Skip to content
Deployment

Requirements and dependencies

EasyPSK supports three integration paths. The two RADIUS-based paths (Cisco Meraki with RADIUS, and Cisco Catalyst 9800), delivered by the EasyPSK via RADIUS variant, are the primary delivery. The Cisco Meraki API integration (Identity PSK without RADIUS) is the secondary, Meraki-proprietary path. Requirements differ between them.

EasyPSK acts as an external RADIUS server. No upper limit on iPSK count, RADIUS-driven.

  • MR 30.6 or newer is required. MR 30.1 introduces WPN over RADIUS but Cisco recommends 30.6 for important bug fixes.
  • Outbound RADIUS or RADsec reachability from Meraki Dashboard infrastructure to the context’s RADIUS endpoint(s). Hostname and per-context authentication, accounting, and RadSec ports are shown under the context’s Network Integration; alternatively the path runs privately over Service Connector.
  1. SSID security: Identity PSK with RADIUS.
  2. Configure Netgraph’s RADIUS endpoint(s) on the SSID.
  3. Client IP and VLAN: External DHCP server assigned (Bridged) — NAT mode is unsupported.
  4. Where the design uses Cisco UDN, the VSA udn:private-group-id=<id> (lowercase, valid range 216777200) is returned via the context’s Attribute Profiles.

Cisco Catalyst 9800 — RADIUS integration

Section titled “Cisco Catalyst 9800 — RADIUS integration”

EasyPSK acts as an external RADIUS server for the WLC.

EasyPSK supports the Catalyst 9800 wireless controller family. The Catalyst “Easy PSK” feature runs in Local mode (central switching, no FlexConnect) and requires IOS-XE 17.6.1 or later. Consult Cisco’s EasyPSK Deployment Guide for Catalyst 9800 for the IOS XE releases that match your specific AP and controller combination.

EasyPSK is reachable as a cloud-hosted RADIUS service. Choose one of:

  • RADsec (RADIUS over TLS) on the context’s RadSec port — recommended for cloud-hosted RADIUS.
  • IPSec via Service Connector, with the RADIUS path carried inside the tunnel.
  1. Configure an AAA RADIUS server group pointing at Netgraph’s RADIUS endpoint(s), with the authentication, network-authorization, and accounting method lists.
  2. Set the WLAN security to the Easy-PSK AKM with MAC filtering, and bind it to a policy profile. The key is returned as the psk= / psk-mode Cisco AV-pairs, not Tunnel-Password.
  3. Enable Allow AAA Override on the policy profile, or the controller ignores the RADIUS-returned key and VLAN.
  4. Follow Cisco’s deployment guide for the exact CLI and policy-profile steps.

By meeting these requirements, the integration with Cisco’s per-user PSK capability will be optimized for performance, reliability, and security.


Cisco Meraki — Identity PSK without RADIUS (API integration)

Section titled “Cisco Meraki — Identity PSK without RADIUS (API integration)”

Driven by the Meraki Dashboard API; up to 5,000 iPSKs per Meraki network.

MR Family

Supported Models

Minimum Firmware Version

Wi-Fi 6E

MR57, CW9166/64/62I-MR, CW9166D1-MR, CW9163E-MR

MR 29.4.1 or newer

Wi-Fi 6

MR45, MR55, MR28, MR36, MR36H, MR44, MR46, MR46E, MR56, MR76, MR86, MR78

MR 29.4.1 or newer

Wi-Fi 5 Wave 2

MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74, MR84

MR 29.4.1 or newer

  • Generate a Cisco Meraki Dashboard API key. See Cisco Meraki Dashboard API documentation.
  • Access level:
    • Template-based integration: Organizational API access (Read/Write).
    • Network-based integration: Network API access (Read/Write).
  1. Configure the target SSID in the Cisco Meraki Dashboard.
  2. Enable Identity PSK without RADIUS.
  3. Set Client IP and VLAN to External DHCP server assigned (Bridged).

Next