Differences
| technical:ppsk-overview [2024/04/18 07:29] – [Introduction] system | technical:ppsk-overview [2024/04/27 06:16] (current) – system | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | <nav type=" | ||
| + | * [[: | ||
| + | * [[: | ||
| + | </ | ||
| + | |||
| + | ----- | ||
| ====== Private PSK (PPSK) Overview ====== | ====== Private PSK (PPSK) Overview ====== | ||
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 5: | Line 11: | ||
| * This is in contrast to a door where everyone has the same key to unlock it and gain access to a building. | * This is in contrast to a door where everyone has the same key to unlock it and gain access to a building. | ||
| * The advantage of using different keys is the ease of management. | * The advantage of using different keys is the ease of management. | ||
| - | * If you have a small office setup where an employee | + | * Suppose | 
| - | * Without the support of Pre Shared Key you need to: | + | * Without the support of PPSK you need to: | 
| * Change the shared key on the access point(s). | * Change the shared key on the access point(s). | ||
| * Inform all employees that the WiFi key has changed and hopefully they will be smart enough to update any devices that are configured to connect to the office WiFi network. | * Inform all employees that the WiFi key has changed and hopefully they will be smart enough to update any devices that are configured to connect to the office WiFi network. | ||
| * Another place where you need to update the WiFi key is any peripherals that are connected to the network, including printers, scanners and cameras. | * Another place where you need to update the WiFi key is any peripherals that are connected to the network, including printers, scanners and cameras. | ||
| - | * With pre-shared key support, you simply revoke the PPSK of employees. | + | * With PPSK support, you simply revoke the PPSK of employees. | 
| + | * Also using one SSID with multiple keys improves bandwidth utilisation and provides a simplified user experience. | ||
| + | |||
| + | ------ | ||
| ===== History ===== | ===== History ===== | ||
| - | * The PPSK feature | + | * The PPSK function | 
| - | * Aerohive (now Extreme Networks) was probably the first vendor to come up with the feature more than 8 years ago. | + | * Aerohive (now Extreme Networks) was probably the first vendor to come up with this feature more than 8 years ago. | 
| - | * Most enterprise vendors caught up and added the feature but some ignored the feature | + | * Most enterprise vendors | 
| - | * Ubiquity finally implemented the feature in 2023 in Unifi. | + | * Ubiquity finally implemented the feature | 
| - | * This was probably | + | * This was probably | 
| - | * The Ubiquity implementation, however | + | * However, the Ubiquity implementation does not include a RADIUS option, whereas | 
| - | * Some people | + | * Some people | 
| - | * Each vendor has their own unique implementation and sometimes | + | * Each vendor has its own unique implementation and sometimes | 
| * Cisco calls it **Identity PSK**. | * Cisco calls it **Identity PSK**. | ||
| * Aruba calls it **Multiple Pre-Shared Key (MPSK)**. | * Aruba calls it **Multiple Pre-Shared Key (MPSK)**. | ||
| * Ruckus calls it **Dynamic PSK**. | * Ruckus calls it **Dynamic PSK**. | ||
| - | * Some of the names and technologies | + | * Some of the names and technologies | 
| - | * Underneath | + | * Under the hood, however, most providers that have recently added the PPSK function use the **hostapd** | 
| * **hostapd** is an open source authenticator for WiFi APs. | * **hostapd** is an open source authenticator for WiFi APs. | ||
| - | * This feature | + | * This feature | 
| - | * The ability for each device that connects to a single SSID to have a **unique** WPA2 Shared Key. | + | * The ability for each device that connects to a single SSID to have a **unique** WPA2 shared key. | 
| - | * The option | + | * The ability | 
| - | + | ||
| - | ===== Advantages | + | |
| - | Your next question might be //"OK, so why would I want to use this feature?"// | + | |
| - | + | ||
| - | * The Private PSK allows you to use secure, device-bound credentials. | + | |
| - | * This allows clients to securely authenticate and join the network using a **specific device and PSK combination**. | + | |
| - | * This enhances security and deployment flexibility for headless IoT devices. | + | |
| - | * Optional dynamic VLAN assignment further enhances the security and manageability. | + | |
| - | * RADIUSdesk is used to centrally manage device and PSK matching. | + | |
| - | * A PSK on the device owner' | + | |
| - | * A more granular option will be a PSK on the device owner. | + | |
| - | * Finally there is an option for a PSK on the device itself. | + | |
| - | * Other features included with RADIUSdesk are available also to use: | + | |
| - | * Future date activation. | + | |
| - | * Expiry date. | + | |
| - | * Time slots when the network can be used by the device. | + | |
| - | * One SSID can support all these features. | + | |
| - | * Using one SSID improves bandwidth utilization and provides a simplified user experience. | + | |
| - | * The easy to use on-boarding Captive Portal minimize support calls. | + | |
| - | + | ||
| - | + | ||
| - | ===== Implementation ===== | + | |
| - | + | ||
| - | * We will split this into two categories. One for small deployments and another for large deployments. | + | |
| - | + | ||
| - | ==== Small deployments ==== | + | |
| - | {{: | + | |
| - | * In a small deployment you need a minimum of one Access Point. | + | |
| - | * Private PSK is also supported in the mesh networks managed by MESHdesk. | + | |
| - | * You don't need any VLAN aware equipment, the VLAN assignment will be internal. | + | |
| - | * You will typically have: | + | |
| - | * A Single SSID that is configured for Private PSK security. | + | |
| - | * The On-boarding Captive Portal. | + | |
| - | * A LAN bridge | + | |
| - | * Zero or more NAT+DHCP networks | + | |
| - | * Zero or more OpenVPN bridges. | + | |
| - | * Includes small offices or home deployments | + | |
| - | + | ||
| - | ==== Large deployments | + | |
| - | {{: | + | |
| - | * With large deployments you can potentially have thousands of Access Points all centrally managed using MESHdesk and APdesk. | + | |
| - | * These deployments will include working together with other components to provide an integrated solution. | + | |
| - | * You will typically have | + | |
| - | * A common SSID that is configured for Private PSK security on all the Access Points. | + | |
| - | * External / Central on-boarding Captive Portal. | + | |
| - | * Multiple VLAN enabled switches. | + | |
| - | * A firewall that hosts multiple networks, each of which is linked to a different VLAN. | + | |
| - | * Includes Multiple Dwelling Units (MDU), Schools, hotels and conference facilities and WiFi networks with IOT devices. | + | |
| - | + | ||
| - | <WRAP center round info 100%> | + | |
| - | * You might have noticed that the Access Points in the picture are the Aruba AP105. | + | |
| - | * RADIUSdesk provides a solution for networking and does not sell hardware. | + | |
| - | * The Aruba AP105 along with many other older and current hardware are supported by OpenWrt and can thus be used in your deployment. | + | |
| - | * No vendor lock-in :-) | + | |
| - | </ | + | |
| + | ----------- | ||
| ===== Why not 802.1x? ===== | ===== Why not 802.1x? ===== | ||
| - | * WPA2 Enterprise | + | * WPA2 Enterprise | 
| - | * Certificate | + | * The certificate | 
| - | * Not all WiFi devices support | + | * Not all WiFi devices support | 
| * Many IOT devices do not support WPA2-Enterprise | * Many IOT devices do not support WPA2-Enterprise | ||
| * Many printers and WiFi cameras do not support WPA2-Enterprise. | * Many printers and WiFi cameras do not support WPA2-Enterprise. | ||
| - | * RADIUSdesk along with MESHdesk and APdesk however also offer WPA2 Enterprise support should you wish to rather implement it instead of Private PSK. | ||
| - | |||
| - | |||