

Private PSK (PPSK) Overview

  • Private Pre Shared Key (PPSK) is a function that allows multiple WiFi keys to be used for a single SSID.
  • It can be compared to a door that can be unlocked by people with different keys to gain access to a building.
  • This is in contrast to a door where everyone has the same key to unlock it and gain access to a building.
  • The advantage of using different keys is the ease of management.
  • Consider a small office where an employee leaves the company on bad terms and you want to make sure they no longer get access to the WiFi network.
  • Without Private PSK support you need to:
    • Change the shared key on the access point(s).
    • Inform all employees that the WiFi key has changed and hope they will be smart enough to update any devices that are configured to connect to the office WiFi network.
    • Update the WiFi key on any peripherals that are connected to the network as well, including printers, scanners and cameras.
  • With Private PSK support, you simply revoke that employee's PPSK.
  • The PPSK function has been around for a long time.
  • Aerohive (now Extreme Networks) was probably the first vendor to come up with this feature more than 8 years ago.
  • Most enterprise vendors have caught up and added the feature, but some ignored requests for it for years. (Here you can see a post where the Ubiquiti community asked for this feature 7 years ago.)
  • Ubiquiti finally implemented the feature in UniFi in 2023.
  • This was probably because TP-Link's Omada already included the feature and some Ubiquiti customers who wanted it opted for Omada instead.
  • However, the Ubiquiti implementation does not include a RADIUS option, whereas the Omada implementation does.
  • Some people think Omada is a copy of UniFi. With PPSK, we can definitely say that Omada took the initiative before UniFi.
  • Each vendor has its own unique implementation and sometimes its own terminology.
    • Cisco calls it Identity PSK.
    • Aruba calls it Multiple Pre-Shared Key (MPSK).
    • Ruckus calls it Dynamic PSK.
  • Some of the names and technologies are trademarked and protected.
  • Under the hood, however, most vendors that have recently added the PPSK function use hostapd.
  • hostapd is an open source authenticator for WiFi APs.
  • This feature offers two main functions:
    • Each device that connects to a single SSID can have a unique WPA2 pre-shared key.
    • Each device can be assigned to a predefined VLAN after authentication.
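How "many keys, one SSID" works at the authenticator, as an added example that is not code from the RADIUSdesk wiki or from hostapd: the model below parses hostapd's documented wpa_psk_file format (enabled with `wpa_psk_file=`, with `dynamic_vlan` enabled for the per-line `vlanid=` to take effect), derives the PMK from each candidate passphrase and identifies the key a station used by recomputing the MIC of 4-way handshake message 2. It also shows why revoking one employee's line, as in the office scenario above, locks out only that device. The MAC addresses, passphrases, nonces and the zeroed EAPOL frame are constructed sample values.

```python
import hashlib
import hmac

def parse_psk_file(text):
    """Parse hostapd wpa_psk_file lines: [keyid=..] [vlanid=..] <MAC> <passphrase>."""
    entries = []
    for line in text.splitlines():
        tokens = line.strip().split(" ")
        if not tokens[0] or tokens[0].startswith("#"):
            continue
        opts = {}
        while "=" in tokens[0]:  # leading key=value options
            key, val = tokens.pop(0).split("=", 1)
            opts[key] = val
        entries.append({"mac": tokens[0].lower(), "psk": " ".join(tokens[1:]),
                        "vlanid": int(opts.get("vlanid", 0)), "keyid": opts.get("keyid")})
    return entries

def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11 passphrase-to-PMK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def msg2_mic(pmk, aa, spa, anonce, snonce, frame):
    """KCK = first 16 bytes of the PTK; WPA2 MIC = HMAC-SHA1-128 over the zero-MIC EAPOL-Key frame."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    kck = hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def identify_psk(entries, ssid, aa, spa, anonce, snonce, frame, mic):
    """AP side, as hostapd does it: try every PSK allowed for this MAC (its own lines and 00:00:00:00:00:00 wildcards, in file order) until one reproduces the station's msg-2 MIC."""
    spa_str = ":".join(f"{b:02x}" for b in spa)
    for e in entries:
        if e["mac"] in (spa_str, "00:00:00:00:00:00"):
            pmk = pmk_from_passphrase(e["psk"], ssid)
            if hmac.compare_digest(msg2_mic(pmk, aa, spa, anonce, snonce, frame), mic):
                return e  # the matched line also carries the VLAN to place the station in
    return None

# Constructed sample data (not a real deployment): one SSID, a key per device plus a guest key
SSID, AP = "office", bytes.fromhex("020000000001")
ANONCE, SNONCE, FRAME = bytes(range(32)), bytes(range(32, 64)), bytes(121)  # FRAME: zero-MIC msg 2 stand-in
PSK_FILE = """vlanid=10 02:11:22:33:44:55 alice-laptop-passphrase
vlanid=20 02:aa:bb:cc:dd:ee printer passphrase with spaces
vlanid=99 00:00:00:00:00:00 guest wildcard passphrase"""

def join_attempt(entries, sta_mac, passphrase):
    """Station holding `passphrase` runs the handshake; return the wpa_psk_file line the AP matched."""
    sta = bytes.fromhex(sta_mac.replace(":", ""))
    mic = msg2_mic(pmk_from_passphrase(passphrase, SSID), AP, sta, ANONCE, SNONCE, FRAME)
    return identify_psk(entries, SSID, AP, sta, ANONCE, SNONCE, FRAME, mic)
```

Because the printer's line is bound to its own MAC, a laptop presenting the printer's passphrase never even becomes a candidate, and deleting the laptop's line is all that revocation takes.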

Your next question might be “OK, so why would I want to use this feature?” or even “Where do you use this feature?”

  • The Private PSK allows you to use secure, device-bound credentials.
  • This allows clients to securely authenticate and join the network using a specific device and PSK combination.
  • This enhances security and deployment flexibility for headless IoT devices.
  • Optional dynamic VLAN assignment further enhances the security and manageability.
  • RADIUSdesk is used to centrally manage device and PSK matching.
  • A PSK on the device owner's profile is the most generic option.
  • A more granular option is a PSK on the device owner.
  • Finally, there is the option of a PSK on the device itself.
  • Other RADIUSdesk features are also available for use:
    • Future date activation.
    • Expiry date.
    • Time slots during which the device may use the network.
  • One SSID can support all these features.
  • Using one SSID improves bandwidth utilization and provides a simplified user experience.
  • The easy-to-use on-boarding Captive Portal minimizes support calls.
  • We will split deployments into two categories: small deployments and large deployments.

Small Deployments

  • In a small deployment you need a minimum of one Access Point.
  • Private PSK is also supported in the mesh networks managed by MESHdesk.
  • You don't need any VLAN-aware equipment; the VLAN assignment will be internal.
  • You will typically have:
    • A single SSID that is configured for Private PSK security.
    • The on-boarding Captive Portal.
    • A LAN bridge.
    • Zero or more NAT+DHCP networks.
    • Zero or more OpenVPN bridges.
  • Typical examples include small offices and home deployments.

Large Deployments

  • With large deployments you can potentially have thousands of Access Points, all centrally managed using MESHdesk and APdesk.
  • These deployments work together with other components to provide an integrated solution.
  • You will typically have:
    • A common SSID that is configured for Private PSK security on all the Access Points.
    • An external / central on-boarding Captive Portal.
    • Multiple VLAN-enabled switches.
    • A firewall that hosts multiple networks, each of which is linked to a different VLAN.
  • Typical examples include Multiple Dwelling Units (MDU), schools, hotels, conference facilities and WiFi networks with IoT devices.
  • You might have noticed that the Access Points in the picture are the Aruba AP105.
  • RADIUSdesk provides a networking solution and does not sell hardware.
  • The Aruba AP105, along with much other older and current hardware, is supported by OpenWrt and can thus be used in your deployment.
  • No vendor lock-in :-)

WPA2 Enterprise

  • WPA2 Enterprise is definitely more secure, but there are two issues that usually put people off implementing it:
    • Certificate management: the Certificate Authority (CA) certificate needs to be installed on every connecting client.
    • Not all WiFi devices support it.
      • Many IoT devices do not support WPA2 Enterprise.
      • Many printers and WiFi cameras do not support WPA2 Enterprise.
  • RADIUSdesk, along with MESHdesk and APdesk, also offers WPA2 Enterprise support should you prefer to implement it instead of Private PSK.
  • Last modified: 2024/04/18 07:51
  • by system