Table of Contents
Private PSK (PPSK) Overview
Introduction
- MESHdesk and APdesk now include support for Private PSKs.
- This feature has been available from some vendors for a while although each vendor has their own unique implementation and sometimes they also have their own terminology.
- Cisco calls it Identity PSK.
- Aruba calls it Multiple Pre-Shared Key (MPSK).
- Ruckus calls it Dynamic PSK.
- Some of the names and technologies have been branded and trademarked.
- This feature provides two main functions.
- The ability for each device that connects to a single SSID to have a unique WPA2 Shared Key.
- The option for each device to be assigned to a predefined VLAN after authentication.
Advantages
Your next question might be “OK, so why would I want to use this feature?” or even “Where do you use this feature?”
- The Private PSK allows you to use secure, device-bound credentials.
- This allows clients to securely authenticate and join the network using a specific device and PSK combination.
- This enhances security and deployment flexibility for headless IoT devices.
- Optional dynamic VLAN assignment further enhances the security and manageability.
- RADIUSdesk is used to centrally manage device and PSK matching.
- A PSK on the device owner's profile is the most generic solution.
- A more granular option will be a PSK on the device owner.
- Finally there is an option for a PSK on the device itself.
- Other features included with RADIUSdesk are available also to use:
- Future date activation.
- Expiry date.
- Time slots when the network can be used by the device.
- One SSID can support all these features.
- Using one SSID improves bandwidth utilization and provides a simplified user experience.
- The easy to use on-boarding Captive Portal minimize support calls.
Implementation
- We will split this into two categories. One for small deployments and another for large deployments.
Small deployments
- In a small deployment you need a minimum of one Access Point.
- Private PSK is also supported in the mesh networks managed by MESHdesk.
- You don't need any VLAN aware equipment, the VLAN assignment will be internal.
- You will typically have:
- A Single SSID that is configured for Private PSK security.
- The On-boarding Captive Portal.
- A LAN bridge
- Zero or more NAT+DHCP networks
- Zero or more OpenVPN bridges.
- Includes small offices or home deployments
Large deployments (MDU - Multi-dwelling building, Apartments, Hotels. etc)
- With large deployments you can potentially have thousands of Access Points all centrally managed using MESHdesk and APdesk.
- These deployments will include working together with other components to provide an integrated solution.
- You will typically have
- A common SSID that is configured for Private PSK security on all the Access Points.
- External / Central on-boarding Captive Portal.
- Multiple VLAN enabled switches.
- A firewall that hosts multiple networks, each of which is linked to a different VLAN.
- Includes Multiple Dwelling Units (MDU), Schools, hotels and conference facilities and WiFi networks with IOT devices.
- You might have noticed that the Access Points in the picture are the Aruba AP105.
- RADIUSdesk provides a solution for networking and does not sell hardware.
- The Aruba AP105 along with many other older and current hardware are supported by OpenWrt and can thus be used in your deployment.
- No vendor lock-in
Why not 802.1x?
- WPA2 Enterprise are definitely more secure but there are two issues which usually turn people off from implementing it.
- Certificate management. The Certificate Authority (CA)'s certificate needs to be installed on the client connecting.
- Not all WiFi devices support it.
- Many IOT devices do not support WPA2-Enterprise
- Many printers and WiFi cameras do not support WPA2-Enterprise.
- RADIUSdesk along with MESHdesk and APdesk however also offer WPA2 Enterprise support should you wish to rather implement it instead of Private PSK.