With WLC code v8.5, Cisco has introduced a new feature called Identity PSK, also referred to as iPSK. While this technology is not new to the industry (some other Wi-Fi vendors have had different flavors of this available for quite a while), this is the first time we have been able to accomplish this on Cisco hardware. This post is intended to explain the purpose and benefits of iPSK, as well as show you how to configure the WLC and ISE for iPSK functionality.

In many environments, you will encounter clients that do not support 802.1X. Only recently have medical devices such as IV pumps and mobile X-ray carts begun to support 802.1X wireless networks. Even if you are fortunate to have some of the newer devices that support 802.1X, chances are pretty good that some of the devices you are forced to provide connectivity for are upwards of a decade old. Many times, the manufacturers of each of these devices will want their devices to be the only type of device on that subnet. Wouldn't it be nice to be able to consolidate all of these different devices down to a single PSK SSID, and still be able to provide differentiated access to them?

Another example: you manage the wireless network of a school district, and your district purchased low-end netbooks that only support PSK. You are aware of the security problem that exists if someone gets hold of the PSK and shares it with someone else. Identity PSK would allow you to have a unique PSK for every one of the netbooks, and the PSK would be bound to the MAC address of the netbook itself. If an attempt was made to use that PSK on another device, authentication would fail.

An Identity PSK SSID is kind of a hybrid between a PSK SSID and an 802.1X SSID. When a client authenticates to the wireless network, the WLC checks with the RADIUS server to see if the MAC address exists in the authentication policy. If it does, the RADIUS server responds with an ACCESS-ACCEPT that includes the PSK as a Cisco-AVPair (in either ASCII or HEX, depending on how it is configured). The ACCESS-ACCEPT doesn't necessarily mean that the client will be allowed on the network: the client must still complete the WPA2 four-way handshake using the PSK the RADIUS server returned for that MAC. Because it integrates with a RADIUS server, you can centralize the list of your clients/PSKs, instead of having to maintain lists of them on each WLC.
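The flow described above, modelled as an added example that is not code from the original post or from Cisco: the RADIUS policy table, the SSID and the MAC addresses are constructed samples, and the `psk-mode`/`psk` AV pair names follow Cisco's documented iPSK attributes. It shows why an ACCESS-ACCEPT alone is not enough, and why a PSK lifted from one netbook fails on another MAC.

```python
import hashlib

SSID = "iPSK-Demo"  # constructed sample SSID

# Constructed sample of the ISE authorization policy: MAC -> (psk-mode, psk).
# iPSK carries these back in the Access-Accept as cisco-av-pair attributes
# "psk-mode=ascii|hex" and "psk=<value>".
RADIUS_POLICY = {
    "00:11:22:33:44:55": ("ascii", "netbook-0001-secret"),
    "00:11:22:33:44:66": ("hex", "aa" * 32),  # hex mode carries the 32-byte PMK itself
}

def normalize_mac(mac):
    return mac.lower().replace("-", ":")

def radius_mac_auth(mac):
    """Simulate the WLC's MAC-auth request. Returns (accepted, cisco-av-pair list)."""
    entry = RADIUS_POLICY.get(normalize_mac(mac))
    if entry is None:
        return False, []  # Access-Reject: MAC is not in the authentication policy
    mode, psk = entry
    return True, [f"psk-mode={mode}", f"psk={psk}"]

def pmk_from_avpairs(avpairs, ssid):
    """PMK the WLC uses in the 4-way handshake, derived from the returned AV pairs."""
    attrs = dict(p.split("=", 1) for p in avpairs)
    if attrs["psk-mode"] == "ascii":
        # WPA2 passphrase -> PMK: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes
        return hashlib.pbkdf2_hmac("sha1", attrs["psk"].encode(), ssid.encode(), 4096, 32)
    if attrs["psk-mode"] == "hex":
        return bytes.fromhex(attrs["psk"])
    raise ValueError("unknown psk-mode")

def client_pmk(secret, ssid):
    """Supplicant side: a 64-hex-digit secret is a raw PMK, anything else is a passphrase."""
    if len(secret) == 64 and all(c in "0123456789abcdefABCDEF" for c in secret):
        return bytes.fromhex(secret)
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), ssid.encode(), 4096, 32)

def ipsk_association(mac, client_secret, ssid=SSID):
    """Full iPSK flow: MAC auth first, then the per-client PSK check in the handshake."""
    accepted, avpairs = radius_mac_auth(mac)
    if not accepted:
        return "rejected-mac-auth"
    # Access-Accept received, but the WLC's PMK comes from RADIUS, not from the client
    if pmk_from_avpairs(avpairs, ssid) != client_pmk(client_secret, ssid):
        return "rejected-handshake"  # wrong PSK for this MAC: 4-way handshake fails
    return "connected"
```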