you might be able to define policies for specific psk and then review the log to check if devices are still using a specific psk.

-Scott
*** Please rate helpful posts ***

Geert Reijnders · ‎12-14-2022

I think I will go for iPSK with radius. So I can see when all devices are migrated with the new PSK. The problem with the deadline is, that there are many devices (mostly handheld scanners) which are constantly on the move. So I don't think the team can keep track of which devices are migrated.

Scott Fella · ‎12-14-2022

I have always ran into this in the past, where teams just don't do it or they don't take responsibility. I have made them test when the rotation starts and have them sign off/agree on the cut date. Then the blame doesn't come to the network team, but the team responsible for the device. It has worked out better that way, because we all know what we are responsible for. Like in warehouses, they know when they can obtain the scanners to reconfigure them, its all about planning and giving them enough time to make their change. There will be devices that fall of or never got changed, but there is no blaming and teams just fix those one off devices. Good luck!

-Scott
*** Please rate helpful posts ***