iPSK

There will often be a need to onboard clients/devices that don't support EAP-TLS or similar 802.1X authentication methods. This could be scanners, POS terminals, solar panels or, typically, IoT devices. To get these devices associated to the wireless network, a PSK is often used. The issue is that a PSK is shared among all devices and can easily be compromised. A way to onboard these devices more securely is to use iPSK (this is the Cisco way with ISE/NPS; other vendors have similar solutions). The diagram below shows the general flow of traffic when using iPSK to authenticate against a Cisco ISE server.

  1. Client authenticates and associates to the WLAN
  2. Upon authentication/association the AP sends a RADIUS MAB request to ISE
    • This can also be profiling in ISE
  3. ISE processes MAB/profiling through its Policy Sets
  4. ISE responds back with the PSK
  5. AP and client complete the 4-way handshake

Here are some use cases where I have implemented iPSK:

  • A large number of devices like internet radios, televisions, fitness equipment etc. In ISE a group has been made for each type of equipment. Every group has a unique PSK and sends out a VLAN attribute. When the MAC and equipment type are provided, this is configured in ISE. Afterwards the device can be onboarded with the PSK for its group and will be placed in the correct VLAN.
  • Retail with shop-in-shops, using the existing wireless infrastructure with a provided PSK (configured in a group policy in ISE) and terminated to a public VLAN.
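To make the flow above and the per-equipment-type groups concrete, here is an added example (my own code, not code from this post, from Cisco ISE or from the iPSK manager project) that models the decision ISE makes at step 3/4: the AP presents the client's MAC as the MAB username, the policy matches it to an endpoint group, and the reply carries that group's PSK and VLAN as RADIUS attributes, or an Access-Reject. The group names, MACs, keys and VLAN ids are constructed sample values; the attribute names follow the cisco-av-pair psk-mode/psk convention Cisco uses for iPSK plus the standard Tunnel-* attributes for VLAN assignment.

```python
import re
from typing import Optional

# Constructed endpoint identity groups, one per equipment type as described above.
GROUPS = {
    "internet-radios": {"psk": "radio-key-2024-Xy", "vlan": 110,
                        "macs": {"00:11:22:33:44:55", "00:11:22:33:44:56"}},
    "televisions":     {"psk": "tv-key-Q1-secure", "vlan": 120,
                        "macs": {"aa:bb:cc:dd:ee:01"}},
}

def normalize_mac(raw: str) -> Optional[str]:
    """Accept the MAC formats a MAB request may carry (aa:bb:cc:dd:ee:ff,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff) and return the
    lower-case colon form, or None if the username is not a MAC at all."""
    if re.search(r"[^0-9a-fA-F:.\-]", raw):
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def authorize_mab(username: str) -> dict:
    """Return the RADIUS reply the AP would get for this MAB username."""
    mac = normalize_mac(username)
    if mac is None:
        return {"code": "Access-Reject", "reason": "username is not a MAC"}
    for name, group in GROUPS.items():
        if mac in group["macs"]:
            # A WPA2 passphrase must be 8..63 ASCII characters; a bad key in a
            # group would break every device in it, so refuse to hand it out.
            if not 8 <= len(group["psk"]) <= 63:
                return {"code": "Access-Reject",
                        "reason": f"invalid PSK configured for group {name}"}
            return {
                "code": "Access-Accept",
                "group": name,
                "cisco-av-pair": ["psk-mode=ascii", f"psk={group['psk']}"],
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": str(group["vlan"]),
            }
    # Unknown MAC: no PSK is returned, so the 4-way handshake cannot complete.
    return {"code": "Access-Reject", "reason": "MAC not in any iPSK group"}
```

Because the key is only released after the MAC lookup, a leaked PSK from one group exposes only that group's VLAN, and removing a MAC from its group stops that device at the next association.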

There has been an iPSK manager project on GitHub. Unfortunately it is not updated anymore. Hopefully Cisco will integrate similar features into ISE in the future.
