Skip to content
Cisco iPSK

Groups & devices

An iPSK context holds the groups, keys, and registered devices for one Identity PSK service. Each group has its own pre-shared key and network policy; devices are registered to a group and inherit that group’s key and segmentation.

A context defines how devices are registered and how the RADIUS service is reached. A context’s name must match the SSID exactly — that is how the platform selects the right context when a request arrives.

  • Default group — an optional fallback group with its own pre-shared key. An unregistered device can connect with the default key and is redirected to a captive portal to register by email; once its email is matched to a group, it moves to that group.
  • Device registration can use a request-access form, self-registration by email, or an invitation code that places the device into the right group. The request form’s required fields (for example name, organization, device description) are configurable.
  • RADIUS access is restricted to permitted source ranges in CIDR notation; with no restriction the service is publicly reachable. The iPSK RADIUS client secret is shared across the organization’s Cisco iPSK contexts and managed in the context settings.
  • Change of Authorization (CoA) listeners can be defined — address, port, and secret — so the network can be told to re-evaluate a session.
  • Security group tags (SGT) can be enabled for the context with a minimum and maximum value, for downstream segmentation.

Each group carries:

  • A pre-shared key (PSK) used by its devices. Updating the key affects every user and registered device in the group, so the portal reports the impact before the change is applied.
  • An optional security group tag for segmentation, or none.
  • One or more Attribute Profiles that define the network attributes returned on connection — VLAN through tunnel attributes, or Cisco AV-pairs such as a security group tag. Profiles are defined once and reused across groups.

Devices in the same group can communicate; devices in different groups are isolated even on the same SSID. Isolation is enforced by a per-group tag the network applies:

  • On Cisco Meraki, EntryPoint returns a UDN (User-Defined Network) tag as a Cisco AV-pair — udn:private-group-id=<id>, with a unique numeric id per group. Without the UDN tag, devices are not isolated even when they use different keys.
  • On Cisco Catalyst, the WLC applies an iPSK tag for the same effect.

Registered devices are listed with their MAC address, IP address, the access point they are connected to, last-seen time, and status. Devices can be searched and filtered by MAC, description, or group, added individually, or registered in bulk by CSV — one row per device with the MAC address, the owner’s email, a description, and a device type (mobile, tablet, computer, sensor, smart_tv, speaker, ethernet, and so on), up to 1 MB. Because modern devices often present a randomized MAC, a stable hardware MAC is needed for reliable recognition. Each group also tracks its self-service users and the roles they hold.

An iPSK context can also authenticate wired devices through MAC Authentication Bypass: switch ports are pointed at the same RADIUS service, so wired and wireless devices are treated alike and receive the same policy. Wired MAB uses a single iPSK context.

Next