This article will explain the personal pre-shared key (PSK) feature in Cisco Business Wireless (CBW) Access Point (AP) firmware version 10.6.1.0.
Applicable Devices | Software Version
If you have CBW gear in your network, you can now use the personal PSK feature in firmware version 10.6.1.0!
Personal PSK, also referred to as Individual PSK (iPSK), is a feature that allows an administrator to issue unique pre-shared keys to individual devices for the same Wi-Fi Protected Access II (WPA2) personal Wireless Local Area Network (WLAN). The unique PSK is tied to the MAC address of the device. This is not supported in WLANs where WPA3 policy is enabled.
This feature authenticates the client using a RADIUS Server. It is generally intended for use by IoT devices and company issued laptops and mobile devices.
- Make sure you have upgraded the CBW AP firmware to 10.6.1.0. Click if you would like step-by-step instructions on doing a firmware update.
- You will require a RADIUS server where the personal PSK and the MAC address of the device need to be configured.
- This CBW feature is supported with three different RADIUS servers - FreeRADIUS, Microsoft’s NPS, and Cisco’s ISE. The configuration will vary depending on the RADIUS server used.
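Because each personal PSK is tied to one MAC address on the RADIUS server, it is worth checking the MAC-to-PSK list before loading it. The Python script below is an added example, not part of Cisco's article or tooling; the function names and the sample inventory are constructed for illustration. It flags malformed MAC addresses, devices listed twice, passphrases outside the WPA2 range of 8 to 63 printable ASCII characters, and keys shared between devices.

```python
import re
import secrets
import string

# Alphabet for generated keys; WPA2-Personal passphrases are 8-63 printable ASCII chars.
PSK_ALPHABET = string.ascii_letters + string.digits

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def new_psk(length=24):
    """Generate a random passphrase from the OS CSPRNG."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))

def audit(entries):
    """Check (mac, psk) pairs; return a list of (mac, problem) findings."""
    findings, seen_macs, psk_owner = [], set(), {}
    for mac, psk in entries:
        try:
            key = normalize_mac(mac)
        except ValueError as exc:
            findings.append((mac, str(exc)))
            continue
        if key in seen_macs:
            findings.append((key, "duplicate MAC entry"))
        seen_macs.add(key)
        if not (8 <= len(psk) <= 63) or not all(32 <= ord(c) <= 126 for c in psk):
            findings.append((key, "PSK is not 8-63 printable ASCII characters"))
        if psk in psk_owner and psk_owner[psk] != key:
            findings.append((key, f"PSK shared with {psk_owner[psk]}"))
        psk_owner.setdefault(psk, key)
    return findings

# Constructed sample inventory (not real devices or keys).
SAMPLE = [
    ("AA:BB:CC:00:11:22", new_psk()),
    ("aa-bb-cc-00-11-33", "Warehouse-Sensors-2024"),
    ("aabb.cc00.1144", "Warehouse-Sensors-2024"),  # reuses the key above
    ("AA:BB:CC:00:11:22", new_psk()),               # same device listed twice
    ("aa:bb:cc:00:11", "short"),                    # malformed MAC
]

if __name__ == "__main__":
    for mac, problem in audit(SAMPLE):
        print(f"{mac}: {problem}")
```

A shared key between two MAC addresses is the finding to act on first, since it removes the isolation that issuing per-device keys is meant to provide.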
Configure CBW RADIUS Settings
To configure the RADIUS settings on the CBW AP, follow these steps.
Log in to the web user interface (UI) of the CBW AP.
Click the bi-directional arrow symbol to switch to expert view.
Navigate to Management > Admin Accounts.
Select the RADIUS tab.
Click on Add RADIUS Authentication Server.
Configure the following:
- Server Index - Select 1 through 6
- Network User - Enable the state. By default, this is Enabled
- Management - Enable the state. By default, this is Enabled
- State - Enable the state. By default, this is Enabled
- CoA - Make sure Change of Authorization (CoA) is enabled.
- Server IP Address - Enter the IPv4 address of the RADIUS server
- Shared Secret - Enter the shared secret key
- Port Number - Enter the port number being used for communicating with the RADIUS server.
- Server Timeout - Enter the server timeout
Configure WLAN Settings
Create a WLAN as a standard WPA2 Personal Secured WLAN.
The pre-shared key will not be used for the personal PSK devices. This would only be used for devices that are NOT authenticated on the RADIUS server. You would need to add the MAC addresses of ANY device that will be connecting to this WLAN to the allow-list of this device.
Navigate to Wireless Settings > WLANs.
Click on Add new WLAN/RLAN.
Under General tab, enter a Profile Name for the WLAN.
Navigate to WLAN Security tab and enable MAC Filtering by sliding the toggle.
Click on Add RADIUS Authentication Server to add the RADIUS server that was configured in the previous section to provide authentication for this WLAN.
A pop-up window will appear. Enter the Server IP Address, State, and Port Number. Click Apply.
Enable Authentication Caching. When you enable this option, the following fields are displayed.
- User Cache Timeout - Specifies the time period at which the authenticated credential in the cache expires.
- User Cache Reuse - Use the credentials cache information before cache timeout. By default, this
If this feature is enabled, a client who has already been authenticated to this server will not be required to pass data to the RADIUS server when they re-connect to this WLAN within the next 24 hours.
Navigate to the Advanced tab. Enable Allow AAA Override by sliding the toggle.
The Advanced tab will be visible only if you are in Expert View.
Once you have configured the settings on your CBW AP and set up your RADIUS server, you should be able to connect your device. Enter the custom PSK configured for that MAC address, and it will join the network.
If you have configured authentication caching, you will be able to see the devices that have joined the WLAN by going to the Auth Cached Users tab under Admin Accounts. If needed, this can be deleted.
There you go! You can now enjoy the benefits of the personal PSK feature on your CBW AP.