I recently wrote an article on PPSK, something I consider to be one of the best features of Extreme Networks’ XIQ. After reading it through, I realized I might need to take a small step back and explain a little more about where PPSK came from and why it was so useful in resolving issues that people face on their network.
What is a PPSK?
A PPSK is a Private Pre-Shared Key. If you’re familiar with wi-fi networks you’ll know what that means. If you’re not, here’s what a pre-shared key is and why a private version is a good thing.
You probably already know what a pre-shared key is as you’re almost certainly using one at home. WPA2 or a static PSK SSID is what your BT Home Hub (other broadband service providers are available) is broadcasting. Simply put, a PSK is a multi-character passphrase used to get a client device (laptop, tablet, phone etc.) onto a wi-fi network. This is very useful as it’s simple to understand and most, if not all, devices accept this method to get onto the network. So, if such a simple way exists to get onto a wi-fi network why do we need anything else?
On a simple PSK SSID, all of the devices connected use the same key. This is great for new people connecting for the first time, but what about if someone leaves or if someone loses a device? In those scenarios, the simple PSK that everyone is using should be changed. In turn, this means everyone needs to change the key on all of their devices.
If all users are using the same key, this also means that all users are on the same user profile with the same VLAN, the same firewalling policies and the same traffic settings. Whilst you probably don’t care when there are a handful of devices on your home network, this doesn’t scale when you have hundreds or thousands of devices to support. It also doesn’t help if you need to troubleshoot a specific device.
If PSK doesn’t scale, what should you use in an enterprise network? This is where 802.1X/EAP comes in. This is the most secure authentication method. Each user gets unique credentials, where you can assign multiple user profiles to a single SSID. You can leverage RADIUS attributes to assign different groups different traffic settings, and if someone leaves or a device is lost you can change that individual credential without impacting everyone else on the network.
So, if 802.1X/EAP is so good why would we need something like PPSK? To start with, it can be tricky to deploy. Some devices do not accept this connection method and it wouldn’t work for a guest network. What we need is something that combines the simplicity of a PSK with the security and manageability of 802.1X/EAP. You guessed it - PPSK.
With a PPSK SSID you can assign unique credentials to each user and device, if someone leaves or a device is lost then you can change that one PPSK credential. You can assign multiple user profiles to a single SSID and you can leverage user groups to assign traffic settings on a user or device basis. PPSK is a connection method that almost all devices understand, so it’s easy to deploy, doesn’t require PKI, certificates or RADIUS services. Also, it solves the static PSK problem.
Sounds almost too good to be true. In reality, we’re just scratching the surface of the potential. In a future article we will cover how we can deploy PPSKs via numerous deployment methods (such as text / e-mail or kiosk) and how they can be deployed according to time-based policies for further granularity and better guest onboarding.