Cisco iPSK: Identity Pre-Shared Key over RADIUS
EntryPoint Cisco iPSK serves Identity Pre-Shared Keys over RADIUS. Instead of one network-wide password, each group of devices has its own pre-shared key, and the group’s network policy — including a Cisco security group tag — is returned on connection. It is the variant for IoT and device fleets on Cisco networks; for certificate- or password-based access, see the EAP variants.
At a glance
- Credential
- A per-group pre-shared key, served over RADIUS
- Identity source
- Local groups, with Cisco security group tags
- Isolation
- Per-group, via Cisco UDN tags (Meraki) or iPSK tags (Catalyst)
- Best for
- IoT and device fleets on Cisco networks
- Requirements
- Cisco Catalyst 9800 (IOS-XE 16.12+) or Cisco Meraki MR (firmware 30.6+)
- Self-service
- Delegated management of the group key and devices
- Status
- Available
How it works
Section titled “How it works”A device connects with its group’s pre-shared key. The Cisco controller captures the device’s MAC address and the key and sends a RADIUS request to EntryPoint with the MAC and the SSID. EntryPoint looks the MAC up, returns the group’s pre-shared key and network policy — its Attribute Profile and, where configured, a security group tag — and the controller admits the device when the keys match, then assigns an address by DHCP.
A device whose MAC is not yet known can be handled by a default group: it connects with a fallback key and is redirected to a captive portal to register by email, after which it is moved to its own group and uses that group’s key from then on.
Because keys are issued per group rather than per unit, Cisco iPSK organises devices by class — a group for sensors, a group for handhelds, a group for a tenant — each with its own key and policy. Devices in the same group can communicate; different groups are isolated even on the same SSID (see Groups & devices).
Who it is for
Section titled “Who it is for”Use Cisco iPSK for IoT and headless devices on Cisco networks that cannot run 802.1X but should still be segmented by group rather than sharing one flat network password. It supports Cisco Catalyst 9800 wireless and Cisco Meraki MR access points, and the same MAC-based mechanism can authenticate wired devices through MAC Authentication Bypass (MAB).
What it is not
Section titled “What it is not”Cisco iPSK serves group keys over RADIUS, organised by device class. It is not the same as EasyPSK, which issues a key per unit for residential and shared-space venues. For certificate- or password-based 802.1X, use the EAP variants.
Prerequisites
Section titled “Prerequisites”| Item | Requirement |
|---|---|
| Wireless | Cisco Catalyst 9800 (IOS-XE 16.12 or later) or Cisco Meraki MR (firmware 30.6 or newer) |
| Connectivity | Persistent internet access to the cloud RADIUS service, or private connectivity over Service Connector |
| RADIUS client | A valid Message-Authenticator attribute on every authentication request |
Where to go next
Section titled “Where to go next”- Groups & devices: contexts, groups, keys, isolation tags, and device registration.
- Self-service: delegated device, user, and key management.