Skip to content
Cisco iPSK

Cisco iPSK: Identity Pre-Shared Key over RADIUS

EntryPoint Cisco iPSK serves Identity Pre-Shared Keys over RADIUS. Instead of one network-wide password, each group of devices has its own pre-shared key, and the group’s network policy — including a Cisco security group tag — is returned on connection. It is the variant for IoT and device fleets on Cisco networks; for certificate- or password-based access, see the EAP variants.

At a glance

Credential
A per-group pre-shared key, served over RADIUS
Identity source
Local groups, with Cisco security group tags
Isolation
Per-group, via Cisco UDN tags (Meraki) or iPSK tags (Catalyst)
Best for
IoT and device fleets on Cisco networks
Requirements
Cisco Catalyst 9800 (IOS-XE 16.12+) or Cisco Meraki MR (firmware 30.6+)
Self-service
Delegated management of the group key and devices
Status
Available

A device connects with its group’s pre-shared key. The Cisco controller captures the device’s MAC address and the key and sends a RADIUS request to EntryPoint with the MAC and the SSID. EntryPoint looks the MAC up, returns the group’s pre-shared key and network policy — its Attribute Profile and, where configured, a security group tag — and the controller admits the device when the keys match, then assigns an address by DHCP.

A device whose MAC is not yet known can be handled by a default group: it connects with a fallback key and is redirected to a captive portal to register by email, after which it is moved to its own group and uses that group’s key from then on.

Because keys are issued per group rather than per unit, Cisco iPSK organises devices by class — a group for sensors, a group for handhelds, a group for a tenant — each with its own key and policy. Devices in the same group can communicate; different groups are isolated even on the same SSID (see Groups & devices).

Use Cisco iPSK for IoT and headless devices on Cisco networks that cannot run 802.1X but should still be segmented by group rather than sharing one flat network password. It supports Cisco Catalyst 9800 wireless and Cisco Meraki MR access points, and the same MAC-based mechanism can authenticate wired devices through MAC Authentication Bypass (MAB).

Cisco iPSK serves group keys over RADIUS, organised by device class. It is not the same as EasyPSK, which issues a key per unit for residential and shared-space venues. For certificate- or password-based 802.1X, use the EAP variants.

ItemRequirement
WirelessCisco Catalyst 9800 (IOS-XE 16.12 or later) or Cisco Meraki MR (firmware 30.6 or newer)
ConnectivityPersistent internet access to the cloud RADIUS service, or private connectivity over Service Connector
RADIUS clientA valid Message-Authenticator attribute on every authentication request
  • Groups & devices: contexts, groups, keys, isolation tags, and device registration.
  • Self-service: delegated device, user, and key management.

Next