Cisco Meraki

Wi-Fi Personal Network (WPN)

Overview

Large enterprise environments where users share the same Wi-Fi network to connect their devices present unique challenges. For example, users might find it difficult to discover their own devices among the multitude of other devices on the same network when using discovery protocols like AirPlay. In addition, malicious actors can exploit these protocols after gaining access to the shared and sometimes insecure wireless networks in university dorms, hotels, senior homes, etc.

Wireless Personal Network (WPN) solves these challenges by segmenting the wireless network on a per-user basis and providing a home-like user experience. In addition, WPN provides a contained environment to each user where discovery protocols like AirPlay allow users to discover only their own devices connected to an SSID shared by other devices.

Even better, WPN allows for segmenting discovery protocols and unicast traffic on a single VLAN, eliminating the burden of configuring different VLANs per floor, room, or location and simplifying network management.

Note: Please reach out to Meraki support to enable this feature.

WPN Under the Hood

WPN relies on the use of the Identity PSK (iPSK) without RADIUS feature. Configuring a unique iPSK per user allows all of a user’s devices to authenticate to the SSID using the same password and communicate with each other inside their group.


WPN leverages Generic UDP Encapsulation (GUE) to separate wireless devices belonging to different iPSK groups by adding WPN IDs in GUE headers and forwarding packets only between devices with the same WPN IDs.

When two wireless devices on the same VLAN using the same WPN ID are connected to different APs, the source AP adds the GUE encapsulation header with the WPN ID and sends the traffic to the LAN, where it is switched normally by the switching infrastructure. The destination AP removes the WPN tag by decapsulating the packet and forwards it to the wireless clients belonging to the same iPSK group.


A WPN ID is added to all packets sent by wireless clients connected to the SSID with WPN enabled except packets destined for a default gateway. 

Supported Models and Firmware

The following access points support WPN on MR 29.1 or newer firmware:

| MR Family | MR Models | Minimum Firmware |
| --- | --- | --- |
| Wi-Fi 6E | CW9162, CW9164, CW9166 | MR 29.1 or newer |
| Wi-Fi 6 and Wi-Fi 6E (802.11ax) | MR45, MR55, MR28, MR36, MR36H, MR44, MR46, MR46E, MR56, MR76, MR86, MR57, MR78 | MR 29.1 or newer |
| Wi-Fi 5 Wave 2 (802.11ac Wave 2) | MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74, MR84 | MR 29.1 or newer |

Caveats and Limitations

  • WPN can only be enabled with iPSK without RADIUS as an authentication mechanism.

  • 5,000 iPSK groups per SSID and 2x SSIDs with WPN enabled per dashboard network are supported.

  • Wireless devices connected to a WPN-enabled SSID cannot communicate with wired devices on the same VLAN (L2 domain) except for the default gateway. 

  • Wireless devices connected to a WPN-enabled SSID can communicate with wired devices on a different VLAN through L3 routing.

  • Meraki AP assigned (NAT mode) is not supported on an SSID with WPN enabled. External DHCP server assigned mode must be used instead.

  • Wired AP ports using port profiles do not support WPN.

Configuration

WPN relies on the use of Identity PSK (iPSK). Configuring a unique iPSK per user allows all of a user’s devices to authenticate to the SSID using the same password and communicate with each other inside their network segment.


To configure WPN, please follow these steps:

  1. Navigate to Network-wide > Configure > Group policies and create at least one group. You can learn more about creating and applying group policies in this guide.

  2. Navigate to Wireless > Configure > Access control.

  3. Select the desired SSID from the dropdown menu at the top of the page.

Note: Please reach out to Meraki Support to have the WPN configuration available. It will be added only to the new version of the Access control page. If you are not using the new version yet, please click on "View new version" in the top-right corner.

  4. Select Identity PSK without RADIUS under Security and click on Add an Identity PSK.

  5. Configure a name and passphrase; select a group policy.

  6. Use the Add button to configure other iPSK groups as needed.

  7. Set Wi-Fi Personal Network (WPN) to Enabled.

The Enabled/Disabled WPN option is displayed only when at least one iPSK is configured.

  8. Save changes at the bottom of the page.

User Onboarding

For large-scale deployments, user onboarding is typically done using a self-service portal (for example, Splash Access) that allows users to authenticate and create their unique PSKs pushed to the Meraki dashboard via APIs.
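The following is an added example, not Meraki's or any portal vendor's code, of what the portal side of this flow can look like: it generates a random per-user passphrase and builds the Dashboard API v1 request that creates the Identity PSK. The function names, network ID, API key and user name are hypothetical or constructed; the request is built but not sent.

```python
import json
import secrets
import string
import urllib.request

# Assumption: Dashboard API v1 base URL and the SSID's Identity PSK endpoint.
API_BASE = "https://api.meraki.com/api/v1"
ALPHABET = string.ascii_letters + string.digits  # no symbols users tend to mistype


def new_passphrase(existing, length=20):
    """Return a random WPA2 passphrase (8-63 chars) not already in use.

    The passphrase is what maps a device to a user's iPSK group, so it
    must be unique per user; a collision is rejected and regenerated.
    """
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if candidate not in existing:
            return candidate


def build_ipsk_request(api_key, network_id, ssid_number, user, group_policy_id, existing):
    """Build (not send) the POST that creates one user's Identity PSK."""
    passphrase = new_passphrase(existing)
    body = {"name": user, "passphrase": passphrase, "groupPolicyId": group_policy_id}
    url = f"{API_BASE}/networks/{network_id}/wireless/ssids/{ssid_number}/identityPsks"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )
    return req, passphrase


if __name__ == "__main__":
    # Constructed sample values; use real IDs and load the key from a secret store.
    in_use = set()
    req, psk = build_ipsk_request("EXAMPLE_KEY", "N_EXAMPLE", 1, "room-214-alice", "101", in_use)
    in_use.add(psk)
    print(req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would submit the request to the dashboard.
```

The passphrase is returned to the caller so the portal can show it to the user once; avoid writing it to logs.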
