Groups & devices
An iPSK context holds the groups, keys, and registered devices for one Identity PSK service. Each group has its own pre-shared key and network policy; devices are registered to a group and inherit that group’s key and segmentation.
Context settings
Section titled “Context settings”A context defines how devices are registered and how the RADIUS service is reached. A context’s name must match the SSID exactly — that is how the platform selects the right context when a request arrives.
- Default group — an optional fallback group with its own pre-shared key. An unregistered device can connect with the default key and is redirected to a captive portal to register by email; once its email is matched to a group, it moves to that group.
- Device registration can use a request-access form, self-registration by email, or an invitation code that places the device into the right group. The request form’s required fields (for example name, organization, device description) are configurable.
- RADIUS access is restricted to permitted source ranges in CIDR notation; with no restriction the service is publicly reachable. The iPSK RADIUS client secret is shared across the organization’s Cisco iPSK contexts and managed in the context settings.
- Change of Authorization (CoA) listeners can be defined — address, port, and secret — so the network can be told to re-evaluate a session.
- Security group tags (SGT) can be enabled for the context with a minimum and maximum value, for downstream segmentation.
Groups, keys, and tags
Section titled “Groups, keys, and tags”Each group carries:
- A pre-shared key (PSK) used by its devices. Updating the key affects every user and registered device in the group, so the portal reports the impact before the change is applied.
- An optional security group tag for segmentation, or none.
- One or more Attribute Profiles that define the network attributes returned on connection — VLAN through tunnel attributes, or Cisco AV-pairs such as a security group tag. Profiles are defined once and reused across groups.
Client isolation
Section titled “Client isolation”Devices in the same group can communicate; devices in different groups are isolated even on the same SSID. Isolation is enforced by a per-group tag the network applies:
- On Cisco Meraki, EntryPoint returns a UDN (User-Defined Network) tag as a Cisco AV-pair —
udn:private-group-id=<id>, with a unique numeric id per group. Without the UDN tag, devices are not isolated even when they use different keys. - On Cisco Catalyst, the WLC applies an iPSK tag for the same effect.
Device management
Section titled “Device management”Registered devices are listed with their MAC address, IP address, the access point they are connected to, last-seen time, and status. Devices can be searched and filtered by MAC, description, or group, added individually, or registered in bulk by CSV — one row per device with the MAC address, the owner’s email, a description, and a device type (mobile, tablet, computer, sensor, smart_tv, speaker, ethernet, and so on), up to 1 MB. Because modern devices often present a randomized MAC, a stable hardware MAC is needed for reliable recognition. Each group also tracks its self-service users and the roles they hold.
Wired devices (MAB)
Section titled “Wired devices (MAB)”An iPSK context can also authenticate wired devices through MAC Authentication Bypass: switch ports are pointed at the same RADIUS service, so wired and wireless devices are treated alike and receive the same policy. Wired MAB uses a single iPSK context.
Related sections
Section titled “Related sections”- iPSK overview.
- Self-service: delegated management for end users.
- Authentication log and configuration audit logging.