When setting up an enterprise wireless network, it is common to configure WPA2-PSK authentication to onboard users onto the wireless network. However, IT administrators run into drawbacks with this method when they need different PSKs in order to assign different VLANs or firewall rules to different groups of users. 802.1X authentication provides this level of role assignment, but it is not possible in every scenario, because IoT devices or other headless devices may not support RADIUS authentication. So far this has led to two common setups, each with drawbacks:
- A new SSID with a dedicated PSK is used for each device type. This creates a lot of RF overhead and lowers achievable throughput.
- A single SSID with one PSK is shared by all devices that are not capable of RADIUS. This creates a big security and management issue: if this single PSK gets leaked, you need to reconfigure every device with a new PSK.
Identity Pre-Shared Key (IPSK) without RADIUS addresses this use case: it allows a network administrator to configure multiple PSKs on a single SSID without the use of a RADIUS server. Further, the feature allows you to assign group policies in the dashboard based on the PSK used by the client device to authenticate to the WiFi network. Up to 50 PSKs can be configured per SSID in Dashboard.
This document walks you through configuring IPSK without RADIUS in the dashboard.
NOTE: This feature is only supported on firmware MR 27.1 onwards and all 802.11ac wave2 and 802.11ax APs. Hence networks with older APs will not have this feature enabled for them even with a firmware upgrade.
NOTE: The feature is also supported with API endpoints. Please browse to the dashboard > Help > API Docs for more information.
NOTE: IPSK without RADIUS does not support WPA3 encryption.
Enabling and Configuring IPSK without RADIUS Authentication
Configuration on the dashboard is as follows:
1. Navigate to Wireless > Configure > Access Control.
2. Under SSID, select the SSID from the drop-down that you want to configure.
3. Select IPSK without RADIUS from the Association Requirements section of the page.
4. Select the Add an Identity PSK option.
5. Here you can define a name for the PSK to Group Policy mapping and define a unique PSK.
6. Once the PSK is defined, you can select a Group Policy from the drop-down list of policies defined in the dashboard. Please refer to the Creating and Applying Group Policies article to add a new Group Policy.
NOTE: A maximum of 50 PSKs can be configured per SSID. Each PSK must be between 8 and 63 alphanumeric characters long.
7. Click Add and Save changes.
8. Once configured, you can use the show button to see the PSK configured for each mapping.
9. Clicking on the Name of the PSK to Group policy mapping will allow you to modify the mapping on the dashboard.
NOTE: Modifying or removing a PSK disconnects only the clients using that specific PSK. Other wireless clients using a different PSK stay connected without any issues. Similarly, adding a new PSK has no impact on existing client devices connected to the SSID.
10. Clicking the Add button at the top right allows you to add new PSKs to the SSID; selecting a PSK's checkbox and clicking Delete removes that PSK from the SSID.
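
A pre-flight check for the mappings entered in steps 4 to 7, added here as an example and not taken from Meraki's documentation or tooling: it generates random PSKs and validates a planned set against the limits stated above (at most 50 PSKs per SSID, 8 to 63 alphanumeric characters, a unique PSK per mapping). The record fields `name`, `psk` and `group_policy`, the sample entries, and the reading of "alphanumeric" as ASCII letters and digits are assumptions.

```python
import secrets
import string

MAX_PSKS_PER_SSID = 50            # limits stated on this page
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63
# Assumption: "alphanumeric" means ASCII letters and digits.
ALPHANUM = string.ascii_letters + string.digits


def generate_psk(length=24):
    """Return a random alphanumeric PSK drawn from the OS CSPRNG."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError("PSK length must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def build_mappings(groups, length=24):
    """Create one unique PSK per (name, group_policy) pair."""
    used, out = set(), []
    for name, policy in groups:
        psk = generate_psk(length)
        while psk in used:  # regenerate on the (unlikely) collision
            psk = generate_psk(length)
        used.add(psk)
        out.append({"name": name, "psk": psk, "group_policy": policy})
    return out


def validate_mappings(mappings):
    """Return a list of problems for one SSID's planned PSK mappings."""
    problems, seen = [], {}
    if len(mappings) > MAX_PSKS_PER_SSID:
        problems.append(f"{len(mappings)} PSKs exceeds the limit of {MAX_PSKS_PER_SSID}")
    for m in mappings:
        name, psk = m["name"], m["psk"]
        if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
            problems.append(f"{name}: length {len(psk)} outside 8-63")
        if not all(c in ALPHANUM for c in psk):
            problems.append(f"{name}: non-alphanumeric character in PSK")
        if psk in seen:  # a shared PSK cannot select a single group policy
            problems.append(f"{name}: PSK duplicates {seen[psk]}")
        seen.setdefault(psk, name)
    return problems


# Constructed sample; names, keys and group policies are illustrative.
SAMPLE = [
    {"name": "printers", "psk": "Pr1nterKey2024abc", "group_policy": "IoT-Printers"},
    {"name": "cameras", "psk": "short", "group_policy": "IoT-Cameras"},
    {"name": "sensors", "psk": "Pr1nterKey2024abc", "group_policy": "IoT-Sensors"},
    {"name": "kiosks", "psk": "kiosk key!2024", "group_policy": "Kiosks"},
]
```

`validate_mappings(SAMPLE)` reports the short key, the reused key and the key containing a space and punctuation; the messages name the mapping only and never echo the PSK itself.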