Implement the service
Overview
Section titled “Overview”Netgraph EasyPSK is delivered as a SaaS service. It integrates with Cisco wireless infrastructure using one of three paths, depending on platform and scale. The two RADIUS-based paths (Cisco Meraki and Cisco Catalyst 9800) are the primary delivery: the SSID points at EasyPSK acting as the RADIUS server, keys resolve at connect time (100,000+ keys, horizontally scalable), and they are delivered as the EasyPSK via RADIUS variant — created and managed as a context variant of EntryPoint. The Cisco Meraki WPN path uses the Dashboard API and remains available as the secondary, Meraki-proprietary delivery.
| Platform | Integration | Status | When to use |
|---|---|---|---|
| Cisco Meraki | RADIUS | Available | The primary delivery: keys resolved at connect time, 100,000+ keys and horizontally scalable; three security flavours and per-group controls |
| Cisco Catalyst 9800 | RADIUS | Available | Per-user PSK resolved by RADIUS; transport secured by RadSec or Service Connector |
| Cisco Meraki (WPN) | Dashboard API | Available | Cloud-to-cloud with no RADIUS path; up to 5,000 iPSKs per Meraki network |
All integrations terminate at the Netgraph Connection Point — host URLs are listed in the NCP Administration portal and depend on the chosen SaaS delivery option (Global Cloud or Nordic Sovereign Cloud).
1. Cisco Meraki — RADIUS integration
Section titled “1. Cisco Meraki — RADIUS integration”Used by Meraki’s Identity PSK with RADIUS security mode. EasyPSK acts as an external RADIUS server: the key a device presents identifies its group, and per-group network attributes (VLANs, Cisco AV-pairs such as the Cisco UDN VSA) are returned in ACCESS-ACCEPT via the context’s Attribute Profiles.
Vendor-specific attribute (where used): udn:private-group-id=<id> (Cisco VSA 1, lowercase). Valid id range is 2–16777200 (UDN ID 1 is reserved). Configured via the context’s Attribute Profiles.
Transport security
- RadSec (RADIUS over TLS) — recommended for cloud-hosted RADIUS. The context exposes per-context authentication, accounting, and RadSec ports.
- Service Connector (IPSec) — carries the RADIUS traffic privately over an IPSec tunnel instead of the public internet.
Required setup on the Meraki side
- SSID security: Identity PSK with RADIUS.
- Client IP assignment: External DHCP server assigned (Bridged) — NAT mode is not supported.
- Configure the context’s RADIUS endpoint(s) as the SSID’s RADIUS server(s), with the context’s RADIUS client secret, and the accounting server for live sessions.
- WPN checkbox enabled on the SSID, so the access points accept the
udn:private-group-idreturned at authentication. This is what micro-segments the groups: without it every device on the SSID can reach every other, whatever key it joined with. - RADIUS Accounting Device Profiling support enabled, so Meraki streams device-profiling data to EasyPSK.
- AP Name added to the Called-Station-ID list (Advanced RADIUS settings), so EasyPSK sees which access point a device joined through.
Connection point
EasyPSK RADIUS Service— RADIUS (UDP) or RadSec (TLS) on the per-context ports shown under the context’s Network Integration, optionally carried over Service Connector.
2. Cisco Catalyst 9800 — RADIUS integration
Section titled “2. Cisco Catalyst 9800 — RADIUS integration”EasyPSK acts as an external RADIUS server for the Catalyst 9800 wireless LAN controller: the key a device presents identifies its group, and the WLC admits the device with the group’s network attributes.
Transport security
- RadSec (RADIUS over TLS) — recommended for cloud-hosted RADIUS. The context exposes per-context authentication, accounting, and RadSec ports.
- Service Connector (IPSec) — an IPSec tunnel for environments that prefer network-layer protection.
Required setup on the Catalyst 9800
- AAA RADIUS server group pointing at Netgraph’s RADIUS endpoint(s), plus the authentication, network-authorization, and accounting method lists.
- WLAN security set to the Easy-PSK AKM with MAC filtering, bound to a policy profile. The WLC returns the per-client key as the
psk=/psk-modeCisco AV-pairs (the Catalyst convention), not theTunnel-Passwordthat Meraki uses. - Allow AAA Override enabled on the policy profile, or the WLC silently ignores the RADIUS-returned key and VLAN. The WLC’s own iPSK tag (peer-blocking) isolates the groups, so no UDN tag is returned on Catalyst.
- Device Classification (Native Profiling) enabled with the policy profile’s accounting list set, so the WLC streams device-profiling data to EasyPSK; set the Called-station-id to an
ap-name-ssidform to carry the AP name.
The Easy PSK feature runs in Local mode (central switching, no FlexConnect) and needs IOS-XE 17.6.1 or later. Refer to Cisco’s EasyPSK Deployment Guide for Catalyst 9800 for the exact CLI/AAA configuration steps.
Connection point
EasyPSK RADIUS Service— RadSec (TLS) on the per-context port, or RADIUS over Service Connector (through the IPSec tunnel).
3. Cisco Meraki WPN — Dashboard API integration
Section titled “3. Cisco Meraki WPN — Dashboard API integration”The Cisco Meraki WPN (Wireless Private Network) feature, using Meraki’s Identity PSK without RADIUS security mode. Netgraph EasyPSK pushes per-unit PSKs to the Meraki Dashboard over the Dashboard API, and the MR access points then serve each unit its own key. No RADIUS and no on-site gateway are involved.
Communication: HTTPS (TLS) between EasyPSK and the Meraki Dashboard API.
Required setup
- Create a Cisco Meraki Dashboard API key with appropriate access rights. Detailed instructions: Cisco Meraki Dashboard API documentation.
- Supported API user access levels:
- Template-based integration: Organizational API access (Read/Write).
- Network-based integration: Network API access (Read/Write).
For guidance on creating API users and assigning access levels, visit Managing Dashboard Administrators and Permissions.
Connection point
EasyPSK API Service— HTTPS outbound from Meraki Dashboard infrastructure.