iPSK for Cisco Networks — the EntryPoint 1.0 (IPSK) variant — serves Identity PSK as a RADIUS service directly to your Cisco WLAN controllers. Each EntryPoint Group holds one shared Pre-Shared Key used by every device in the Group. The WLAN controller asks EntryPoint for the PSK on every association; EntryPoint returns the Group’s current key, and the AP completes the WPA2 4-way handshake with the device on that key.

The model shines for IoT fleets on Cisco Wi-Fi. Digital signage, cleaning robots, smart locks, lab sensors — each class of device gets its own Group, its own PSK, and (importantly) its own delegated admin from the team that actually owns the fleet. You keep a single view of all the Groups in one Context; each Group runs itself.

The core idea — distributed administration of IoT Groups

An iPSK deployment is a collection of Groups, each owned by the team or vendor that knows what belongs there. Network engineers rarely know whether a new cleaning robot is the right brand, the right firmware, or expected in the building today — facility services does. The signage technician knows whether a new display is the marketing agency’s replacement unit — marketing does. Each of these categories is a candidate for its own Group and its own Pre-Shared Key (PSK) Administrator:
  • Robot Cleaners — managed by a PSK Administrator from facility services.
  • Digital Signage — managed by a PSK Administrator from the marketing agency.
  • Smart Locks — managed by a PSK Administrator from the security contractor.
  • Lab Sensors — managed by a PSK Administrator from your R&D team.
Each admin sees only their own Group, adds and removes MAC addresses there, rotates their Group’s PSK as needed, optionally delegates to colleagues, and never logs in to your EntryPoint admin. You keep a single view of all Groups in the Context — who owns what, how many devices are in each, who has access to rotate the key — from the Admin Dashboard.

Distributed administration is one shape. The same model also fits:
  • Per-vendor IoT inventories. The badge-reader vendor manages the badge Group; the HVAC vendor manages the HVAC Group.
  • Internal teams with their own roll-in schedules. The AV team owns the conference-room-sensor Group; the logistics team owns the warehouse-scanner Group.
  • Shared labs and test benches. Each lab team manages its own Group and lists its own test equipment.

How iPSK authentication works

1. A device associates to the Cisco SSID set up for iPSK. The SSID is WPA2-PSK (Enterprise MAB), configured to fetch the PSK from a RADIUS server.
2. The Cisco WLAN controller sends a RADIUS Access-Request carrying the device’s MAC as the username. It arrives at the EntryPoint Context’s RADIUS endpoint.
3. EntryPoint looks up the MAC, finds the Group it belongs to, and reads the Group’s shared PSK.
4. EntryPoint returns Access-Accept with the PSK, plus the Group’s Attribute Profile (VLAN / SGT) on the RADIUS response.
5. The AP completes WPA2 with the device, using the PSK EntryPoint returned. The device joins the SSID.

Every device in the same Group authenticates with the same PSK; a different Group, a different PSK.
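
The lookup in steps 2 to 4, modelled as an added example (not EntryPoint code): the MAC in User-Name is normalized, mapped to its Group, and answered with that Group's PSK and VLAN, or rejected if the MAC is not enrolled. The attribute encoding (Cisco-AVPair `psk-mode`/`psk`, tunnel attributes for the VLAN), the PSK values, VLAN IDs and MAC addresses are assumptions constructed for illustration; the page only states that the PSK and the Attribute Profile are returned.

```python
import re

# Constructed sample data: Group names come from the page; PSKs, VLANs
# and MACs (RFC 7042 documentation range) are invented for this example.
GROUPS = {
    "Robot Cleaners": {"psk": "example-psk-robots", "vlan": 110},
    "Digital Signage": {"psk": "example-psk-signage", "vlan": 120},
}
DEVICES = {  # normalized MAC -> Group name
    "00005e005301": "Robot Cleaners",
    "00005e005302": "Robot Cleaners",
    "00005e005303": "Digital Signage",
}

def normalize_mac(username):
    """Reduce aa:bb:.., AA-BB-.., aabb.ccdd.eeff to 12 lowercase hex digits."""
    mac = re.sub(r"[.:\-]", "", username.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError("User-Name is not a MAC address")
    return mac

def handle_access_request(username):
    """Return (code, attributes) for a MAC-as-username Access-Request."""
    try:
        mac = normalize_mac(username)
    except ValueError:
        return "Access-Reject", {}
    group_name = DEVICES.get(mac)
    if group_name is None:  # MAC is not enrolled in any Group
        return "Access-Reject", {}
    group = GROUPS[group_name]
    # Assumed encoding: Cisco AV-pairs carry the PSK, tunnel attributes the VLAN.
    return "Access-Accept", {
        "Cisco-AVPair": ["psk-mode=ascii", "psk=" + group["psk"]],
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(group["vlan"]),
    }

if __name__ == "__main__":
    # The same Group yields the same PSK regardless of how the MAC is written.
    for name in ("00-00-5E-00-53-01", "0000.5e00.5302", "00:00:5e:00:53:03",
                 "00:00:5e:00:53:99"):
        print(name, handle_access_request(name))
```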

What iPSK is NOT

  • Not a user-password flow. iPSK is a per-device-class shared PSK. If you need per-person credentials, use EAP-PEAP for contractors or EAP-TLS with Entra for managed-device fleets.
  • Not a Meraki-side tool. If your shared-SSID, per-unit PSK deployment is on Meraki — one apartment = one PSK, residents self-serve — look at EasyPSK for Cisco Networks. EasyPSK talks to the Meraki Dashboard API directly and writes Meraki-native Identity PSKs. iPSK (this variant) serves Cisco Catalyst and Meraki networks via RADIUS.
  • Not ISE’s iPSK. Cisco ISE can also serve iPSK. If your iPSK is already being served by your own Cisco ISE and you want to delegate the MAC-by-MAC administration of the Endpoint Identity Groups there, use Endpoint Manager for Cisco ISE — it layers managed administration on top of ISE. iPSK in EntryPoint (this variant) is for Organizations that want Netgraph to host the iPSK service itself.
  • Not a certificate authority. No PKI involvement; WPA2-PSK. For certificate auth see EAP-TLS.

Who operates iPSK

Three roles appear in an iPSK deployment. Each holds the scope they need and no more.
| Role | Scope | Typical actions |
| --- | --- | --- |
| Organization administrator | The Organization and every Context inside it. | Create the iPSK Context, attach network equipment (RADIUS clients), create the Groups, invite the first PSK Administrator per Group, review audits. |
| PSK Administrator (Self-Service) | One Group in one Context. | Rotate the Group’s shared PSK. Combine this with the default User role to also manage devices. |
| Self-Service User Administrator (Self-Service) | One Group. | Invite, modify, and revoke other Self-Service Users in the Group. |
| User (default) (Self-Service) | One Group. | View the Group’s shared PSK. Add, update, remove devices in the Group. |

These are the exact labels the Self-Service portal shows. A single person can hold more than one role at once — the portal merges the sections for them. The common shape is one person per Group holding User + Self-Service User Administrator + PSK Administrator (a full delegate), with the rest of the team as plain User. See Self-Service portal & roles.

Prerequisites

  • An EntryPoint Context of type EntryPoint 1.0 (IPSK) — see Creating a Context.
  • A Cisco WLAN — typically Meraki with the iPSK-via-RADIUS feature, or a Cisco Catalyst 9800 controller with WPA2-PSK fetching the PSK via RADIUS.
  • Your Cisco network’s public RADIUS source IP(s) added to the Context’s Configure RADIUS Access Restrictions.
  • Change of Authorization (CoA) listeners configured on the Context if you want PSK rotations to kick devices off cleanly. See Groups and shared PSK.

Where to go next

  • Groups and shared PSK. One Group per device class; one shared PSK per Group.
  • Managing devices — bulk and single. Add MACs individually, bulk-import via CSV, retire at end-of-life.
  • Self-Service portal & roles. The delegated-admin surface; three roles, one per operational concern.
  • Attribute Profiles. VLAN / SGT per Group, returned on every iPSK Access-Accept.