EasyPSK for Cisco Networks
EasyPSK gives every unit, apartment, room, or desk cluster its own Wi-Fi key and its own isolated network, while everyone connects to the same SSID. It is purpose-built for shared-space and residential venues.
Service at a glance
- Purpose
- A private, per-unit Wi-Fi key on a shared Cisco wireless network
- Variants
- EasyPSK via RADIUS (Meraki and Catalyst 9800, the primary delivery) Available · Meraki WPN (Dashboard API) Available
- Best for
- Co-living, student housing, hospitality, co-working
- Licensed by
- Per AP (Meraki WPN), per Unit (EasyPSK via RADIUS), or from the shared EntryPoint endpoint pool
- Key prerequisite
- A Cisco wireless network: Meraki or Catalyst 9800 pointed at the RADIUS service, or Meraki with Dashboard API access for the WPN variant
- Data location
- Global Cloud, or Nordic Sovereign Cloud (data in Sweden)
1. Purpose and use cases
Section titled “1. Purpose and use cases”EasyPSK delivers a “home-like” Wi-Fi experience in a multi-occupant building: each unit has a unique pre-shared key, devices that share a key see each other, and units are isolated from one another. Typical venues are student accommodation, co-living and build-to-rent, hotels and serviced apartments, and co-working spaces, where the operator wants private per-unit networks without managing hardware or a credential system per unit.
2. Service scope and variants
Section titled “2. Service scope and variants”EasyPSK is an umbrella for two delivery variants. They differ in how the key is delivered to the Cisco wireless network.
| Variant | Cisco platform | Key delivery | Status | Key capacity |
|---|---|---|---|---|
| EasyPSK via RADIUS | Meraki and Catalyst 9800 | RADIUS (RadSec or IPsec via Service Connector) | Available | 100,000+ keys, horizontally scalable |
| Meraki WPN | Meraki only | Dashboard API (Identity PSK without RADIUS) | Available | Up to 5,000 keys per Meraki network |
An EasyPSK service context manages per-unit keys on one Cisco wireless network. The RADIUS variant is the primary delivery: Netgraph acts as the SSID’s external RADIUS service, the key a device presents at connection time identifies its group, network attributes are returned per group, and the service handles 100,000+ keys and scales horizontally. The Meraki WPN variant is the secondary, Meraki-proprietary delivery, bounded at 5,000 keys per Meraki network. The RADIUS variant is configured as a context variant of the EntryPoint service, and offers three security flavours per group: Instant (devices auto-register on first connect), Approved (devices must be pre-registered by MAC), and Dedicated (a unique key per device).
3. Key functions
Section titled “3. Key functions”- A unique pre-shared key per unit, on a single shared SSID.
- Network isolation between units at the wireless layer, so occupants reach only their own devices.
- Three security flavours per group in the RADIUS variant — Instant, Approved, and Dedicated — matching onboarding friction to the audience.
- Per-group controls in the RADIUS variant: a device cap, time-bound validity, a recurring schedule, and a device block list.
- Four-eyes device approval on Approved-flavour groups, where a second administrator acknowledges each device registration before admission.
- Kiosk self-enrollment (Online kiosk): a group is created automatically at a user’s first Self-Service login, including from an on-site kiosk screen.
- Self-service for residents and group administrators to manage their own unit, key, and devices.
- Provisioning of keys and group policies through the Cisco Meraki Dashboard (Meraki WPN variant).
- Audit logging of all administrative changes.
4. Architecture and how it works
Section titled “4. Architecture and how it works”In the available Meraki WPN variant, EasyPSK provisions and maintains one Meraki Identity PSK per unit through the Meraki Dashboard, and relies on Meraki’s per-user network isolation so that units stay separated while sharing one SSID. Authentication is by pre-shared key, with no RADIUS server in the path.
Each key is associated with a Meraki group policy according to the chosen strategy:
| Group policy strategy | Behaviour | Trade-off |
|---|---|---|
| Unique | One Meraki group policy is created per unit | Per-unit network shaping; more Meraki policies |
| Shared | All units reference one shared, pre-selected Meraki group policy | Simpler at scale; uniform treatment |
Isolation between units holds under either strategy.
5. Customer requirements and prerequisites
Section titled “5. Customer requirements and prerequisites”Requirements for the available Meraki WPN variant:
| Item | Requirement |
|---|---|
| Wireless | Cisco Meraki network with supported MR access points, firmware 29.4.1 or newer |
| Dashboard API access | A Meraki API key with organization read/write (template-based integration) or network read/write (network-based integration) |
| SSID state | The target SSID must be enabled and set to Identity PSK without RADIUS |
| Addressing | External DHCP (bridged). Meraki access-point-assigned addressing (NAT mode) is not supported |
| Key length | Pre-shared key of 8 to 63 characters |
Network connectivity is summarized in Network Requirements.
For the RADIUS variant: Meraki firmware 30.6 or newer (Meraki RADIUS), a RadSec or IPsec transport, and, for Catalyst 9800, an IOS-XE release per Cisco’s EasyPSK deployment guidance. Per-group network attributes (for example the Cisco UDN attribute) are returned via the context’s attribute profiles.
6. Integrations and dependencies
Section titled “6. Integrations and dependencies”In the Meraki WPN variant, EasyPSK depends on the customer’s Cisco Meraki organization and its Dashboard, where it provisions and maintains keys and group policies. The RADIUS variant depends only on the wireless platform’s RADIUS configuration. Neither replaces the Cisco network, and no external identity provider is needed for per-unit keys. See Integrations.
7. Roles and responsibilities
Section titled “7. Roles and responsibilities”EasyPSK uses the platform role model. Administrators configure the context in the Administration Portal; residents and group leads carry out day-to-day tasks in the Self-Service Portal without reaching the Administration Portal or the Meraki Dashboard.
| Role | Surface | Capabilities |
|---|---|---|
| Organization / EasyPSK administrator | Administration Portal | Configure the integration and manage units and keys across the context |
| Group administrator | Self-Service Portal | Manage their own unit: rotate the key, manage devices, manage the unit’s self-service users |
| User (default) | Self-Service Portal | View the SSID, reveal the key, scan the QR code, view connected devices |
See Roles and Administration Levels.
8. Licensing and activation
Section titled “8. Licensing and activation”EasyPSK is licensed by variant, on top of the platform delivery license (Global Cloud or Nordic Sovereign Cloud). Meraki WPN is the EasyPSK module plus AP licenses; an access-point license already held for Sign In can be reused for EasyPSK on a separate SSID. EasyPSK via RADIUS is the module plus Unit licenses, where a Unit is a group of up to 30 devices and the per-Unit price drops as the count grows. Because EasyPSK via RADIUS runs as the EntryPoint 2.0 (EasyPSK) context, it can instead be licensed from the shared EntryPoint endpoint pool (alongside 802.1X, iPSK and MAB), with no separate EasyPSK module. Authoritative product codes and terms are on the EasyPSK License page; the model is summarized in Licensing and Service Levels. Licenses are sold through authorized partners.
9. Security, logging, and data protection
Section titled “9. Security, logging, and data protection”Units are isolated from one another at the wireless layer. Every administrative change is recorded in the audit log with timestamp, actor, action, and before and after values, and secrets such as API keys and pre-shared keys are redacted. Data retention is configurable by the customer. Platform-wide protections, including encryption and tenant isolation, are described in Security and Data Protection and Logging, Reporting, and Retention.
10. Limitations and exclusions
Section titled “10. Limitations and exclusions”- EasyPSK integrates with Cisco wireless: Meraki (Dashboard API or RADIUS) and Catalyst 9800 (RADIUS).
- On Meraki, the SSID must use external DHCP (bridged); Meraki NAT mode is not supported.
- In the Meraki WPN variant, key count is bounded by Meraki’s limit for Identity PSK without RADIUS (up to 5,000 keys per Meraki network). The RADIUS variant removes this bound and scales horizontally past 100,000 keys.
11. Related services
Section titled “11. Related services”- EntryPoint provides RADIUS-as-a-Service, including group-level Identity PSK for IoT fleets. EasyPSK is for per-unit residential keys; EntryPoint iPSK is for group-based keys served over RADIUS. Choose EntryPoint when keys are organized by device class or group rather than by unit.
- Endpoint Manager for Cisco ISE delegates administration of endpoints in an existing Cisco ISE deployment. It is not a per-unit Wi-Fi key tool.
12. When to use, and when not to use
Section titled “12. When to use, and when not to use”Use EasyPSK when you operate a shared-space or residential venue on Cisco Meraki and want a private, per-unit Wi-Fi network with self-service, without managing hardware or credentials per unit. Do not use EasyPSK when you need group-based or IoT authentication served over RADIUS (use EntryPoint), or when you need to delegate administration of endpoints in an existing Cisco ISE deployment (use Endpoint Manager).