Cisco Catalyst 9800 WLC
Step-by-step guide to configuring the Cisco Catalyst 9800 Series Wireless LAN Controller for NetKey RADIUS authentication, including EasyPSK, iPSK, and 802.1X.
Prerequisites
- Cisco Catalyst 9800 WLC running IOS-XE 17.3 or later
- Administrative access to the WLC (GUI or CLI)
- Network connectivity to your NetKey RADIUS server
- NetKey RADIUS shared secret (from dashboard)
Log in to app.netkey.no → Settings → RADIUS Clients to find your RADIUS server IP/hostname and create a shared secret for your WLC.
Configuration via Web GUI
Step 1: Add RADIUS Server
Navigate to RADIUS Configuration
Go to Configuration → Security → AAA → Servers / Groups → RADIUS → Servers
Add New Server
Click + Add and enter the following:
Configure Advanced Settings
Under Advanced Settings:
- Support for CoA: Enabled
- Timeout: 5 seconds
- Retransmit: 3
Step 2: Create Server Group
Navigate to Server Groups
Go to Configuration → Security → AAA → Servers / Groups → RADIUS → Server Groups
Create New Group
Click + Add and configure:
Add Server to Group
In the Assigned Servers section, add NETKEY-RADIUS to the group.
Step 3: Create AAA Method List
Navigate to Method Lists
Go to Configuration → Security → AAA → AAA Method List → Authentication
Create Method List
Step 4: Configure WLAN for EasyPSK
For EasyPSK authentication (a unique PSK per user), configure the WLAN to use MAC-RADIUS authentication together with PSK:
Navigate to WLANs
Go to Configuration → Tags & Profiles → WLANs and select your WLAN (or create new)
Configure Security
Under the Security tab → Layer 2:
- Layer 2 Security: WPA2 + WPA3
- WPA2 Policy: Enabled
- WPA2 Encryption: AES (CCMP)
- Auth Key Management: PSK
Enable MAC Filtering
Under Security → Layer 2 → MAC Filtering:
- MAC Filtering: Enabled
- Authorization List: NETKEY-AUTH
Configure AAA
Under Security → AAA:
- Authentication List: NETKEY-AUTH
- Authorization List: NETKEY-AUTH
Configuration via CLI
For those who prefer the command line, here's the complete CLI configuration:
RADIUS Server Configuration
```
! Enable the AAA subsystem (required before any aaa commands are accepted)
aaa new-model
! Configure RADIUS server
radius server NETKEY-RADIUS
 address ipv4 your-radius-server auth-port 1812 acct-port 1813
 key YOUR_SHARED_SECRET
 timeout 5
 retransmit 3
! Create server group (colon delimiter matches the MAC format NetKey expects)
aaa group server radius NETKEY-GROUP
 server name NETKEY-RADIUS
 mac-delimiter colon
! Create authentication and authorization method lists
aaa authentication dot1x NETKEY-AUTH group NETKEY-GROUP
aaa authorization network NETKEY-AUTH group NETKEY-GROUP
```
WLAN Configuration for EasyPSK
```
! Configure WLAN for EasyPSK
wlan NETKEY-PSK 1 NETKEY-PSK
 ! a new WLAN has the 802.1X AKM enabled by default; remove it before enabling PSK
 no security wpa akm dot1x
 security wpa psk set-key ascii 0 DefaultPSK123
 security wpa akm psk
 security wpa wpa2
 security wpa wpa2 ciphers aes
 mac-filtering NETKEY-AUTH
 no shutdown
! Associate WLAN with policy profile
wireless profile policy NETKEY-POLICY
 aaa-override
 vlan 100
 no shutdown
! Create policy tag
wireless tag policy NETKEY-TAG
 wlan NETKEY-PSK policy NETKEY-POLICY
```
`DefaultPSK123` is a placeholder. The PSK actually used is returned by NetKey in the RADIUS response and overrides this default.
WLAN Configuration for 802.1X
```
! Configure WLAN for 802.1X (PEAP/EAP-TLS)
wlan NETKEY-DOT1X 2 NETKEY-Enterprise
 security dot1x authentication-list NETKEY-AUTH
 security wpa akm dot1x
 security wpa wpa2
 security wpa wpa2 ciphers aes
 no shutdown
! Associate with policy profile
wireless profile policy NETKEY-DOT1X-POLICY
 aaa-override
 no shutdown
wireless tag policy NETKEY-DOT1X-TAG
 wlan NETKEY-DOT1X policy NETKEY-DOT1X-POLICY
```
iPSK Configuration (Identity PSK)
Identity PSK allows you to assign unique PSKs based on device MAC address, perfect for IoT device onboarding.
Requirements
- IOS-XE 17.3 or later
- WPA2-PSK or WPA3-SAE
- MAC filtering enabled
CLI Configuration
```
! Configure WLAN for iPSK
wlan NETKEY-IPSK 3 NETKEY-Devices
 ! a new WLAN has the 802.1X AKM enabled by default; remove it before enabling PSK
 no security wpa akm dot1x
 security wpa psk set-key ascii 0 FallbackPSK123
 security wpa akm psk
 security wpa wpa2
 security wpa wpa2 ciphers aes
 mac-filtering NETKEY-AUTH
 no shutdown
! Enable AAA override for dynamic PSK
wireless profile policy NETKEY-IPSK-POLICY
 aaa-override
 ipv4 dhcp required
 vlan 200
 no shutdown
```
When a device connects, the WLC sends the MAC address to NetKey. If the MAC matches an endpoint group, NetKey returns the unique PSK for that device in the RADIUS response.
Dynamic VLAN Assignment
NetKey can return VLAN assignments in the RADIUS response. To enable this:
Enable AAA Override
```
! Enable AAA override on the policy profile
wireless profile policy YOUR-POLICY
 aaa-override
 no shutdown
```
RADIUS Attributes
NetKey returns these standard RADIUS attributes for VLAN assignment:
| Attribute | Value | Description |
|---|---|---|
| Tunnel-Type | VLAN (13) | Indicates VLAN assignment |
| Tunnel-Medium-Type | IEEE-802 (6) | 802 network type |
| Tunnel-Private-Group-ID | VLAN ID | The assigned VLAN |
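The following is an added example, not NetKey's or Cisco's code, that models the MAC-filtering exchange described in the iPSK section together with the VLAN attributes in the table above. The server side normalises the MAC the WLC sends as User-Name (whatever delimiter the group is set to), looks it up in a constructed endpoint table, and emits the three Tunnel-* attributes; the WLC side parses the attributes as RFC 2865 TLVs with RFC 2868 tags and validates the VLAN before it would be applied under `aaa-override`. The endpoint table, PSK strings and VLAN numbers are constructed placeholders, and the PSK itself travels in a vendor-specific attribute that is not modelled here.

```python
"""Model of the iPSK / dynamic-VLAN RADIUS exchange (added example, hypothetical data)."""
import re
import struct

# Attribute type codes (RFC 2865 / RFC 2868) and the two enumerated values from the table
USER_NAME = 1
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed endpoint table (hypothetical): canonical MAC -> (psk, vlan)
ENDPOINTS = {
    "aa:bb:cc:dd:ee:01": ("sensor-psk-placeholder", 200),
    "aa:bb:cc:dd:ee:02": ("camera-psk-placeholder", 201),
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(user_name):
    """Accept colon, hyphen, dotted or bare MAC forms; return the colon form, or None."""
    raw = re.sub(r"[:.\-]", "", user_name.strip().lower())
    if not _HEX12.match(raw):
        return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def encode_attr(attr_type, value):
    """One attribute as Type | Length | Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_tagged_int(attr_type, tag, integer):
    """Tagged integer: 1-byte tag followed by a 3-byte big-endian value (RFC 2868)."""
    return encode_attr(attr_type, bytes([tag]) + struct.pack("!I", integer)[1:])


def build_access_accept_attrs(user_name):
    """Server side: (attribute bytes, psk) for a known MAC, or None meaning Access-Reject."""
    mac = normalize_mac(user_name)
    if mac is None or mac not in ENDPOINTS:
        return None
    psk, vlan = ENDPOINTS[mac]
    tag = 1  # all three Tunnel-* attributes must carry the same tag
    attrs = encode_attr(USER_NAME, mac.encode())
    attrs += encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
    attrs += encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
    attrs += encode_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    return attrs, psk


def parse_attrs(data):
    """Split a run of attributes into (type, value) pairs; refuse malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def decode_tagged_int(value):
    """Return (tag, integer); a first byte above 0x1F means there is no tag (RFC 2868 3.1)."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    if value[0] > 0x1F:
        return 0, struct.unpack("!I", value)[0]
    return value[0], int.from_bytes(value[1:], "big")


def assigned_vlan(attr_bytes, max_vlan=4094):
    """WLC side: the VLAN to apply, or None if the Tunnel-* set is absent or inconsistent."""
    by_type = {}
    for attr_type, value in parse_attrs(attr_bytes):
        by_type.setdefault(attr_type, value)  # first instance of each type wins
    try:
        ttag, ttype = decode_tagged_int(by_type[TUNNEL_TYPE])
        mtag, mtype = decode_tagged_int(by_type[TUNNEL_MEDIUM_TYPE])
        gid = by_type[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None
    if ttype != TUNNEL_TYPE_VLAN or mtype != TUNNEL_MEDIUM_IEEE_802 or not gid:
        return None
    gtag = 0
    if gid[0] <= 0x1F:  # string attributes carry the tag the same way
        gtag, gid = gid[0], gid[1:]
    if not (ttag == mtag == gtag) or not gid.isdigit():
        return None
    vlan = int(gid)
    return vlan if 1 <= vlan <= max_vlan else None
```

Two points from the troubleshooting section show up directly in this model: a User-Name the server cannot normalise to a known MAC ends in a reject, which is what a wrong delimiter setting looks like from the NetKey side, and a VLAN outside the range the controller actually carries is rejected by `assigned_vlan` rather than silently applied, which is the check to keep in mind because `aaa-override` trusts whatever the RADIUS server returns.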
Testing the Configuration
Verify RADIUS Connectivity
```
! Test RADIUS server reachability
test aaa group NETKEY-GROUP testuser testpassword new-code
! Check RADIUS statistics
show aaa servers
show radius statistics
```
Check Client Authentication
```
! View connected clients
show wireless client summary
! View detailed client info
show wireless client mac-address AA:BB:CC:DD:EE:FF detail
```
Debug Commands
```
! Enable RADIUS debugging (use sparingly)
debug aaa authentication
debug aaa authorization
debug radius
! Disable debugging
undebug all
```
Debug commands can impact controller performance. Use them only during troubleshooting and disable immediately after.
Troubleshooting
Common Issues
RADIUS Server Not Responding
- Verify network connectivity: `ping your-radius-server`
- Check firewall allows UDP 1812/1813 outbound
- Verify shared secret matches exactly
- Check `show aaa servers` for error counts
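As an added example (not NetKey's or Cisco's code), the following shows why a mismatched shared secret looks like "server not responding" rather than an authentication failure. Per RFC 2865 the WLC checks each reply's Response Authenticator, MD5 over the reply header, the request's authenticator, the reply attributes and the shared secret, and silently discards replies that fail the check, so a wrong secret on either side produces only timeouts and retransmits. The secret and request authenticator below are constructed placeholders.

```python
"""Response Authenticator check a RADIUS client performs (added example, constructed values)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """Server side: assemble a reply carrying a valid Response Authenticator."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """WLC side: True only if the reply is well-formed and was computed with our secret
    against the authenticator of the request we sent. Uses a constant-time compare."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:],
                                      request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


# Constructed demonstration values; a real client draws the request authenticator at random
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET = b"placeholder-shared-secret"


def demo():
    """Returns (accepted with the matching secret, accepted with a mistyped secret)."""
    reply = build_response(ACCESS_ACCEPT, 7, b"", REQUEST_AUTH, SERVER_SECRET)
    return (verify_response(reply, REQUEST_AUTH, SERVER_SECRET),
            verify_response(reply, REQUEST_AUTH, b"placeholder-typo"))
```

Because this MD5-keyed check is the only thing that authenticates the RADIUS server to the controller, the shared secret created in the NetKey dashboard should be long and unique per WLC, and the UDP 1812/1813 path should be restricted to the management network that carries it.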
Authentication Rejected
- Verify PSK exists and is not expired in NetKey
- Check MAC delimiter setting (should be colon)
- Review NetKey Auth Logs for detailed error
- Ensure SSID is configured in NetKey group settings
VLAN Not Being Assigned
- Verify `aaa-override` is enabled on policy profile
- Check VLAN exists on WLC and is trunked to APs
- Verify PSK has VLAN assigned in NetKey
- Check client detail: `show wireless client mac-address XX:XX:XX detail`