Cisco AireOS WLC Integration

Configure your Cisco AireOS-based Wireless LAN Controller to authenticate users with NetKey using RADIUS for EasyPSK and iPSK authentication.

AireOS Version

This guide applies to Cisco WLCs running AireOS 8.5 and later, including 2504, 3504, 5508, 5520, 8510, 8540, and vWLC platforms.

Prerequisites

  • Cisco WLC running AireOS 8.5 or later
  • Network connectivity between WLC and NetKey RADIUS server
  • Administrative access to WLC
  • NetKey Group configured with RADIUS secret

Finding Your RADIUS Server Details

Log in to app.netkey.no and go to Settings → RADIUS Clients to find your RADIUS server IP/hostname and create a shared secret for your WLC.

GUI Configuration

Follow these steps using the WLC web interface.

Step 1: Add RADIUS Authentication Server

1. Navigate to SECURITY → AAA → RADIUS → Authentication

Click New... to add a new server.

2. Configure the RADIUS server settings:

Server IP Address: your-radius-server
Shared Secret Format: ASCII
Shared Secret: Your NetKey Group RADIUS secret
Port Number: 1812
Server Status: Enabled
Support for CoA: Enabled

Click Apply to save.

Step 2: Add RADIUS Accounting Server

3. Navigate to SECURITY → AAA → RADIUS → Accounting

Click New... and configure:

Server IP Address: your-radius-server
Shared Secret: Same as authentication
Port Number: 1813
Server Status: Enabled

Step 3: Create WLAN for EasyPSK

4. Navigate to WLANs and click Create New → WLAN

Configure General settings:

Profile Name: Corporate-PSK
SSID: Corporate-PSK
Status: Enabled
Interface/Group: Your dynamic interface

5. Click the Security tab and configure Layer 2 Security:

Layer 2 Security: WPA+WPA2
WPA2 Policy: Enabled
WPA2 Encryption: AES (CCMP)
Auth Key Mgmt: PSK

Set PSK Format to ASCII and enter a placeholder PSK (e.g., placeholder123).

6. Still on the Security tab, go to AAA Servers:

Authentication Servers: Select your NetKey RADIUS server
Accounting Servers: Select your NetKey RADIUS server

7. Go to the Advanced tab and enable:

Allow AAA Override: Enabled
NAC State: RADIUS NAC (optional)

AAA Override allows NetKey to push VLAN assignments dynamically.

8. Click Apply and then Save Configuration at the top.

CLI Configuration

Alternatively, use CLI commands via SSH or console.

Configure RADIUS Server

CLI
! Add RADIUS authentication server
config radius auth add 1 your-radius-server 1812 ascii YourSecretHere

! Add RADIUS accounting server
config radius acct add 1 your-radius-server 1813 ascii YourSecretHere

! Enable RADIUS server
config radius auth enable 1
config radius acct enable 1

! Enable Change of Authorization (CoA)
config radius auth rfc3576 enable 1

Create WLAN

CLI
! Create WLAN with ID 1
config wlan create 1 Corporate-PSK Corporate-PSK

! Set security to WPA2-PSK
config wlan security wpa akm psk enable 1
config wlan security wpa wpa2 ciphers aes enable 1

! Set placeholder PSK
config wlan security wpa akm psk set-key ascii placeholder123 1

! Assign RADIUS servers
config wlan radius_server auth add 1 1
config wlan radius_server acct add 1 1

! Enable AAA override for dynamic VLAN
config wlan aaa-override enable 1

! Enable the WLAN
config wlan enable 1

! Save configuration
save config

iPSK Configuration

For Identity PSK (iPSK) authentication using MAC address, configure MAC filtering.

Enable MAC Filtering via GUI

1. Navigate to WLANs and select your WLAN.

Go to Security → Layer 2 and enable MAC Filtering.

2. On the Security → AAA Servers tab:

MAC Filtering: Enabled
Authorization List Type: RADIUS
RADIUS Server: Your NetKey server

Enable MAC Filtering via CLI

CLI
! Enable MAC filtering on WLAN 1
config wlan mac-filtering enable 1

! Configure MAC delimiter (format sent to RADIUS)
config macfilter mac-delimiter colon

! Save configuration
save config

MAC Address Format

Configure the MAC delimiter to match your NetKey group settings. Common formats: colon (AA:BB:CC:DD:EE:FF), hyphen (AA-BB-CC-DD-EE-FF), or none (AABBCCDDEEFF).
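
The following added example (not NetKey or Cisco code) audits a list of registered MAC addresses against the delimiter configured on the WLC and proposes the corrected spelling for each mismatch. It assumes NetKey compares the registered value as an exact string; the `REGISTERED` list is constructed sample data and the function names are hypothetical.

```python
import re

# Delimiter styles the page lists for "config macfilter mac-delimiter",
# written in uppercase as in the page's examples.
FORMATS = {
    "colon": re.compile(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}"),
    "hyphen": re.compile(r"(?:[0-9A-F]{2}-){5}[0-9A-F]{2}"),
    "none": re.compile(r"[0-9A-F]{12}"),
}
SEPARATORS = {"colon": ":", "hyphen": "-", "none": ""}

def classify(entry):
    """Return the delimiter style an entry already matches exactly, or None."""
    for name, pattern in FORMATS.items():
        if pattern.fullmatch(entry):
            return name
    return None

def render(entry, delimiter):
    """Rewrite a MAC typed in any common spelling as uppercase with one delimiter."""
    digits = re.sub(r"[:.\-\s]", "", entry).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {entry!r}")
    return SEPARATORS[delimiter].join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(registered, delimiter):
    """Return (entry, corrected) pairs for entries that would not match the WLC format."""
    return [(e, render(e, delimiter)) for e in registered if classify(e) != delimiter]

# Constructed sample: entries as they might have been typed into a NetKey group.
REGISTERED = ["AA:BB:CC:DD:EE:FF", "aa-bb-cc-dd-ee-01", "AABBCCDDEE02", "aabb.ccdd.ee03"]

if __name__ == "__main__":
    for entry, fixed in audit(REGISTERED, "colon"):
        print(f"{entry:20} -> {fixed}")
```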

Dynamic VLAN Assignment

NetKey can dynamically assign VLANs based on PSK or endpoint group.

Create Dynamic Interfaces

First, ensure you have interfaces for each VLAN on your WLC.

1. Navigate to CONTROLLER → Interfaces

Click New... and configure:

Interface Name: guest-vlan100
VLAN ID: 100
Port Number: 1
IP Address: Interface IP in VLAN
Gateway: Default gateway for VLAN

Interface Group (Optional)

Create an interface group containing all VLANs that NetKey may assign:

CLI
! Create interface group
config interface group create netkey-vlans

! Add interfaces to group
config interface group interface add netkey-vlans guest-vlan100
config interface group interface add netkey-vlans employee-vlan200
config interface group interface add netkey-vlans contractor-vlan300

! Assign group to WLAN
config wlan interface 1 netkey-vlans

! Save configuration
save config

VLAN Assignment Working

When AAA Override is enabled, NetKey's RADIUS response containing Tunnel-Private-Group-ID will dynamically assign the client to the appropriate VLAN.
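
To check a captured reply against the interfaces defined on the WLC, the added example below (not NetKey or Cisco code) parses a RADIUS Access-Accept, extracts Tunnel-Private-Group-ID, and reports whether a matching dynamic interface exists. The packet is constructed inline, the function names are hypothetical, VLAN IDs 200 and 300 are assumed from the interface names above, and the check for the companion Tunnel-Type and Tunnel-Medium-Type attributes follows RFC 3580 rather than anything stated on this page.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
# Interface names from the page's group example; VLAN IDs 200/300 are assumed from the names.
WLC_VLANS = {100: "guest-vlan100", 200: "employee-vlan200", 300: "contractor-vlan300"}

def parse_attributes(packet):
    """Return (code, {type: value}) for a RADIUS packet laid out per RFC 2865."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # header: code, id, length, 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return packet[0], attrs

def vlan_verdict(packet):
    """Say which WLC interface, if any, this reply would move the client to."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return "not an Access-Accept"
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not group:
        return "no Tunnel-Private-Group-ID: no VLAN override requested"
    # RFC 2868: a first octet of 0x1F or lower is a tag, not part of the string.
    text = (group[1:] if group[0] <= 0x1F else group).decode("ascii", "replace")
    is_vlan = (attrs.get(TUNNEL_TYPE, b"")[1:] == b"\x00\x00\x0d"
               and attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == b"\x00\x00\x06")
    if not is_vlan:
        return "Tunnel-Type=VLAN(13) / Tunnel-Medium-Type=802(6) missing (RFC 3580)"
    if not text.isdigit() or int(text) not in WLC_VLANS:
        return f"VLAN {text!r} has no matching interface on the WLC"
    return f"VLAN {text} -> interface {WLC_VLANS[int(text)]}"

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def sample_accept(vlan):  # constructed reply; authenticator is zero-filled, not valid
    attrs = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
             + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
             + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode("ascii")))
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(*(vlan_verdict(sample_accept(v)) for v in (100, 400)), sep="\n")
```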

Verification & Testing

Check RADIUS Server Status

CLI
show radius summary
show radius auth statistics

Example Output

Output
Vendor Id Backward Compatibility................. Disabled
Call Station Id Type............................. IP Address
Administrative Authentication via RADIUS........ Enabled
Keywrap.......................................... Disabled
Authentication Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576
---  ----  ----------------  ------  --------  ----  -------
1    N     your-radius-server    1812    Enabled   2     Enabled

Monitor Client Connections

CLI
! Show client summary
show client summary

! Show detailed client info (replace MAC)
show client detail aa:bb:cc:dd:ee:ff

Debug RADIUS (Troubleshooting)

CLI
! Enable debugging
debug aaa all enable
debug client aa:bb:cc:dd:ee:ff

! Disable debugging when done
debug disable-all

Debug Mode

Debug commands generate significant output. Always disable debugging after troubleshooting to avoid performance impact.

Troubleshooting

  • Verify network connectivity: ping your-radius-server
  • Check that firewall rules allow UDP 1812/1813
  • Ensure RADIUS secret matches exactly (case-sensitive)
  • Re-enable server: config radius auth enable 1
  • Check NetKey logs for authentication attempts
  • Verify PSK exists and is enabled in NetKey
  • For iPSK: Verify MAC address is registered
  • Enable debug: debug aaa all enable
  • Check WLAN status: show wlan summary
  • Verify AAA Override is enabled on WLAN
  • Ensure interface exists for target VLAN
  • Check client details: show client detail [mac]
  • Verify VLAN ID matches exactly in NetKey
  • Verify MAC delimiter matches NetKey: show macfilter
  • Common formats: colon, hyphen, none
  • Change delimiter: config macfilter mac-delimiter colon
  • Verify MAC is uppercase in NetKey