Differences

This shows you the differences between two versions of the page.

--- technical:ppsk-overview [2024/04/18 07:18] – [History] system
+++ technical:ppsk-overview [2024/04/27 06:16] (current) – system
@@ Line 1: / Line 1: @@
+<nav type="pills" justified="false">
+  * [[:user_manuals|Back to Documentation]]
+  * [[:technical:ppsk-overview|PPSK Overview]]
+</nav>
+-----
 ====== Private PSK (PPSK) Overview ======
 ===== Introduction =====
-  * Private Pre Shared Key (PPSK) is a feature that allows **multiple** WiFi keys to be used on a **single** SSID.
+  * Private Pre Shared Key (PPSK) is a function that allows **multiple** WiFi keys to be used for a **single** SSID.
-  * It can be compared to a door which will allow people with different keys to unlock it and gain access to a building.
+  * It can be compared to a door that can be unlocked by people with different keys to gain access to a building.
-  * This then stands in contrast to a door where everyone has the same key to unlock it and gain access to a building.
+  * This is in contrast to a door where everyone has the same key to unlock it and gain access to a building.
-  * The advantage of using different keys lies in the ease of management.
+  * The advantage of using different keys is the ease of management.
-  * If you have a small office setup where an employee perhaps leave the company on a bad foot and you want to make sure he can not gain access to the WiFi network.
+  * Suppose you have a small office setup where an employee leave the company on a bad foot  and you want to make sure they do not get access to the WiFi network.
-  * Without Pre Shared key support you have to:
+  * Without the support of PPSK you need to:
-    * Change the shared key on the Access Point(s).
+    * Change the shared key on the access point(s).
-    * Inform everyone that the WiFi key now changed and hope they will be skilled enough to update each device which are configured to connect to the office's WiFi network.
+    * Inform all employees that the WiFi key has changed and hopefully they will be smart enough to update any devices that are configured to connect to the office WiFi network.
-    * Another place where you might need to update the WiFi key will be all the peripherals that connects to the network including printers, scanners and cameras.
+    * Another place where you need to update the WiFi key is any peripherals that are connected to the network, including printers, scanners and cameras.
-  * With Pre Shared key support you can simply revoke the employees PPSK.
+  * With PPSK support, you simply revoke the PPSK of employees.
+  * Also using one SSID with multiple keys improves bandwidth utilisation and provides a simplified user experience.
+------
 ===== History =====
-  * The PPSK feature has been around for a long time already.
+  * The PPSK function has been around for a long time.
-  * Aerohive (now Extreme Networks) was probably the first vendor to come up with the feature more than 8 years ago.
+  * Aerohive (now Extreme Networks) was probably the first vendor to come up with this feature more than 8 years ago.
-  * Most enterprise vendors caught up and added the feature but some ignored the feature request for many years. ([[https://community.ui.com/questions/Any-plans-for-Private-PSK/3133c6d5-b24b-48cb-ae00-7d30abfe6422|Here]] you can see a post where the Ubiquity users were asking for the feature already 7 years ago)
+  * Most enterprise vendors have caught up and added the feature, but some have ignored the request for this feature for years. ([[https://community.ui.com/questions/Any-plans-for-Private-PSK/3133c6d5-b24b-48cb-ae00-7d30abfe6422|Here]] you can see a post where the Ubiquity community asked for this feature 7 years ago)
-  * Ubiquity finally implemented the feature in 2023 in Unifi.
+  * Ubiquity finally implemented the feature in Unifi in 2023.
-  * This was probably due to the fact that Omada from TP-Link has the feature included and that some of the Ubiquity customers that wanted the feature then opted for Omada.
+  * This was probably because TP-Link's Omada already included the feature and some of the Ubiquity customers who wanted the feature then opted for Omada.
-  * The Ubiquity implementation, however does not include a RADIUS option where the Omada implementation does.
+  * However, the Ubiquity implementation does not include a RADIUS option, whereas the Omada implementation does.
-  * Some people consider Omada a copy of Unifi. With PPSK we can say definitely say Omada took the initiative before Unifi.
+  * Some people think Omada is a copy of Unifi. With PPSK, we can definitely say that Omada took the initiative before Unifi.
-  * Each vendor has their own unique implementation and sometimes they also have their own terminology.
+  * Each vendor has its own unique implementation and sometimes its own terminology.
      * Cisco calls it **Identity PSK**.
      * Aruba calls it **Multiple Pre-Shared Key (MPSK)**.
      * Ruckus calls it **Dynamic PSK**.
-  * Some of the names and technologies have been branded and trademarked.
+  * Some of the names and technologies are trademarked and protected.
-  * Underneath the hood, however most of the vendors who recently added the PPSK feature uses the **hostapd** program.
+  * Under the hood, however, most providers that have recently added the PPSK function use the **hostapd** programme.
   * **hostapd** is an open source authenticator for WiFi APs.
-  * This feature provides two main functions.
+  * This feature offers two main functions.
-      * The ability for each device that connects to a single SSID to have a **unique** WPA2 Shared Key.
+      * The ability for each device that connects to a single SSID to have a **unique** WPA2 shared key.
-      * The option for each device to be assigned to a predefined VLAN after authentication.
+      * The ability for each device to be assigned to a predefined VLAN after authentication.
-===== Advantages  =====
-Your next question might be //"OK, so why would I want to use this feature?"// or even //"Where do you use this feature?"//
-  * The Private PSK allows you to use secure, device-bound credentials.
-  * This allows clients to securely authenticate and join the network using a **specific device and PSK combination**.
-  * This enhances security and deployment flexibility for headless IoT devices.
-  * Optional dynamic VLAN assignment further enhances the security and manageability.
-  * RADIUSdesk is used to centrally manage device and PSK matching.
-  * A PSK on the device owner's profile is the most generic solution.
-  * A more granular option will be a PSK on the device owner.
-  * Finally there is an option for a PSK on the device itself.
-  * Other features included with RADIUSdesk are available also to use:
-        * Future date activation.
-        * Expiry date.
-        * Time slots when the network can be used by the device.
-  * One SSID can support all these features.
-  * Using one SSID improves bandwidth utilization and provides a simplified user experience.
-  * The easy to use on-boarding Captive Portal minimize support calls.
-===== Implementation =====
-  * We will split this into two categories. One for small deployments and another for large deployments.
-==== Small deployments ====
-{{:technical:psk:privatepsk.png?nolink|}}
-  * In a small deployment you need a minimum of one Access Point.
-  * Private PSK is also supported in the mesh networks managed by MESHdesk.
-  * You don't need any VLAN aware equipment, the VLAN assignment will be internal.
-  * You will typically have:
-        * A Single SSID that is configured for Private PSK security.
-        * The On-boarding Captive Portal.
-        * A LAN bridge
-        * Zero or more NAT+DHCP networks
-        * Zero or more OpenVPN bridges.
-  * Includes small offices or home deployments
-==== Large deployments  (MDU - Multi-dwelling building, Apartments, Hotels. etc) ====
-{{:technical:psk:privatepsk_large.png?nolink|}}
-  * With large deployments you can potentially have thousands of Access Points all centrally managed using MESHdesk and APdesk.
-  * These deployments will include working together with other components to provide an integrated solution.
-  * You will typically have
-        * A common SSID that is configured for Private PSK security on all the Access Points.
-        * External / Central on-boarding Captive Portal.
-        * Multiple VLAN enabled switches.
-        * A firewall that hosts multiple networks, each of which is linked to a different VLAN.
-  * Includes Multiple Dwelling Units (MDU), Schools, hotels and conference facilities and WiFi networks with IOT devices.
-<WRAP center round info 100%>
-  * You might have noticed that the Access Points in the picture are the Aruba AP105.
-  * RADIUSdesk provides a solution for networking and does not sell hardware.
-  * The Aruba AP105 along with many other older and current hardware are supported by OpenWrt and can thus be used in your deployment.
-  * No vendor lock-in :-)
-</WRAP>
+-----------
 ===== Why not 802.1x? =====
-  * WPA2 Enterprise are definitely more secure but there are two issues which usually turn people off from implementing it.
+  * WPA2 Enterprise is definitely more secure, but there are two problems that prevent most people from implementing it.
-  * Certificate management. The Certificate Authority (CA)'s certificate needs to be installed on the client connecting.
+  * The certificate management. The Certificate Authority (CA) certificate must be installed on the client that is connecting.
-  * Not all WiFi devices support it.
+  * Not all WiFi devices support this.
         * Many IOT devices do not support WPA2-Enterprise
         * Many printers and WiFi cameras do not support WPA2-Enterprise.
-  * RADIUSdesk along with MESHdesk and APdesk however also offer WPA2 Enterprise support should you wish to rather implement it instead of Private PSK.