Cisco Catalyst WLC (IOS-XE)

This is a Beta feature, available only to partners and customers with access to the Beta Program.

Check the official Cisco documentation to understand requirements and limitations: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/config-guide/b_wl_17_6_cg/m_epsk.html

Cisco Easy PSK is a new solution that leverages RADIUS authentication while overcoming the limitations of traditional MAC-based authentication. The RADIUS platform performs a user lookup by analyzing the EAPOL parameters included in the RADIUS request to identify potential user matches.
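
How a RADIUS-side lookup of this kind can work, as an added example (not Cusna's or Cisco's code): it assumes WPA2-PSK with the HMAC-SHA1 MIC, and that the request carries the SSID, the AP and client MAC addresses, the AP's ANonce and the client's EAPOL-Key message 2. All function names and sample values are hypothetical.

```python
import hashlib
import hmac

# Offsets inside an EAPOL-Key frame (4-byte 802.1X header included).
NONCE, MIC = slice(17, 49), slice(81, 97)

def derive_kck(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """WPA2-PSK: PMK from passphrase+SSID, then the KCK (first 16 bytes of the PTK)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion\x00"
    return hmac.new(pmk, label + data + b"\x00", hashlib.sha1).digest()[:16]

def m2_mic(kck, frame):
    """HMAC-SHA1 MIC over the frame with its MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC.start] + bytes(16) + frame[MIC.stop:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def lookup_account(accounts, ssid, ap_mac, sta_mac, anonce, m2):
    """Return the account whose provisioned passphrase produced the MIC in M2, else None."""
    if len(anonce) != 32 or len(m2) < 99:
        return None  # malformed request: reject rather than guess
    for name, passphrase in accounts.items():
        kck = derive_kck(passphrase, ssid, ap_mac, sta_mac, anonce, m2[NONCE])
        if hmac.compare_digest(m2_mic(kck, m2), m2[MIC]):
            return name
    return None

def build_sample_m2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Constructed test input: a minimal M2 frame as a client holding `passphrase` would send."""
    body = (b"\x02" + b"\x01\x0a" + bytes(2) + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    kck = derive_kck(passphrase, ssid, ap_mac, sta_mac, anonce, snonce)
    return frame[:MIC.start] + m2_mic(kck, frame) + frame[MIC.stop:]

# Constructed sample data (not real credentials or addresses).
ACCOUNTS = {"room-101": "maple-river-4821", "room-102": "quiet-stone-7730"}
AP, STA = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000b2")
ANONCE, SNONCE = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()

if __name__ == "__main__":
    m2 = build_sample_m2(ACCOUNTS["room-102"], "ResNet", AP, STA, ANONCE, SNONCE)
    print(lookup_account(ACCOUNTS, "ResNet", AP, STA, ANONCE, m2))
```

Because the PMK is derived from both the passphrase and the SSID, the same passphrase presented on a different SSID name produces a different MIC and matches no account.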

Cusna leverages the Cisco UDN (User Defined Network) technology to create personal area networks without requiring complex VLAN-based orchestration.

Cisco WLC Setup

AAA Server

Click Configuration > Security > AAA on the left. Select the Servers / Groups tab and click Add. Configure with:

  • Name: Cusna_Radius_1

  • IPv4 / IPv6 Server Address: *insert radius_server_ip here*

  • Key Type: 0

  • Key: *insert radius_secret here*

  • Confirm Key: as above

  • Auth Port: 1812

  • Acct Port: 1813

  • Server Timeout: 10

  • Retry Count: 3

  • Support for CoA: Enabled

Click Apply to Device to save. Next, click Add again and configure with:

  • Name: Cusna_Radius_2

  • IPv4 / IPv6 Server Address: *insert radius_server2_ip here*

  • Key Type: 0

  • Key: *insert radius_secret here*

  • Confirm Key: as above

  • Auth Port: 1812

  • Acct Port: 1813

  • Server Timeout: 10

  • Retry Count: 3

  • Support for CoA: Enabled

Click Apply to Device to save. On the Server Groups sub tab, click Add. Configure with:

  • Name: Cusna_Radius_Group

  • Group Type: RADIUS

  • MAC-Delimiter: hyphen

  • MAC-Filtering: mac

  • Assigned Servers: Cusna_Radius_1, Cusna_Radius_2

Click Apply to Device to save. Next, click on the AAA Method List tab, Authentication sub nav menu. Click Add and configure with:

  • Method List Name: Cusna_AuthN

  • Type: dot1x

  • Group Type: group

  • Assigned Server Groups: Cusna_Radius

Click Apply to Device to save. Next, click the Authorization sub nav menu on the left and click Add. Configure with:

  • Method List Name: Cusna_AuthZ

  • Type: network

  • Assigned Server Groups: Cusna_Radius

Click Apply to Device to save. Next, click the Accounting sub nav menu on the left and click Add. Configure with:

  • Method List Name: Cusna_Acct

  • Type: identity

  • Assigned Server Groups: Cusna_Radius

Click Apply to Device to save. Next, click the AAA Advanced tab and then the Show Advanced Settings >>> option. Configure both Accounting and Authentication with:

  • Call Station ID: ap-macaddress-ssid

  • Call Station ID Case: upper

  • MAC-Delimiter: hyphen

  • Username Case: lower

  • Username Delimiter: none

Wireless AAA Policy

Click Configuration > Security > Wireless AAA Policy on the left. Click Add or edit an existing Wireless AAA Policy and configure with:

  • Policy Name: Cusna_AAA_Policy

  • NAS-ID Option 1: AP MAC Address

  • NAS-ID Option 2: AP Site Tag

  • NAS-ID Option 3: SSID

WLANs

Click Configuration > Tags & Profiles > WLANs on the left. Click Add or edit an existing WLAN and configure with:

On the General tab:

  • Profile Name: Cusna Profile

  • SSID: ResNet (or whatever you wish)

  • Status: Enabled

  • Radio Policy: All

  • Broadcast SSID: Enabled

On the Security > Layer 2 tab:

  • Layer 2 Security Mode: WPA + WPA2

  • MAC Filtering: Enabled

  • 802.1x: Disabled

  • PSK: Enabled

  • Easy-PSK: Enabled

  • Authorization List: Cusna_AuthZ (Authorization List previously created)

  • Fast Transition: Disabled or Enabled (not Adaptive Enabled)

On the Security > AAA tab:

  • Authentication List: Cusna_AuthN (Authentication List previously created)

Policy

Click Configuration > Tags & Profiles > Policy on the left. Click Add, leaving all settings at default apart from the following:

On the General tab:

  • Name: Cusna_Policy

  • Status: Enabled

On the Advanced tab:

WLAN Timeout

  • Session Timeout: 43200

  • Idle Timeout: 3600

AAA Policy

  • Allow AAA Override: Enabled

  • Accounting List: Cusna_Acct

Policy Name

User Defined (Private) Network

  • Status: Enabled

  • Drop Unicast: Disabled

Tags

Click Configuration > Tags & Profiles > Tags on the left. Click Add and configure with:

  • Name: Cusna_Tag

  • WLAN Profile:

  • Policy Profile:

Cusna setup

Cusna does not integrate directly with on-prem Cisco Catalyst 9800 WLCs.

  • Log in to your Cusna account and click Setting.

  • Expand the WiFi setup card and select Cisco WLC.

  • Enter a Name for your WLC and click Save.

Creating Networks

Although Cusna does not integrate directly with the WLC via APIs, the Network artifact is used in Cusna to define the Home Network of each Account, for the use cases that require PAN orchestration.

The Network an Account is associated with becomes the Account's "Home Network". Cusna enforces the Account UDN only when the user is connected to an Access Point of its Home Network.

The Network the user is connected from is detected by means of Site Tags. When you set up a Network you need to specify:

  • SSID Name: the PPSK generated for the user will work only on this SSID name

  • Site Tag: the Site Tag that can be used to match the authentication request with this Cusna Network.
