Authentication

Identity PSK (iPSK)

Identity PSK combines MAC-based device identification with unique per-device passphrases. Perfect for IoT devices, headless systems, and environments requiring device-level authentication without 802.1X complexity.

Overview

iPSK (Identity Pre-Shared Key) provides the security of unique credentials for each device while maintaining the simplicity of PSK-based Wi-Fi. Each device is identified by its MAC address and assigned a unique passphrase.

Traditional PSK

  • Single password for all devices
  • Cannot identify individual devices
  • Changing password affects everyone
  • No per-device policies

iPSK

  • Unique password per device
  • MAC-based identification
  • Revoke single device instantly
  • Per-device VLAN and policies

Use Cases

IoT Devices

Smart sensors, cameras, and automation devices that can't support 802.1X.

Printers & Displays

Network printers, digital signage, and presentation systems.

Shared Devices

Tablets, kiosks, and shared workstations in public areas.

Entertainment

Smart TVs, media players, and conference room equipment.

How It Works

1. Device Connects

Device connects to SSID with its configured passphrase

2. MAC Authentication

Controller sends MAC address to NetKey RADIUS

3. Endpoint Lookup

NetKey finds endpoint and retrieves its PSK

4. PSK Response

NetKey returns the device-specific PSK to controller

5. 4-Way Handshake

Controller validates device's PSK using the returned key

Vendor-Specific Attributes

NetKey returns the PSK using the appropriate vendor-specific attribute:
Cisco-AVPair = "psk=..." for Cisco
Aruba-MPSK-Passphrase for Aruba

Endpoint Groups

Organize devices into groups that share common settings like PSK, VLAN, and policies. This simplifies management for similar device types.

Creating an Endpoint Group

1

Navigate to Settings → Endpoint Groups

Click Add Group

2

Configure group settings:

Name Descriptive name (e.g., "IoT Sensors", "Printers")
PSK Shared passphrase for all devices in group
VLAN VLAN ID for devices in this group
Description Notes about the group purpose

Group Hierarchy

Priority 
1. Endpoint-specific PSK (if set)
   ↓ fallback to
2. Endpoint Group PSK
   ↓ fallback to
3. Reject (no matching endpoint)

Adding Endpoints

Single Endpoint (GUI)

1

Navigate to Endpoints

Click Add Endpoint

2

Enter endpoint details:

MAC Address Device MAC (e.g., AA:BB:CC:DD:EE:FF)
Name Descriptive name (e.g., "Sensor - Room 101")
Group Endpoint group membership
PSK Override group PSK (optional)
Description Notes, location, model info

Bulk Import (CSV)

Import many endpoints at once using CSV format:

CSV Format 
mac_address,name,group_name,description
AA:BB:CC:DD:EE:01,Printer Floor 1,Printers,HP LaserJet
AA:BB:CC:DD:EE:02,Printer Floor 2,Printers,HP LaserJet
AA:BB:CC:DD:EE:03,Camera Lobby,Security Cameras,Axis P3245
AA:BB:CC:DD:EE:04,Camera Parking,Security Cameras,Axis P3245

To import:

  1. Go to Endpoints
  2. Click Import
  3. Select your CSV file
  4. Map columns to fields
  5. Click Import

Via API

cURL 
curl -X POST "https://api.netkey.no/v1/endpoints" \
  -H "X-API-Key: nk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "mac_address": "AA:BB:CC:DD:EE:FF",
    "name": "Conference Room Display",
    "endpoint_group_id": 5,
    "description": "Samsung 65\" Display"
  }'

MAC Address Formats

Wireless controllers send MAC addresses in different formats. Configure NetKey to match your controller's format.

Format Example Common Vendors
Colon uppercase AA:BB:CC:DD:EE:FF Cisco IOS-XE, Aruba
Colon lowercase aa:bb:cc:dd:ee:ff Linux-based systems
Hyphen uppercase AA-BB-CC-DD-EE-FF Windows, some controllers
No delimiter AABBCCDDEEFF Cisco AireOS
Cisco format aabb.ccdd.eeff Cisco CLI display

Configuration

Set the MAC format in Group Settings → RADIUS → MAC Format

Auto-Normalization

NetKey automatically normalizes MAC addresses when adding endpoints. You can enter MACs in any format and they'll be stored consistently.

VLAN Assignment

Assign devices to VLANs based on their endpoint group or individual settings.

VLAN Priority

  1. Endpoint-specific VLAN - If set on the endpoint
  2. Endpoint Group VLAN - If set on the group
  3. Default VLAN - Controller's default for the WLAN

Example Segmentation

Endpoint Group VLAN Purpose
Security Cameras 50 Isolated camera network
IoT Sensors 60 Building automation
Printers 70 Print services VLAN
Conference Equipment 80 A/V and presentation

Controller Configuration

Enable MAC authentication on your wireless controller to use iPSK.

Cisco WLC 9800

CLI 
! Enable MAC filtering on WLAN
wlan ipsk-network
 mac-filtering netkey-mac-list
 security wpa psk set-key ascii 0 placeholder123
 no security wpa akm dot1x
 security wpa akm psk
!

Aruba Controller

CLI 
aaa profile "ipsk-aaa-profile"
    initial-role "authenticated"
    authentication-mac
    mac-server-group "netkey-server-group"
!

See Integration Guides for complete vendor-specific instructions.

Disable Fast Transition (802.11r)

Fast Transition must be disabled on iPSK SSIDs. FT pre-caches the PMK for fast roaming, but with unique PSKs per device, the target AP cannot know which PMK to use. Standard roaming still works well without FT.

Security Considerations

MAC Spoofing

MAC addresses can be spoofed. iPSK should not be used as the sole security mechanism for highly sensitive networks. Combine with network segmentation, firewalls, and monitoring.

Mitigations

  • Use unique PSKs per group - Limit exposure if one PSK is compromised
  • Segment by VLAN - Isolate device types from each other
  • Monitor for anomalies - Track connection patterns in Auth Logs
  • Rotate PSKs periodically - Change group PSKs on a schedule
  • Limit to IoT devices - Use 802.1X for user devices when possible

When to Use 802.1X Instead

  • Devices support EAP authentication
  • Managed devices with MDM/certificates
  • User devices requiring identity-based access
  • High-security environments

Troubleshooting

  • Check MAC address is registered in Endpoints
  • Verify MAC format matches controller format
  • Check endpoint is enabled
  • Verify endpoint group has PSK configured
  • Check Auth Logs for RADIUS requests
  • Verify MAC filtering is enabled on WLAN
  • Check RADIUS server is configured on controller
  • Verify network connectivity to RADIUS server
  • Check firewall allows UDP 1812/1813
  • Verify endpoint exists and has PSK (or group has PSK)
  • Check vendor-specific attributes are enabled
  • Verify controller supports iPSK attribute
  • Check Auth Logs for the RADIUS response
  • Check endpoint-specific VLAN setting
  • Check endpoint group VLAN setting
  • Verify AAA Override is enabled on controller
  • Ensure VLAN exists on controller