Private PSK (PPSK) Overview
Introduction
MESHdesk and APdesk now include support for Private PSKs.
This feature has been available from some vendors for a while, although each vendor has its own implementation and sometimes its own terminology.
Cisco calls it Identity PSK.
Aruba calls it Multiple Pre-Shared Key (MPSK).
Ruckus calls it Dynamic PSK.
Some of the names and technologies have been branded and trademarked.
This feature provides two main functions.
Advantages
Your next question might be “OK, so why would I want to use this feature?” or even “Where do you use this feature?”
The Private PSK allows you to use secure, device-bound credentials.
This allows clients to securely authenticate and join the network using a specific device and PSK combination.
This enhances security and deployment flexibility for headless IoT devices.
Optional dynamic VLAN assignment further enhances the security and manageability.
RADIUSdesk is used to centrally manage device and PSK matching.
A PSK on the device owner's profile is the most generic solution.
A more granular option is a PSK on the device owner.
Finally, there is an option for a PSK on the device itself.
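The following added example, which is not RADIUSdesk's own code, resolves a device's PSK and VLAN across the three levels described above and derives the WPA2 pairwise master key (PMK) for the result. The record layout, all names and the most-specific-level-wins precedence are assumptions made for illustration; the PMK derivation is the standard WPA2-Personal one.

```python
import hashlib

# Constructed sample data; the record layout is hypothetical, not RADIUSdesk's schema.
PROFILES = {"iot-basic": {"psk": "profile-shared-key", "vlan": None}}
OWNERS = {
    "alice": {"profile": "iot-basic", "psk": "alice-own-passphrase", "vlan": 110},
    "bob": {"profile": "iot-basic", "psk": None, "vlan": None},
}
DEVICES = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "psk": "thermostat-key-01", "vlan": 120},
    "aa:bb:cc:00:00:02": {"owner": "alice", "psk": None, "vlan": None},
    "aa:bb:cc:00:00:03": {"owner": "bob", "psk": None, "vlan": None},
}

def normalize_mac(mac):
    """Canonicalise AA-BB-CC-00-00-01 or aabb.cc00.0001 style input."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def resolve(mac):
    """Return (level, psk, vlan) for a registered device, or None to reject."""
    device = DEVICES.get(normalize_mac(mac))
    if device is None:
        return None  # unregistered device: no PSK is offered for it
    owner = OWNERS[device["owner"]]
    profile = PROFILES[owner["profile"]]
    # Assumption: the most specific level that defines a value wins.
    levels = (("device", device), ("owner", owner), ("profile", profile))
    hit = next(((name, rec) for name, rec in levels if rec["psk"]), None)
    if hit is None:
        return None
    vlan = next((rec["vlan"] for _, rec in levels if rec["vlan"] is not None), None)
    return hit[0], hit[1]["psk"], vlan

def wpa2_pmk(passphrase, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
```

Because the SSID is the only salt, two devices on the same SSID get different PMKs only when their passphrases differ, which is why a per-device or per-owner PSK limits what a single leaked key exposes.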
Other features included with RADIUSdesk are also available to use:
One SSID can support all these features.
Using one SSID improves bandwidth utilization and provides a simplified user experience.
The easy-to-use on-boarding Captive Portal minimizes support calls.
Implementation
Small deployments
In a small deployment you need a minimum of one Access Point.
Private PSK is also supported in the mesh networks managed by MESHdesk.
You don't need any VLAN-aware equipment; the VLAN assignment will be internal.
You will typically have:
A Single SSID that is configured for Private PSK security.
The On-boarding Captive Portal.
Zero or more NAT+DHCP networks
Zero or more OpenVPN bridges.
This includes small office or home deployments.
Large deployments (MDU - Multi-dwelling building, Apartments, Hotels, etc.)
With large deployments you can potentially have thousands of Access Points all centrally managed using MESHdesk and APdesk.
These deployments will include working together with other components to provide an integrated solution.
You will typically have:
A common SSID that is configured for Private PSK security on all the Access Points.
External / Central on-boarding Captive Portal.
Multiple VLAN enabled switches.
A firewall that hosts multiple networks, each of which is linked to a different VLAN.
This includes Multiple Dwelling Units (MDU), schools, hotels and conference facilities, and WiFi networks with IoT devices.
You might have noticed that the Access Points in the picture are the Aruba AP105.
RADIUSdesk provides a solution for networking and does not sell hardware.
The Aruba AP105, along with much other older and current hardware, is supported by OpenWrt and can thus be used in your deployment.
No vendor lock-in

Why not 802.1x?
WPA2 Enterprise is definitely more secure, but there are two issues which usually turn people off from implementing it.
Certificate management. The Certificate Authority (CA)'s certificate needs to be installed on each connecting client.
Not all WiFi devices support it.
However, RADIUSdesk, along with MESHdesk and APdesk, also offers WPA2 Enterprise support should you wish to implement it instead of Private PSK.