Private PSK (PPSK) Overview

• Private Pre Shared Key (PPSK) is a feature that allows multiple WiFi keys to be used on a single SSID.
• It can be compared to a door which will allow people with different keys to unlock it and gain access to a building.
• This then stands in contrast to a door where everyone has the same key to unlock it and gain access to a building.
• The advantage of using different keys lies in the ease of management.
• If you have a small office setup where an employee perhaps leave the company on a bad foot and you want to make sure he can not gain access to the WiFi network.
• Without Pre Shared key support you have to:
  • Change the shared key on the Access Point(s).
  • Inform everyone that the WiFi key now changed and hope they will be skilled enough to update each device which are configured to connect to the office's WiFi network.
  • Another place where you might need to update the WiFi key will be all the peripherals that connects to the network including printers, scanners and cameras.
• With Pre Shared key support you can simply revoke the employees PPSK.

• The PPSK feature has been around for a long time already.
• Aerohive (now Extreme Networks) was probably the first vendor to come up with the feature more than 8 years ago.
• Most enterprise vendors caught up and added the feature but some ignored the feature request for many years. (Here you can see a post where the Ubiquity community were asking for the feature already 7 years ago)
• Ubiquity finally implemented the feature in 2023 in Unifi.
• This was probably due to the fact that Omada from TP-Link has the feature included and that some of the Ubiquity customers that wanted the feature then opted for Omada.
• The Ubiquity implementation, however does not include a RADIUS option where the Omada implementation does.
• Some people consider Omada a copy of Unifi. With PPSK we can say definitely say Omada took the initiative before Unifi.
• Each vendor has their own unique implementation and sometimes they also have their own terminology.
  • Cisco calls it Identity PSK.
  • Aruba calls it Multiple Pre-Shared Key (MPSK).
  • Ruckus calls it Dynamic PSK.
• Some of the names and technologies have been branded and trademarked.
• Underneath the hood, however most of the vendors who recently added the PPSK feature uses the hostapd program.
• hostapd is an open source authenticator for WiFi APs.
• This feature provides two main functions.
  • The ability for each device that connects to a single SSID to have a unique WPA2 Shared Key.
  • The option for each device to be assigned to a predefined VLAN after authentication.

Your next question might be “OK, so why would I want to use this feature?” or even “Where do you use this feature?”

• The Private PSK allows you to use secure, device-bound credentials.
• This allows clients to securely authenticate and join the network using a specific device and PSK combination.
• This enhances security and deployment flexibility for headless IoT devices.
• Optional dynamic VLAN assignment further enhances the security and manageability.
• RADIUSdesk is used to centrally manage device and PSK matching.
• A PSK on the device owner's profile is the most generic solution.
• A more granular option will be a PSK on the device owner.
• Finally there is an option for a PSK on the device itself.
• Other features included with RADIUSdesk are available also to use:
  • Future date activation.
  • Expiry date.
  • Time slots when the network can be used by the device.
• One SSID can support all these features.
• Using one SSID improves bandwidth utilization and provides a simplified user experience.
• The easy to use on-boarding Captive Portal minimize support calls.

• We will split this into two categories. One for small deployments and another for large deployments.

• In a small deployment you need a minimum of one Access Point.
• Private PSK is also supported in the mesh networks managed by MESHdesk.
• You don't need any VLAN aware equipment, the VLAN assignment will be internal.
• You will typically have:
  • A Single SSID that is configured for Private PSK security.
  • The On-boarding Captive Portal.
  • A LAN bridge
  • Zero or more NAT+DHCP networks
  • Zero or more OpenVPN bridges.
• Includes small offices or home deployments

• With large deployments you can potentially have thousands of Access Points all centrally managed using MESHdesk and APdesk.
• These deployments will include working together with other components to provide an integrated solution.
• You will typically have
  • A common SSID that is configured for Private PSK security on all the Access Points.
  • External / Central on-boarding Captive Portal.
  • Multiple VLAN enabled switches.
  • A firewall that hosts multiple networks, each of which is linked to a different VLAN.
• Includes Multiple Dwelling Units (MDU), Schools, hotels and conference facilities and WiFi networks with IOT devices.

• WPA2 Enterprise are definitely more secure but there are two issues which usually turn people off from implementing it.
• Certificate management. The Certificate Authority (CA)'s certificate needs to be installed on the client connecting.
• Not all WiFi devices support it.
  • Many IOT devices do not support WPA2-Enterprise
  • Many printers and WiFi cameras do not support WPA2-Enterprise.
• RADIUSdesk along with MESHdesk and APdesk however also offer WPA2 Enterprise support should you wish to rather implement it instead of Private PSK.