Multi-Preshared Key

A multi-preshared key (multi-PSK) is a wireless security feature that

  • Allows multiple pre-shared keys (PSKs) to be configured for a single SSID

  • Enables any configured PSK to grant access to the same wireless network

  • Improves network flexibility by supporting concurrent user groups or devices with different credentials.

PSK: A pre-shared key is a password or passphrase used to authenticate clients on a wireless network.

Supporting analogy: keycards to the same door

Having multi-PSK keys for a single SSID is like giving different colored keycards to different teams. Each keycard opens the same door, but you can manage which card goes to which team, and revoke one team's card without reissuing everyone else's. This approach increases flexibility and security compared to using one generic key.

Comparing traditional PSK with multi-PSK

In a traditional PSK, all the clients joining the network use the same password as shown in the figure.

Figure 1. Traditional PSK

But with multi-PSK, client can use any of the configured pre-shared keys to connect to the network as shown in the figure.

Figure 2. Multi-PSK

In the multi-PSK example, two passwords, deadbeef and beefdead, are configured for the same SSID. In this scenario, clients can connect to the network using either of the passwords.

Note

  • Multi-PSK is different from iPSK. In iPSK, the PSK comes from the Cisco Identity Services Engine (ISE) authorization policy, so MAC Authentication Bypass (MAB) is required. Multi-PSK uses a pool of passwords configured locally on the WLAN, so ISE is not used.

Feature comparison of traditional PSK, multi-PSK, and Identity PSK (iPSK):

Number of PSKs per SSID

  • Traditional PSK: One shared key

  • Multi-PSK: Multiple keys (up to five)

  • Identity PSK (iPSK): Unique key per user or per group

Use case flexibility

  • Traditional PSK: All users share one credential

  • Multi-PSK: Separate keys for groups or devices

  • Identity PSK (iPSK): Per-user or per-group credentials for high granularity

Example

  • Traditional PSK: All staff share the same key

  • Multi-PSK: Staff, guests, and IoT devices have different keys

  • Identity PSK (iPSK): Each staff member, contractor, or device gets its own key

Key management

  • Traditional PSK: A single change affects all users

  • Multi-PSK: Changes can target specific groups or devices

  • Identity PSK (iPSK): Changes can target specific users or devices; policy-driven from ISE

Security granularity

  • Traditional PSK: Lowest; one compromise affects all

  • Multi-PSK: Better; a compromise is isolated to that PSK group

  • Identity PSK (iPSK): Highest; a compromise is isolated to an individual user or device, and fully policy-based

Restrictions

  • In central authentication flex (FlexConnect) mode, an AP in standalone mode allows clients to join only with the highest priority PSK (the priority 0 key). New clients that do not use the highest priority PSK are rejected while the AP is in standalone mode.

  • Multi-PSK does not support local authentication.

Configure a multi-preshared key (GUI)

Configure a WLAN to use a multi-PSK through the controller's GUI.

Before you begin

Know the required security settings such as Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), PSK, and so on for your WLAN.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

On the Wireless Networks page, click the name of the WLAN.

Step 3

In the Edit WLAN window, click the Security tab.

Step 4

In the Layer2 tab, choose the Layer2 Security Mode from the options:

  • None: No Layer 2 security
  • 802.1X: WEP 802.1X data encryption type
  • WPA + WPA2: Wi-Fi Protected Access
  • Static WEP: Static WEP encryption parameters
  • Static WEP+802.1X: Both Static WEP and 802.1X parameters

Parameters available for each Layer2 Security Mode:

802.1X

  • WEP Key Size: Choose the key size. The available values are None, 40 bits, and 104 bits.

WPA + WPA2

  • Protected Management Frame: Possible values are Disabled, Optional, and Required.

  • WPA Policy: Check the check box to enable WPA policy.

  • WPA Encryption: Choose the WPA encryption standard. A WPA encryption standard must be specified if you have enabled WPA policy.

  • WPA2 Policy: Check the check box to enable WPA2 policy.

  • WPA2 Encryption: Choose the WPA2 encryption standard. A WPA2 encryption standard must be specified if you have enabled WPA2 policy.

  • Auth Key Mgmt: Possible rekeying mechanism options:

      • 802.1X

      • FT + 802.1X

      • PSK: You must specify the PSK format and a preshared key

      • Cisco Centralized Key Management: You must specify a Cisco Centralized Key Management Timestamp Tolerance value

      • 802.1X + Cisco Centralized Key Management: You must specify a Cisco Centralized Key Management Timestamp Tolerance value

      • FT + 802.1X + Cisco Centralized Key Management: You must specify a Cisco Centralized Key Management Timestamp Tolerance value

Static WEP

  • Key Size: Possible key size options are 40 bits and 104 bits.

  • Key Index: Choose a key index from 1 to 4. One unique WEP key index can be applied to each WLAN. As there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer2 encryption.

  • Key Format: Choose the encryption key format as either ASCII or HEX.

  • Encryption Key: Enter an encryption key that is 13 characters long.

Static WEP + 802.1X

  • Key Size: Possible key size options are 40 bits and 104 bits.

  • Key Index: Choose a key index from 1 to 4. One unique WEP key index can be applied to each WLAN. As there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer2 encryption.

  • Key Format: Choose the encryption key format as either ASCII or HEX.

  • Encryption Key: Enter an encryption key that is 13 characters long.

  • WEP Key Size: Choose from the WEP key sizes None, 40 bits, and 104 bits.

Step 5

Click Save & Apply to Device.


The WLAN is updated with the selected multi-PSK security settings.

Configure a multi-preshared key (CLI)

Configure a WLAN to use a multi-PSK through the controller's CLI.

Before you begin

Know the required security settings (WEP, WPA, PSK, and so on) for your WLAN.

Procedure

Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the WLAN and SSID.

Example:

Device(config)# wlan mywlan 1 SSID_name

Step 3

Disable the 802.1X (dot1x) AKM.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 4

Configure PSK as the AKM.

Example:

Device(config-wlan)# security wpa akm psk

Step 5

Enable multi-PSK.

Example:

Device(config-wlan)# security wpa wpa2 mpsk

Step 6

Configure a PSK priority and its password using the priority priority_value set-key {ascii [0 | 8] pre-shared-key | hex [0 | 8] pre-shared-key} command, and repeat the command for each additional password. The 0 keyword indicates that the key that follows is entered unencrypted; 8 indicates an AES-encrypted key.

Example:

Device(config-mpsk)# priority 0 set-key ascii 0 deadbeef

The priority_value ranges from 0 to 4.

Note

  • You must configure the priority 0 key for multi-PSK.

Step 7

Enable the WLAN.

Example:

Device(config-mpsk)# no shutdown

Step 8

Exit WLAN configuration mode and return to global configuration mode.

Example:

Device(config-wlan)# exit

Step 9

Return to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode.

Example:

Device(config)# end

The WLAN is updated with the selected multi-PSK security settings.

Verify multi-PSK configurations

To verify the configuration of a WLAN and a client, use the following command:

Device# show wlan id 8
WLAN Profile Name     : wlan_8
================================================
Identifier                                     : 8
Network Name (SSID)                            : ssid_8
Status                                         : Enabled
Broadcast SSID                                 : Enabled
Universal AP Admin                             : Disabled
Max Associated Clients per WLAN                : 0
Max Associated Clients per AP per WLAN         : 0
Max Associated Clients per AP Radio per WLAN   : 200
Number of Active Clients                       : 0
CHD per WLAN                                   : Enabled
Multicast Interface                            : Unconfigured
WMM                                            : Allowed
WifiDirect                                     : Invalid
Channel Scan Defer Priority:
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Enabled
CCX - Diagnostics Channel Capability           : Disabled
Peer-to-Peer Blocking Action                   : Disabled
Radio Policy                                   : All
DTIM period for 802.11a radio                  : 1
DTIM period for 802.11b radio                  : 1
Local EAP Authentication                       : Disabled
Mac Filter Authorization list name             : Disabled
Mac Filter Override Authorization list name    : Disabled
Accounting list name                           : 
802.1x authentication list name                : Disabled
802.1x authorization list name                 : Disabled
Security  
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    802.1X                                     : Disabled
    Wi-Fi Protected Access (WPA/WPA2/WPA3)     : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Enabled
            MPSK                               : Enabled
            AES Cipher                         : Enabled
            CCMP256 Cipher                     : Disabled
            GCMP128 Cipher                     : Disabled
            GCMP256 Cipher                     : Disabled
        WPA3 (WPA3 IE)                         : Disabled
        Auth Key Management
            802.1x                             : Disabled
            PSK                                : Enabled
            CCKM                               : Disabled
            FT dot1x                           : Disabled
            FT PSK                             : Disabled
            FT SAE                             : Disabled
            PMF dot1x                          : Disabled
            PMF PSK                            : Disabled
            SAE                                : Disabled
            OWE                                : Disabled
            SUITEB-1X                          : Disabled
            SUITEB192-1X                       : Disabled
    CCKM TSF Tolerance                         : 1000
    FT Support                                 : Adaptive
        FT Reassociation Timeout               : 20
        FT Over-The-DS mode                    : Enabled
    PMF Support                                : Disabled
        PMF Association Comeback Timeout       : 1
        PMF SA Query Time                      : 200
    Web Based Authentication                   : Disabled
    Conditional Web Redirect                   : Disabled
    Splash-Page Web Redirect                   : Disabled
    Webauth On-mac-filter Failure              : Disabled
    Webauth Authentication List Name           : Disabled
    Webauth Authorization List Name            : Disabled
    Webauth Parameter Map                      : Disabled
    Tkip MIC Countermeasure Hold-down Timer    : 60
Non Cisco WGB                                  : Disabled
Band Select                                    : Enabled
Load Balancing                                 : Disabled
Multicast Buffer                               : Disabled
Multicast Buffer Size                          : 0
IP Source Guard                                : Disabled
Assisted-Roaming
    Neighbor List                              : Disabled
    Prediction List                            : Disabled
    Dual Band Support                          : Disabled
IEEE 802.11v parameters
    Directed Multicast Service                 : Disabled
    BSS Max Idle                               : Disabled
        Protected Mode                         : Disabled
    Traffic Filtering Service                  : Disabled
    BSS Transition                             : Enabled
        Disassociation Imminent                : Disabled
            Optimised Roaming Timer            : 40
            Timer                              : 200
    WNM Sleep Mode                             : Disabled
802.11ac MU-MIMO                               : Disabled
802.11ax paramters
    OFDMA Downlink                             : unknown
    OFDMA Uplink                               : unknown
    MU-MIMO Downlink                           : unknown
    MU-MIMO Uplink                             : unknown
    BSS Color                                  : unknown
    Partial BSS Color                          : unknown
    BSS Color Code                             :

To view the WLAN details, use the following command:

Device# show run wlan
wlan wlan_8 8 ssid_8
 security wpa psk set-key ascii 0 deadbeef
 no security wpa akm dot1x
 security wpa akm psk
 security wpa wpa2 mpsk
  priority 0 set-key ascii 0 deadbeef
  priority 1 set-key ascii 0 deaddead
  priority 2 set-key ascii 0 d123d123
  priority 3 set-key hex 0 0234567890123456789012345678901234567890123456789012345678901234
  priority 4 set-key hex 0 1234567890123456789012345678901234567890123456789012345678901234
 no shutdown
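Because the running configuration is the only place the key pool is visible, a practitioner usually wants to check it mechanically: that mpsk and the PSK AKM are on, that the dot1x AKM is off, that the mandatory priority 0 key exists (the only key a FlexConnect AP honours in standalone mode), that no more than five keys are present, that each key meets the 802.11 length rules (8 to 63 ASCII characters, or 64 hex digits), and which keys were entered with the 0 keyword and therefore sit in clear text in show run. The following Python script is an added example, not Cisco code, that parses show run wlan output in the format shown above and reports those findings. The sample input is constructed: wlan_8 copies the running configuration above, and wlan_9 is a hypothetical WLAN with deliberate mistakes. The SHORT_ASCII threshold is an assumed local policy, not a Cisco limit, and the script assumes that the dot1x AKM is on unless the no security wpa akm dot1x line is present.

```python
"""Audit 'show run wlan' output for multi-PSK hygiene (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: wlan_8 copies the running config shown above;
# wlan_9 is a hypothetical WLAN that breaks several rules.
SAMPLE_RUN = """\
wlan wlan_8 8 ssid_8
 security wpa psk set-key ascii 0 deadbeef
 no security wpa akm dot1x
 security wpa akm psk
 security wpa wpa2 mpsk
  priority 0 set-key ascii 0 deadbeef
  priority 1 set-key ascii 0 deaddead
  priority 2 set-key ascii 0 d123d123
  priority 3 set-key hex 0 0234567890123456789012345678901234567890123456789012345678901234
  priority 4 set-key hex 0 1234567890123456789012345678901234567890123456789012345678901234
 no shutdown
wlan wlan_9 9 ssid_9
 security wpa akm psk
 security wpa wpa2 mpsk
  priority 1 set-key ascii 0 short
  priority 2 set-key ascii 8 Vc7bP1pdsEe9Y2Rr1n2Xg
 no shutdown
"""

MAX_KEYS = 5                   # priority 0-4, as the page states
MIN_ASCII, MAX_ASCII = 8, 63   # 802.11 passphrase length bounds
HEX_LEN = 64                   # a raw 256-bit PSK written as hex digits
SHORT_ASCII = 12               # assumed local policy threshold, not a Cisco limit
PRIO_RE = re.compile(r"priority (\d+) set-key (ascii|hex) ([08]) (\S+)")

@dataclass
class Wlan:
    name: str
    wlan_id: int
    ssid: str
    akm_psk: bool = False
    akm_dot1x: bool = True   # assumed default; only 'no security wpa akm dot1x' clears it
    mpsk: bool = False
    keys: dict = field(default_factory=dict)   # priority -> (fmt, enc, key)

def parse_show_run_wlan(text):
    """Split a 'show run wlan' dump into one Wlan record per 'wlan' stanza."""
    wlans, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("wlan "):               # stanza header sits in column 0
            _, name, wid, ssid = line.split(None, 3)
            cur = Wlan(name, int(wid), ssid)
            wlans.append(cur)
        elif cur is None or not line:
            continue
        elif line == "security wpa akm psk":
            cur.akm_psk = True
        elif line == "no security wpa akm dot1x":
            cur.akm_dot1x = False
        elif line == "security wpa wpa2 mpsk":
            cur.mpsk = True
        elif (m := PRIO_RE.fullmatch(line)):
            prio, fmt, enc, key = m.groups()
            cur.keys[int(prio)] = (fmt, enc, key)
    return wlans

def audit_wlan(w):
    """Return FAIL/WARN strings for one multi-PSK WLAN (empty list if mpsk is off)."""
    out = []
    if not w.mpsk:
        return out
    if not w.akm_psk:
        out.append("FAIL: mpsk enabled but 'security wpa akm psk' is missing")
    if w.akm_dot1x:
        out.append("FAIL: 'no security wpa akm dot1x' not applied; 802.1X AKM still active")
    if 0 not in w.keys:
        out.append("FAIL: no priority 0 key; required, and the only key accepted in FlexConnect standalone mode")
    if len(w.keys) > MAX_KEYS:
        out.append(f"FAIL: {len(w.keys)} keys configured, maximum is {MAX_KEYS}")
    seen = {}
    for prio, (fmt, enc, key) in sorted(w.keys.items()):
        tag = f"priority {prio}"
        if enc == "8":
            pass   # AES-encrypted at rest: ciphertext length says nothing about the passphrase
        elif fmt == "ascii" and not MIN_ASCII <= len(key) <= MAX_ASCII:
            out.append(f"FAIL: {tag} ascii key length {len(key)} is outside {MIN_ASCII}-{MAX_ASCII}")
        elif fmt == "ascii" and len(key) < SHORT_ASCII:
            out.append(f"WARN: {tag} ascii key is only {len(key)} characters")
        elif fmt == "hex" and not (len(key) == HEX_LEN and re.fullmatch(r"[0-9a-fA-F]+", key)):
            out.append(f"FAIL: {tag} hex key must be exactly {HEX_LEN} hex digits")
        if enc == "0":
            out.append(f"WARN: {tag} key is stored with '0' and appears in clear text in the running config")
        if key in seen:
            out.append(f"WARN: {tag} reuses the key at priority {seen[key]}")
        seen.setdefault(key, prio)
    return out

def audit_report(text):
    """Map WLAN profile name -> findings for every WLAN with mpsk enabled."""
    return {w.name: audit_wlan(w) for w in parse_show_run_wlan(text) if w.mpsk}

if __name__ == "__main__":
    print(*(f"{n}: {f}" for n, fs in audit_report(SAMPLE_RUN).items() for f in fs), sep="\n")
```

Run against the sample, wlan_8 produces warnings only (every key is stored with the 0 keyword, and the three ASCII keys sit at the 8-character minimum), while wlan_9 fails on the still-active dot1x AKM, the missing priority 0 key, and a 5-character passphrase; its priority 2 key, stored with 8, is skipped for length checks because only ciphertext is visible. Feed the script the real show run wlan output from a controller to apply the same checks to production WLANs.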