----
====== Private PSK (PPSK) Overview ======

===== Introduction =====

  * Private Pre-Shared Key (PPSK) is a feature that allows **multiple** WiFi keys to be used on a **single** SSID.
  * It can be compared to a door that can be unlocked by people holding different keys to gain access to a building.
  * This is in contrast to a door where everyone has the same key to unlock it and gain access to the building.
  * The advantage of using different keys is ease of management.
  * Suppose you have a small office where an employee leaves the company on bad terms and you want to make sure they no longer have access to the WiFi network.
  * Without PPSK support you need to:
    * Change the shared key on the access point(s).
    * Inform all employees that the WiFi key has changed and hope that they update every device they have configured to connect to the office WiFi network.
    * Update the WiFi key on every peripheral connected to the network as well, including printers, scanners and cameras.
  * With PPSK support, you simply revoke the PPSK of the employee who left; every other key keeps working.
  * Using one SSID with multiple keys also avoids the extra beacon and probe-response overhead that each additional SSID adds, which improves airtime utilisation, and it gives users a simpler experience (one network name to choose).

----
===== History =====

  * The PPSK function has been around for a long time.
  * Aerohive (now Extreme Networks) was probably the first vendor to come up with this feature, more than 8 years ago.
  * Most enterprise vendors have caught up and added the feature, but some ignored requests for it for years ([[https://community.ui.com/questions/Any-plans-for-Private-PSK/3133c6d5-b24b-48cb-ae00-7d30abfe6422|here]] you can see a post where the Ubiquiti community asked for this feature 7 years ago).
  * Ubiquiti finally implemented the feature in UniFi in 2023.
  * This was probably because TP-Link's Omada already included the feature and some Ubiquiti customers who wanted it opted for Omada instead.
  * However, the Ubiquiti implementation does not include a RADIUS option, whereas the Omada implementation does.
  * Some people think Omada is a copy of UniFi. With PPSK, we can definitely say that Omada took the initiative before UniFi.
  * Each vendor has its own implementation and sometimes its own terminology:
    * Cisco calls it **Identity PSK**.
    * Aruba calls it **Multiple Pre-Shared Key (MPSK)**.
    * Ruckus calls it **Dynamic PSK**.
  * Some of these names and technologies are trademarked and protected.
  * Under the hood, however, most vendors that have recently added the PPSK function use the **hostapd** program.
  * **hostapd** is an open source authenticator for WiFi APs.
  * The feature offers two main functions:
    * Each device that connects to a single SSID can have its own **unique** WPA2 shared key.
    * Each device can be assigned to a predefined VLAN after it authenticates; the VLAN is tied to the key that authenticated the device.
  * Because a WPA2 client never tells the AP which key it holds, the AP has to try each configured key against the 4-way handshake; the key whose derived PTK validates the client's message 2 MIC identifies the device (and therefore its VLAN).
  * Note that PPSK is still WPA2-PSK: a captured 4-way handshake allows an offline guessing attack against that particular key, so per-device keys should be long and random rather than short and memorable.

----
===== Why not 802.1x? =====

  * WPA2-Enterprise is definitely more secure, but two problems prevent most people from implementing it.
  * Certificate management: the client has to be configured to trust the RADIUS server's certificate, which usually means installing the Certificate Authority (CA) certificate on every connecting client. A client that skips this check is open to a rogue AP posing as the network.
  * Not all WiFi devices support it:
    * Many IoT devices do not support WPA2-Enterprise.
    * Many printers and WiFi cameras do not support WPA2-Enterprise.
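The "under the hood" mechanism described above (one SSID, several keys, the AP working out which key a client used) can be shown end to end with nothing but the standard WPA2 derivations. The following is an added example written for this page; it is not code from hostapd or from any vendor. The PSK table, VLAN ids, MAC addresses, nonces and the simplified EAPOL-Key message 2 body are all constructed for illustration; only the PMK, PRF, PTK/KCK and MIC computations follow IEEE 802.11.

```python
"""Added example: how an AP with several PSKs on one SSID identifies the client.

Client side builds EAPOL-Key message 2 of the 4-way handshake and its MIC from
its own passphrase. AP side tries every candidate PSK and returns the name and
VLAN of the one whose KCK validates that MIC. Everything except the 802.11
derivations is constructed test data.
"""
import hashlib
import hmac

SSID = "OfficeWiFi"  # constructed

# Constructed PPSK table (assumption: names, passphrases and VLAN ids are illustrative).
PSK_TABLE = {
    "alice":   {"passphrase": "alice-laptop-2024", "vlan": 10},
    "bob":     {"passphrase": "bob-phone-2024",    "vlan": 10},
    "printer": {"passphrase": "printer-floor-2",   "vlan": 20},
}

# Constructed addresses and nonces; a real AP takes these from the handshake frames.
AP_MAC = bytes.fromhex("02aa00000001")
STA_MAC = bytes.fromhex("02bb00000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    The first 128 bits of the PTK are the KCK, the key used for the EAPOL-Key MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1 over the frame, truncated to 128 bits.
    The frame is passed with its MIC field zeroed, which is how both sides compute it."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def supplicant_message2(passphrase: str):
    """Client side: build a constructed, simplified message 2 carrying the SNonce and MIC it."""
    frame = b"\x02\x03" + SNONCE  # stand-in for the EAPOL-Key header plus SNonce (constructed)
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return frame, eapol_mic(kck, frame)


def ap_identify(frame: bytes, mic: bytes):
    """AP side: try each candidate PSK; the one whose KCK validates the MIC identifies the client.
    Returns (name, vlan), or None when no key matches and the handshake must be rejected."""
    for name, entry in PSK_TABLE.items():
        kck = derive_kck(pmk_from_passphrase(entry["passphrase"], SSID),
                         AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return name, entry["vlan"]
    return None


if __name__ == "__main__":
    frame, mic = supplicant_message2("printer-floor-2")
    print(ap_identify(frame, mic))  # ('printer', 20)
    frame, mic = supplicant_message2("revoked-key")
    print(ap_identify(frame, mic))  # None
```

Two practical points follow from the loop in `ap_identify`. First, a real AP derives the PMK for every entry once when the key table is loaded rather than running PBKDF2 (4096 rounds) per candidate per association; hostapd does this for its `wpa_psk_file`, where each line has the form `[keyid=<id>] [vlanid=<vlan>] <MAC address> <PSK>` and a MAC of `00:00:00:00:00:00` means the entry may be used by any client. Second, binding an entry to a specific MAC lets the AP try only that entry for that client, which keeps the per-handshake cost flat as the table grows.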