Cisco Meraki

Wi-Fi Personal Network (WPN)


Overview

Large enterprise environments where users share the same Wi-Fi network to connect their devices present unique challenges. For example, users might find it difficult to discover their own devices among the multitude of other devices on the same network when using discovery protocols like AirPlay. In addition, malicious actors can exploit these protocols after gaining access to the shared and sometimes insecure wireless networks in university dorms, hotels, senior homes, etc.

Wi-Fi Personal Network (WPN) solves these challenges by segmenting the wireless network on a per-user basis and providing a home-like user experience. In addition, WPN gives each user a contained environment in which discovery protocols like AirPlay reveal only that user's own devices, even though the SSID is shared with other devices.

Even better, WPN segments discovery protocols and unicast traffic on a single VLAN, eliminating the burden of configuring different VLANs per floor, room, or location and simplifying network management.

WPN Under the Hood

WPN relies on the Identity PSK (iPSK) without RADIUS feature. Configuring a unique iPSK per user allows all of a user’s devices to authenticate to the SSID using the same password and communicate with each other inside their group.


WPN leverages Generic UDP Encapsulation (GUE) to separate wireless devices belonging to different iPSK groups by adding WPN IDs in GUE headers and forwarding packets between devices with identical WPN IDs.

When two wireless devices on the same VLAN with the same WPN ID are connected to different APs, the source AP adds a GUE encapsulation header carrying the WPN ID and sends the traffic to the LAN, where the switching infrastructure switches it as usual. The destination AP decapsulates the packet, removing the WPN tag, and forwards it to the wireless clients in the same iPSK group.


A WPN ID is added to all packets sent by wireless clients connected to the SSID with WPN enabled except packets destined for a default gateway. 

Supported Models and Firmware

The following access points support the WPN:

| MR Family | MR Models | Minimum Firmware |
|---|---|---|
| Wi-Fi 6E | CW9162, CW9164, CW9166 | MR 29.4.1 or newer |
| Wi-Fi 6 and Wi-Fi 6E (802.11ax) | MR45, MR55, MR28, MR36, MR36H, MR44, MR46, MR46E, MR56, MR76, MR86, MR57, MR78 | |
| Wi-Fi 5 Wave 2 (802.11ac Wave 2) | MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74, MR84 | |

 

Caveats and Limitations

  • WPN can only be enabled with iPSK without RADIUS as an authentication mechanism.

  • Up to 5,000 iPSK groups per SSID and 2 WPN-enabled SSIDs per dashboard network are supported.

  • Wireless devices connected to a WPN-enabled SSID cannot communicate with wired devices on the same VLAN (L2 domain) except for the default gateway. 

  • Wireless devices connected to a WPN-enabled SSID can communicate with wired devices on a different VLAN through L3 routing.

  • Meraki AP assigned (NAT mode) is not supported on an SSID with WPN enabled. External DHCP server assigned mode must be used instead.

  • Wired AP ports using port profiles do not support WPN.

Configuration

WPN relies on the use of Identity PSK (iPSK). Configuring a unique iPSK per user allows all of a user’s devices to authenticate to the SSID using the same password and communicate with each other inside their network segment.


To configure WPN, please follow these steps:

  1. Navigate to Network-wide > Configure > Group policies and create at least one group. You can learn more about creating and applying group policies in this guide.

  2. Navigate to Wireless > Configure > Access control.

  3. Select the desired SSID from the dropdown menu at the top of the page.

  4. Select Identity PSK without RADIUS under Security and click on Add an Identity PSK.

  5. Configure a name and passphrase; select a group policy.


  6. Use the Add button to configure other iPSK groups as needed.

  7. Set Wi-Fi Personal Network (WPN) to Enabled.

Note: The "Enabled/Disabled WPN" option is only displayed when at least one iPSK group is configured.


  8. Save changes at the bottom of the page.

User Onboarding

For large-scale deployments, user onboarding is typically done using a self-service portal (for example, Splash Access) that allows users to authenticate and create their unique PSKs pushed to the Meraki dashboard via APIs.
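
The portal-side step described above, as an added example (not Meraki's or any portal vendor's code): it generates a unique random passphrase per user, enforces the 5,000-group limit from the caveats, and prepares the API request without sending it. Assumptions not taken from this page: the Dashboard API v1 base URL, the identityPsks endpoint path and its name/passphrase/groupPolicyId fields, and the 20-character passphrase length; the network ID, API key, room names and group policy ID are constructed placeholders.

```python
import json
import secrets
import string
import urllib.request

MAX_IPSK_GROUPS_PER_SSID = 5000   # limit stated under "Caveats and Limitations"
ALPHABET = string.ascii_letters + string.digits  # easy to type on any device
BASE_URL = "https://api.meraki.com/api/v1"       # assumption: Dashboard API v1


def new_passphrase(in_use, length=20):
    """Return a CSPRNG passphrase that no other iPSK group already uses."""
    if not 8 <= length <= 63:  # WPA2-PSK passphrases are 8 to 63 ASCII characters
        raise ValueError("passphrase length must be 8..63")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if candidate not in in_use:  # the passphrase selects the group, so keep it unique
            return candidate


def plan_onboarding(users, existing, group_policy_id):
    """Build one iPSK payload per new user; `existing` maps name -> passphrase."""
    new_users = [u for u in dict.fromkeys(users) if u not in existing]
    if len(existing) + len(new_users) > MAX_IPSK_GROUPS_PER_SSID:
        raise ValueError("would exceed 5,000 iPSK groups on this SSID")
    in_use = set(existing.values())
    payloads = []
    for user in new_users:
        psk = new_passphrase(in_use)
        in_use.add(psk)
        payloads.append({"name": user, "passphrase": psk,
                         "groupPolicyId": group_policy_id})
    return payloads


def build_request(api_key, network_id, ssid_number, payload):
    """Prepare (but do not send) the API call that creates one iPSK."""
    url = f"{BASE_URL}/networks/{network_id}/wireless/ssids/{ssid_number}/identityPsks"
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # Constructed sample data: every identifier below is a placeholder.
    plan = plan_onboarding(["room-101", "room-102"], {"room-100": "ExistingPass1234"}, "101")
    req = build_request("PLACEHOLDER_API_KEY", "N_PLACEHOLDER", 1, plan[0])
    print(req.get_method(), req.full_url, [p["name"] for p in plan])
```

The passphrases are returned in the payloads so the portal can show each user their own; they should not be written to logs.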

