View Categories

Configuration and Monitoring Guide

Introduction to RADIUS Service for Cisco Identity PSK Authentication (iPSK) #

Identity PSK (iPSK) allows devices to connect to a secure wireless network using individual Pre-Shared Keys, managed centrally via EntryPoint.
In this setup, devices must be registered in advance before they can connect, ensuring a secure and manageable environment.

In this guide, you will learn how to configure EntryPoint for Cisco iPSK, how to manage devices, users, and network settings, and how the optional self-registration flow works for non-pre-registered devices.

๐Ÿ”ง Step 1: Create a New iPSK Context #

To begin, navigate to the EntryPoint service and click Create Context. Choose EntryPoint 1.0 (iPSK) as the context type.

  • Important: The name of the context must match the SSID (WLAN ID) of the customer’s wireless network exactly.
    This is how the platform identifies which context is used during authentication based on the SSID attribute.

Fill in:

  • Name: (Must match the SSID)

  • Description: Briefly describe the purpose (e.g., “IoT devices at Branch X”)

  • Implementation: Choose iPSK

Creating a specific context ensures that all management and monitoring are scoped to that particular SSID.

๐Ÿ› ๏ธ Step 2: Configure the Basic Settings #

In the basic settings view:

  • Add COA listeners if you want Change of Authorization support (optional).

  • Define if you want to manage Security Group Tags (SGT) manually or automatically.

  • Set default member roles for self-service users (e.g., allowing them to manage their own devices).

You can also configure mail notifications for new device additions.

๐Ÿงฉ Step 3: Configure Default Group and PSK #


You can configure a Default Group:

  • Default PSK: Enter a fallback Pre-Shared Key (PSK) that will be returned if a device is not explicitly registered in any group.

  • Optional SCT (Security Group Tag): Assign if needed.

This ensures that even unregistered devices can initially connect and be redirected to a Captive Portal for registration.

๐Ÿ‘ฅ Step 4: Manage Users and Self-Service Options #

You have two options for user management:

  1. Manual device registration

    • Admins can manually register devices by MAC address and assign them to groups.

  2. Self-Service Portal for Users

    • Invite users manually via email, giving them rights to register their own devices.

    • Users can then log into the portal, register their device MAC addresses, and manage PSKs.

    • Note: Self-Service Users become important primarily if Self-Service registration is enabled.

Self-Service Options:

  • Request Access Form: Optional. If enabled, users can request access via a simple web form, triggering an approval and registration process.

  • Auto-Device Enrollment: If the user email is verified, the device is automatically added to the group without manual intervention.

โš™๏ธ Step 5: Add Attribute Profiles #

Attribute Profiles allow you to attach additional RADIUS attributes like VLAN assignments or Cisco AV-Pair settings.

When creating an Attribute Profile:

  • Define the attribute type: for example, VLAN ID or Cisco-specific attributes.

  • Example: Tunnel-Private-Group-ID to assign VLAN 200 to a group.

  • You can then associate these profiles with either the default group or specific device groups.

This is crucial for dynamically steering devices into appropriate VLANs or applying policy settings.

๐ŸŒ Step 6: Network Integration #

In the Network Integration view, you configure:

  • Radius Hostname, Authentication Port, Accounting Port

  • RADIUS Client Secret (shared key for NAS devices).

  • IP Access Restrictions: Define which internal IP ranges are allowed to send authentication requests.

This ensures secure communication between your WLAN controller (e.g., Cisco WLC) and EntryPoint.

 

๐Ÿ“Š Monitoring and Statistics #

After the configuration is complete, itโ€™s crucial to monitor and manage your EntryPoint iPSK environment to ensure reliability and performance.

๐Ÿ”ข Overview Statistics #

The EntryPoint dashboard provides a quick overview of:

  • Number of configured groups (can be multiple for iPSK contexts).

  • Total number of registered devices.

  • Number of devices currently online.

This high-level summary allows you to easily monitor the load and usage of your iPSK context.

๐Ÿ“ˆ Detailed Device Monitoring #

Through the Devices view, you can drill down into each registered device, where you can see:

  • Device MAC Address

  • Description

  • Associated Group

  • Connected Access Point

  • IP Address

  • Connection Type

  • Who added the device

  • First and last seen timestamps

This level of visibility simplifies troubleshooting, auditing device registration, and ensuring that devices are correctly assigned.

๐Ÿ‘ฅ Self-Service Users View #

If Self-Service users are enabled, you can also monitor:

  • Which users have access to manage devices.

  • How many devices each user manages.

  • Self-Service permissions per user.

Useful for environments where decentralized device management is allowed via the Self-Service portal.

โš™๏ธ Context Management #

Under Context Configuration, you can update:

  • Context name and description

  • Default Pre-Shared Key (PSK) and security policies

  • Default attribute profiles

  • Radius client secret

  • IP access restrictions

This ensures that your iPSK context stays up-to-date with changing security and operational needs.

๐Ÿ“ Summary #

EntryPoint 1.0 for Cisco iPSK is a powerful way to manage IoT and BYOD environments where device registration must be tightly controlled.
By using identity-based PSKs, flexible self-service portals, and automated onboarding options (like Auto Device Enrollment), organizations can ensure that only authorized devices connect securely to the network.

Advanced features like RadSec and attribute-based VLAN steering enable a fully enterprise-grade, scalable solution for wireless authentication.

Netgraph
Powered by  GDPR Cookie Compliance
Cookie Overview

What are cookies?

Cookies are small text files consisting of letters and numbers. These are sent from Netgraph Sverige AB or our partners' web servers and stored on your device (for example, computer or mobile). They can be stored in two different ways.

Session cookies are temporary cookies that disappear when you close your browser or app.
Persistent cookies are cookies that remain on your computer until you delete them or until they expire.

Different types of cookies

Both our website and others, such as Facebook or Google, may place cookies on your computer when you visit this website. Cookies from the website you are visiting are called first-party cookies and cookies from other websites are called third-party cookies.

Other files, similar to cookies, are web beacons and similar technologies. Web beacons are small transparent graphic images that may be contained in emails we send to you.

Why do we use cookies?

We use cookies to make your visit to our website as enjoyable as possible, and to improve it even more. However, we do not store IP numbers or similar personal data about you.

Functionality cookies improve your experience

We store cookies about the pages you have visited to make your experience on our website as smooth as possible. For example, we can prevent you from seeing a pop-up window more than once.

Analytics cookies help us to make our website better

We use cookies to collect aggregate analytical information about how you use the site, such as statistics on our most popular pages. With the information we get, we can improve our web and our offers.

Deleting cookies

Your browser or device usually allows you to set which cookies can be stored on your computer. For example, you can choose to block all cookies, only accept cookies from the website you are visiting or delete all cookies when you close your browser. Look under Settings.

Questions?

Do you have any questions about how we use cookies? You can always reach Netgraph Sverige AB's data protection officer at info@netgraph.se

This information was updated on August 26, 2024.