====== Private PSK (PPSK) Overview ======

===== Introduction =====

  * MESHdesk and APdesk now include support for **Private PSKs**.
  * This feature has been available from some vendors for a while, although each vendor has its own implementation and sometimes its own terminology.
    * Cisco calls it **Identity PSK**.
    * Aruba calls it **Multiple Pre-Shared Key (MPSK)**.
    * Ruckus calls it **Dynamic PSK**.
    * Some of these names and technologies are branded and trademarked.
  * This feature provides two main functions:
    * Each device that connects to a single SSID can have its own **unique** WPA2 shared key.
    * Each device can optionally be assigned to a predefined VLAN after authentication.

===== Advantages =====

Your next question might be //"OK, so why would I want to use this feature?"// or even //"Where do you use this feature?"//

  * A Private PSK lets you use secure, device-bound credentials.
  * Clients securely authenticate and join the network using a **specific device and PSK combination**.
  * This improves security and deployment flexibility for headless IoT devices.
  * Optional dynamic VLAN assignment further improves security and manageability.
  * RADIUSdesk is used to centrally manage the matching of devices to PSKs:
    * A PSK on the device owner's profile is the most generic option.
    * A more granular option is a PSK on the device owner.
    * Finally, a PSK can be set on the device itself.
  * Other RADIUSdesk features can be used as well:
    * Future date activation.
    * Expiry date.
    * Time slots during which the device may use the network.
  * One SSID can support all of these features.
  * Using one SSID improves bandwidth utilization and provides a simpler user experience.
  * The easy-to-use on-boarding Captive Portal minimizes support calls.

===== Implementation =====

  * We split this into two categories: one for small deployments and another for large deployments.
==== Small deployments ====

{{:technical:psk:privatepsk.png?nolink|}}

  * In a small deployment you need a minimum of one Access Point.
  * Private PSK is also supported in the mesh networks managed by MESHdesk.
  * You don't need any VLAN-aware equipment; the VLAN assignment is internal.
  * You will typically have:
    * A single SSID configured for Private PSK security.
    * The on-boarding Captive Portal.
    * A LAN bridge.
    * Zero or more NAT+DHCP networks.
    * Zero or more OpenVPN bridges.
  * Examples include small offices and home deployments.

==== Large deployments (MDU - Multi-dwelling building, Apartments, Hotels, etc.) ====

{{:technical:psk:privatepsk_large.png?nolink|}}

  * In large deployments you can potentially have thousands of Access Points, all centrally managed using MESHdesk and APdesk.
  * These deployments work together with other components to provide an integrated solution.
  * You will typically have:
    * A common SSID configured for Private PSK security on all the Access Points.
    * An external / central on-boarding Captive Portal.
    * Multiple VLAN-enabled switches.
    * A firewall that hosts multiple networks, each linked to a different VLAN.
  * Examples include Multiple Dwelling Units (MDU), schools, hotels, conference facilities and WiFi networks with IoT devices.
  * You might have noticed that the Access Points in the picture are the Aruba AP105.
    * RADIUSdesk provides a networking solution and does not sell hardware.
    * The Aruba AP105, along with much other older and current hardware, is supported by OpenWrt and can thus be used in your deployment.
    * No vendor lock-in :-)

===== Why not 802.1x? =====

  * WPA2 Enterprise is definitely more secure, but there are two issues which usually put people off implementing it:
    * Certificate management. The Certificate Authority (CA) certificate needs to be installed on the connecting client.
    * Not all WiFi devices support it.
      * Many IoT devices do not support WPA2 Enterprise.
      * Many printers and WiFi cameras do not support WPA2 Enterprise.
  * RADIUSdesk, along with MESHdesk and APdesk, also offers WPA2 Enterprise support should you prefer to implement it instead of Private PSK.
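As an added example (not code from MESHdesk, APdesk or RADIUSdesk), the following Python script shows how the three PSK scopes and the activation, expiry and time-slot options from the Advantages section can be resolved per device and written out in hostapd's ''wpa_psk_file'' format, the per-device PSK file an OpenWrt Access Point running hostapd reads. The record layout, the rule that the most specific PSK wins, the placement of the time options on the owner record, and the idea that MESHdesk provisions the Access Points this way are all assumptions of this example, not statements from the page.

```python
from datetime import date, datetime, time

# Constructed sample records (not RADIUSdesk's schema); time options assumed on the owner.
PROFILE = {"psk": "profile-wide-secret", "vlan": 10}
OWNERS = {
    "alice": {"psk": "alice-owner-secret", "vlan": 20, "activate": date(2024, 1, 1),
              "expire": date(2030, 1, 1), "slots": [(wd, time(7, 0), time(19, 0)) for wd in range(5)]},
    "bob": {"psk": None, "vlan": None, "activate": None, "expire": None, "slots": []},
}
DEVICES = [
    {"mac": "aa:bb:cc:00:00:01", "owner": "alice", "psk": None, "vlan": None},
    {"mac": "aa:bb:cc:00:00:02", "owner": "alice", "psk": "cam-only-secret", "vlan": 30},
    {"mac": "aa:bb:cc:00:00:03", "owner": "bob", "psk": None, "vlan": None},
]

def owner_allowed(owner, now):
    """Future activation, expiry date and time slots must all permit access at 'now'."""
    if owner["activate"] and now.date() < owner["activate"]:
        return False
    if owner["expire"] and now.date() >= owner["expire"]:
        return False
    if owner["slots"]:  # no slots configured means no time restriction
        return any(wd == now.weekday() and start <= now.time() < end
                   for wd, start, end in owner["slots"])
    return True

def resolve_psk(device, owners, profile):
    """Most specific PSK wins (assumed order): device, then owner, then profile; VLAN falls back to the profile's."""
    owner = owners[device["owner"]]
    for scope in (device, owner, profile):
        if scope["psk"]:
            vlan = scope["vlan"] if scope["vlan"] is not None else profile["vlan"]
            return scope["psk"], vlan
    return None, None

def psk_file_lines(devices, owners, profile, now):
    """Emit hostapd wpa_psk_file lines '[vlanid=N] <mac> <passphrase>'; a device left out cannot join with its PSK."""
    lines = []
    for dev in devices:
        if not owner_allowed(owners[dev["owner"]], now):
            continue
        psk, vlan = resolve_psk(dev, owners, profile)
        if psk is None:
            continue
        if not 8 <= len(psk) <= 63:  # hostapd passphrase length limits
            raise ValueError(f"passphrase for {dev['mac']} must be 8-63 characters")
        prefix = f"vlanid={vlan} " if vlan is not None else ""
        lines.append(f"{prefix}{dev['mac']} {psk}")
    return lines
```

Regenerating and reloading the file whenever a device, owner or profile changes is what keeps expired or out-of-hours devices from joining.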