Wi-Fi Personal Network (WPN)
Overview
Large enterprise environments where users share the same Wi-Fi network to connect their devices present unique challenges. For example, users might find it difficult to discover their own devices among the multitude of other devices on the same network when using discovery protocols like AirPlay. In addition, malicious actors can exploit these protocols after gaining access to the shared and sometimes insecure wireless networks in university dorms, hotels, senior homes, etc.
Wi-Fi Personal Network (WPN) solves these challenges by segmenting the wireless network on a per-user basis and providing a home-like user experience. WPN gives each user a contained environment in which discovery protocols like AirPlay reveal only that user's own devices, even though the SSID is shared with other users' devices.
Even better, WPN segments discovery protocols and unicast traffic on a single VLAN, eliminating the burden of configuring different VLANs per floor, room, or location and simplifying network management.
WPN Under the Hood
WPN relies on the use of our 'Identity PSK (iPSK) without RADIUS' feature. Configuring a unique iPSK per user allows all of a user’s devices to authenticate to the SSID using the same password and communicate with each other inside their group.
WPN leverages Generic UDP Encapsulation (GUE) to separate wireless devices belonging to different iPSK groups by adding WPN IDs in GUE headers and forwarding packets between devices with identical WPN IDs.
When two wireless devices on the same VLAN with the same WPN ID are connected to different APs, the source AP adds a GUE encapsulation header carrying the WPN ID and sends the traffic onto the LAN, where the switching infrastructure forwards it like any other traffic. The destination AP decapsulates the packet, removing the WPN tag, and forwards it only to wireless clients in the same iPSK group.
A WPN ID is added to all packets sent by wireless clients connected to the SSID with WPN enabled except packets destined for a default gateway.
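The forwarding rules above can be checked against a small model. The following Python code is an added illustration, not Meraki code: it applies only the rules stated on this page (one WPN ID per iPSK group, tag added by the sending AP, tag stripped by the receiving AP which forwards only to the same group, default-gateway traffic untagged). The GUE-style header layout, the position of the 24-bit WPN ID inside it, the MAC addresses and the client roster are all constructed for the model and are not Meraki's wire format.

```python
"""Model of which frames a WPN-enabled AP delivers.

Added illustration, not Meraki code. It reproduces only the rules the page
states: all devices of one iPSK group share a WPN ID, the sending AP tags a
frame with that ID in a GUE header before it reaches the LAN, the receiving
AP strips the tag and delivers only to clients with the same ID, and frames
for the default gateway are sent untagged. The header layout, MAC addresses
and client roster below are constructed for the model.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GATEWAY_MAC = "00:00:5e:00:01:01"      # constructed: the VLAN's default gateway

# Constructed wrapper: a 4-byte GUE-style base header followed by a 3-byte
# WPN ID (the page says IDs are 24-bit). Where Meraki actually places the ID
# inside GUE is not documented on the page; this is an assumption of the model.
BASE_HDR = struct.Struct("!BBH")       # version/hlen, proto, flags
WPN_ID_LEN = 3


def encapsulate(wpn_id: int, frame: bytes) -> bytes:
    """Wrap a frame with the WPN tag the source AP would add."""
    if not 1 <= wpn_id < (1 << 24):
        raise ValueError("WPN ID must be a positive 24-bit value")
    return BASE_HDR.pack(0, 0, 0) + wpn_id.to_bytes(WPN_ID_LEN, "big") + frame


def decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Strip the tag as the destination AP would; return (wpn_id, frame)."""
    if len(packet) < BASE_HDR.size + WPN_ID_LEN:
        raise ValueError("packet too short for WPN tag")
    start = BASE_HDR.size
    wpn_id = int.from_bytes(packet[start:start + WPN_ID_LEN], "big")
    return wpn_id, packet[start + WPN_ID_LEN:]


@dataclass
class Client:
    mac: str
    ipsk_name: str   # the iPSK the device authenticated with
    ap: str          # which AP it is associated to


@dataclass
class Vlan:
    """One L2 domain: several APs, wireless clients, one default gateway."""
    wpn_ids: Dict[str, int]                      # iPSK name -> WPN ID
    clients: Dict[str, Client] = field(default_factory=dict)

    def add(self, client: Client) -> None:
        if client.ipsk_name not in self.wpn_ids:
            raise KeyError(f"no WPN ID for iPSK {client.ipsk_name!r}")
        self.clients[client.mac] = client

    def deliver(self, src_mac: str, dst_mac: str, frame: bytes) -> Optional[str]:
        """Return the receiver: 'gateway', a client MAC, or None if dropped."""
        src = self.clients[src_mac]
        if dst_mac == GATEWAY_MAC:
            return "gateway"                     # the one untagged exception
        packet = encapsulate(self.wpn_ids[src.ipsk_name], frame)
        # The switches forward the encapsulated packet toward dst_mac.
        dst = self.clients.get(dst_mac)
        if dst is None:
            return None          # wired host on the same VLAN: no AP to strip the tag
        tag, _ = decapsulate(packet)
        if self.wpn_ids[dst.ipsk_name] != tag:
            return None          # other iPSK group: the destination AP does not forward
        return dst.mac           # same group, even across APs


if __name__ == "__main__":
    vlan = Vlan(wpn_ids={"alice": 0x000101, "bob": 0x000102})
    vlan.add(Client("02:00:00:00:00:01", "alice", "ap1"))
    vlan.add(Client("02:00:00:00:00:02", "alice", "ap2"))
    vlan.add(Client("02:00:00:00:00:03", "bob", "ap2"))
    print(vlan.deliver("02:00:00:00:00:01", "02:00:00:00:00:02", b"airplay"))  # same group
    print(vlan.deliver("02:00:00:00:00:01", "02:00:00:00:00:03", b"airplay"))  # other group
```

Running the model with two users shows the behaviour the caveats below describe: Alice's devices reach each other across APs, Alice cannot reach Bob on the same VLAN, a wired host on that VLAN is unreachable, and only the default gateway is exempt.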
Supported Models and Firmware
The following access points support WPN:
MR Family | MR Models | Minimum Firmware
Wi-Fi 6E | CW9162, CW9164, CW9166, CW9166D1 | MR 29.4.1 or newer
Wi-Fi 6 and Wi-Fi 6E (802.11ax) | MR45, MR55, MR28, MR36, MR36H, MR44, MR46, MR46E, MR56, MR76, MR86, MR57, MR78 | MR 29.4.1 or newer
Wi-Fi 5 Wave 2 (802.11ac Wave 2) | MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74, MR84 | MR 29.4.1 or newer
Caveats and Limitations
- WPN can be enabled with the following authentication types:
  - iPSK without RADIUS (MR 29.4.1+ firmware)
  - Enterprise with my RADIUS (MR 30.1+ firmware)
  - MAC-based access control (no encryption) (MR 30.1+ firmware)
  - Identity PSK with RADIUS (MAC-based Authentication) (MR 30.1+ firmware)
- Up to 5,000 iPSK groups per SSID and up to two SSIDs with WPN enabled per dashboard network are supported.
- Wireless devices connected to a WPN-enabled SSID cannot communicate with wired devices on the same VLAN (L2 domain) except for the default gateway.
- Wireless devices connected to a WPN-enabled SSID can communicate with wired devices on a different VLAN through L3 routing.
- Meraki AP assigned (NAT mode) client IP assignment is not supported on an SSID with WPN enabled.
- External DHCP server assigned (Bridged) mode must be used instead. Tunneled mode is not supported.
Configuration
Note: This configuration assumes you want to use Identity PSK without RADIUS with WPN. See WPN Support for RADIUS-based Authentication Types for configuration with other supported authentication types.
WPN relies on the use of Identity PSK (iPSK). Configuring a unique iPSK per user allows all of a user’s devices to authenticate to the SSID using the same password and communicate with each other inside their network segment.
To configure WPN, please follow these steps:
1. Navigate to Network-wide > Configure > Group policies and create at least one group. You can learn more about creating and applying group policies in this guide.
2. Navigate to Wireless > Configure > Access control.
3. Select the desired SSID from the dropdown menu at the top of the page.
4. Select Identity PSK without RADIUS under Security and click on Add an Identity PSK.
5. Configure a name and passphrase; select a group policy.
6. Use the Add button to configure other iPSK groups as needed.
7. Set Wi-Fi Personal Network (WPN) to Enabled.
Note: The Wi-Fi Personal Network (WPN) option is only displayed when at least one iPSK group is configured.
8. Save changes at the bottom of the page.
Monitoring
iPSK names used by client devices can be monitored via the Meraki dashboard and APIs. This feature is not specific to WPN and works for any SSID using iPSK without RADIUS. Please see IPSK Authentication without RADIUS for more information.
User Onboarding
For large-scale deployments, user onboarding is typically done using a self-service portal. We recommend using the Cisco exclusive partner Splash Access, allowing users to authenticate using an Identity Provider and create unique PSKs synced back to the Meraki dashboard via APIs.
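Whatever portal is used, the onboarding job comes down to creating one identity PSK per user with a unique name and a passphrase nobody else shares. The following Python script is an added example, not Splash Access or Meraki code: it builds those entries from a user roster, enforces the unique-name rule that later matters for MR30H/36H port assignment and the 5,000 iPSK per SSID limit from the caveats, and generates passphrases from a CSPRNG. The dashboard API endpoint POST /networks/{networkId}/wireless/ssids/{number}/identityPsks with a body of name, passphrase and groupPolicyId is an assumption to verify against the API reference; ROSTER and the group policy id are constructed sample data.

```python
"""Prepare one identity PSK per user for a WPN SSID.

Added example, not Splash Access or Meraki code. It assumes the Meraki
Dashboard API endpoint
  POST /networks/{networkId}/wireless/ssids/{number}/identityPsks
with a JSON body of name, passphrase and groupPolicyId; verify that against
the API reference for your dashboard before use. ROSTER and the group
policy id are constructed sample data.
"""
import json
import secrets
import string
import urllib.request
from typing import Dict, List

MAX_IPSK_PER_SSID = 5000                  # limit stated on the page
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits
PASSPHRASE_LEN = 20                       # WPA passphrases are 8-63 ASCII characters


def new_passphrase(length: int = PASSPHRASE_LEN) -> str:
    """CSPRNG passphrase; each user gets their own so their group stays private."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def ipsk_name_for(username: str) -> str:
    """Normalise the roster name so 'Alice' and 'alice ' cannot both be created."""
    return username.strip().lower()


def build_ipsk_entries(roster: List[Dict[str, str]], group_policy_id: str) -> List[Dict[str, str]]:
    """One iPSK per user. Names are forced to be unique: the dashboard allows
    duplicates, but a duplicate is ambiguous when assigned to an MR30H/36H port."""
    if len(roster) > MAX_IPSK_PER_SSID:
        raise ValueError(f"{len(roster)} users exceed the {MAX_IPSK_PER_SSID} iPSK limit")
    seen = set()
    entries = []
    for user in roster:
        name = ipsk_name_for(user["username"])
        if name in seen:
            raise ValueError(f"duplicate iPSK name: {name}")
        seen.add(name)
        entries.append({"name": name,
                        "passphrase": new_passphrase(),
                        "groupPolicyId": group_policy_id})
    return entries


def create_ipsk(api_key: str, network_id: str, ssid_number: int, entry: Dict[str, str]) -> dict:
    """POST one entry to the dashboard (assumed endpoint; performs a network call)."""
    url = (f"https://api.meraki.com/api/v1/networks/{network_id}"
           f"/wireless/ssids/{ssid_number}/identityPsks")
    req = urllib.request.Request(
        url, data=json.dumps(entry).encode(), method="POST",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


ROSTER = [{"username": "Alice"}, {"username": "bob"}, {"username": "carol"}]  # constructed

if __name__ == "__main__":
    for e in build_ipsk_entries(ROSTER, group_policy_id="101"):
        print(e["name"], "-> passphrase generated; hand it to the user out of band")
```

The passphrase is the only thing separating one user's WPN group from another's, so it is generated with the secrets module rather than derived from the username, and the script never prints it to a shared log.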
MR 30.X WPN Enhancements
We added the following enhancements to the WPN feature in the MR 30.X firmware:
- WPN support on MR30H/MR36H LAN ports
- Ability to view the number of client devices using a particular iPSK
WPN Support on MR30H/MR36H LAN ports
We extended WPN support to wired clients connected to MR30H and MR36H wired ports. This enhancement allows wired and wireless clients to share the same WPN group. This can be done in either of the two ways described below.
WPN Assignment via Port Profiles
AP Port Profiles provide the ability to map an SSID to wired ports on 2- and 4-port access points. In addition, you can use port profiles to assign a WPN name (iPSK name) manually to ports on MR.
Note: WPN assignment via port profiles is only supported for the 4-port profile type.
Please follow these steps:
1. Navigate to the Wireless > Configure > Access control page.
2. Select Identity PSK without RADIUS under Security.
3. Set Wi-Fi Personal Network (WPN) to “Enabled”.
4. Save changes at the bottom of the page.
5. Go to the Wireless > Configure > Port Profiles page and create a new profile (profile type: 4-ports with USB).
6. Assign the previously configured SSID to an MR30H/36H LAN port.
7. Select one of the iPSK names configured on that SSID from the dropdown and assign it to an MR30H/36H LAN port.
Note: Please ensure that iPSK names are unique when using this feature. While non-unique iPSK names are allowed, two iPSKs with the same name cannot be told apart when assigning an iPSK to an MR30H/36H LAN port.
8. Save changes at the bottom of the page.
9. Go to the Assign APs tab.
10. Assign the desired MR30H/36H APs to the newly created port profile.
UDN ID Assignment to MR30H/36H Ports via RADIUS
The WPN feature available on Meraki APs is loosely based on the User Defined Network (UDN) feature available on Catalyst APs. WPN and UDN use a 24-bit "UDN ID" to represent each WPN/UDN group.
Note: While the format of UDN ID is similar between WPN and UDN, some values have different meanings between the Meraki and Cisco solutions. Therefore, these solutions are not interoperable.
The UDN ID can also be assigned via RADIUS. In this case, the UDN ID is carried in a Cisco vendor-specific attribute "UDN:Private-group-id" in the RADIUS ACCESS-ACCEPT message.
The UDN ID value shall be present in “Cisco VSA 1”, a single VSA used to return key/value pairs understood by Cisco APs. In this case, the key is “UDN:Private-group-id”, and the VSA value would be “UDN:Private-group-id=the_group_id”.
The following VSA definition can be used for this purpose:
Note: The expected range of UDN IDs in ACCESS-ACCEPT is 2 - 16777200 (in decimal). UDN ID 1 is reserved for particular purposes and should not be used.
This assignment would work for wireless and wired clients using the same SSID with supported RADIUS-based authentication with the WPN option enabled.
Wired clients must be connected to an MR30H/36H port assigned to an 802.1X SSID with WPN enabled to receive a WPN ID from a RADIUS server.
Note: In this setup, UDN IDs are managed entirely by the RADIUS servers. There is no iPSK configuration or monitoring in the Meraki dashboard.
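The following Python code is an added example, not Meraki or Cisco code, showing what the attribute described above looks like on the wire and how a receiver should validate it. It builds an RFC 2865 Vendor-Specific attribute (type 26) for Cisco's IANA vendor ID 9 with vendor type 1 (Cisco-AVPair, the "Cisco VSA 1" referred to above) carrying the text "UDN:Private-group-id=<id>", and parses it back, rejecting values outside the 2 - 16777200 range including the reserved ID 1. The same attribute is what the APs expect in ACCESS-ACCEPT for the RADIUS-based authentication types listed in the last section. The User-Name attribute and ID values in the usage section are constructed sample data.

```python
"""Encode and parse the RADIUS attribute that carries a UDN ID for WPN.

Added example, not Meraki or Cisco code. It builds an RFC 2865
Vendor-Specific attribute (type 26) for Cisco's IANA vendor ID 9, vendor
type 1 (Cisco-AVPair, the "Cisco VSA 1" the page refers to), carrying the
text "UDN:Private-group-id=<id>" from the page, and parses it back with the
2-16777200 range check the page gives. Sample attributes are constructed.
"""
import struct
from typing import Iterator, Optional, Tuple

ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
UDN_KEY = "UDN:Private-group-id"
UDN_ID_MIN, UDN_ID_MAX = 2, 16777200    # from the page; 1 is reserved


def encode_udn_vsa(udn_id: int) -> bytes:
    """Vendor-Specific attribute the RADIUS server would put in ACCESS-ACCEPT."""
    if not UDN_ID_MIN <= udn_id <= UDN_ID_MAX:
        raise ValueError(f"UDN ID {udn_id} outside {UDN_ID_MIN}-{UDN_ID_MAX}")
    value = f"{UDN_KEY}={udn_id}".encode("ascii")
    # Vendor-Type, Vendor-Length (covers these two bytes plus the value), value
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    # Type, Length (covers type, length, 4-byte Vendor-Id and vendor data), Vendor-Id
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vendor_part),
                       CISCO_VENDOR_ID) + vendor_part


def iter_tlv(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk type/length/value triples (RADIUS attributes and vendor sub-attributes)."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield t, data[i + 2:i + length]
        i += length


def extract_udn_id(attributes: bytes) -> Optional[int]:
    """UDN ID from the first Cisco-AVPair UDN:Private-group-id, or None.

    A value outside the page's range (including the reserved 1) raises, so a
    mistyped RADIUS entry fails the authorization instead of silently placing
    the client in an unexpected group."""
    for attr_type, value in iter_tlv(attributes):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in iter_tlv(value[4:]):
            if vtype != CISCO_AVPAIR:
                continue
            key, sep, number = vvalue.decode("ascii", "replace").partition("=")
            if key != UDN_KEY or not sep:
                continue
            udn_id = int(number)     # ValueError if not numeric
            if not UDN_ID_MIN <= udn_id <= UDN_ID_MAX:
                raise ValueError(f"UDN ID {udn_id} outside allowed range")
            return udn_id
    return None


if __name__ == "__main__":
    # Constructed ACCESS-ACCEPT attribute list: User-Name (type 1) then the VSA.
    attrs = bytes([1, 7]) + b"alice" + encode_udn_vsa(4242)
    print(attrs.hex())
    print("UDN ID:", extract_udn_id(attrs))
```

When writing the RADIUS policy, keep the Cisco-AVPair text exactly as shown, with the key followed by "=" and a decimal value; the parser above ignores AVPairs with any other key, which is how an AP sees the attribute if the key is misspelled.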
To enable WPN assignment via RADIUS:
1. Navigate to Wireless > Configure > Access control.
2. Set your SSID to a RADIUS-based authentication type.
3. Set Wi-Fi Personal Network (WPN) to “Enabled”.
WPN Support for RADIUS-based Authentication Types
The following RADIUS-based authentication types support WPN (Wireless > Configure > Access control):
- Enterprise with my RADIUS
- MAC-based access control (no encryption)
- Identity PSK with RADIUS (MAC-based Authentication)
To configure WPN with these options, select the appropriate option under the Security section and set WPN to Enabled.
Once configured, APs will expect a UDN ID returned as part of the ACCESS-ACCEPT message from the RADIUS server, similar to the process described in the UDN ID Assignment to MR30H/36H Ports via RADIUS section.