PPSK Configuration Guide

A private Pre-Shared Key (PPSK for short) is a security solution in which individual client devices can be managed without much complexity.

With PPSK, each user is assigned a unique passphrase for authentication. Also, it allows the binding of a passphrase and the device MAC address(es), and thus only the specified device can be authenticated using the passphrase.

In PPSK, you can create the PPSK list and apply them to multiple wireless networks, saving you from repeatedly setting up the same information.

1. Introduction to PPSK.

Omada SDN Controller supports two types of PPSK, PPSK without RADIUS and PPSK with RADIUS.

• PPSK without RADIUS: Just create PPSK profiles on Omada SDN Controller.
• PPSK with RADIUS:
  • EAP works as a Network Access Server (NAS). You need to create clients in the RADIUS server to allow the EAPs to submit authentication requests.
  • When the client connects to the SSID, EAP uses the MAC address of the client (in the format "xx:xx:xx:xx:xx") as the RADIUS User and User-password, the submitted PPSK as the Tunnel-password and submits the information to the RADIUS server for authentication. Therefore, you need to create users in the RADIUS server in the appropriate format.

2. Configuration Guide for PPSK without RADIUS.

First, create a new PPSK profile by Settings --> Profiles --> PPSK, name the profile, and add PPSKs manually, automatically, or by import. Please refer to the User Guide for more information about the PPSK profile.

The following figure creates a PPSK. The name “TP-Link” is used to identify the PPSK, while the passphrase “tplink123” is used for authentication when clients connect to Wi-Fi

If you enter the MAC address for a PPSK, then only specific clients can use the passphrase for authentication. If you define the VLAN assignment, then the client will connect to the corresponding VLAN after authentication.

After creating the PPSK profile, go to Settings --> Wireless Networks, create a new wireless network, and select PPSK without RADIUS and the PPSK profile.

3. Configuration Guide for PPSK with RADIUS.

Step 1. Set up the RADIUS server.

Here we are running a FreeRADIUS^® server on a Linux server. For more information on installation and configuration, please refer to the FreeRADIUS documentation.

First, edit the “clients.conf” file. Here we assume that the EAPs are located in the network 192.168.0.0/24, and the shared secret used for communication between the EAPs and the RADIUS server is “tplink”, then the “clients.conf” file is configured like this:

Next, edit the “users” file. With the configuration shown below, three PPSK profiles are created.

• When the client with MAC address “xx:xx:xx:xx:xx:xx” submits PPSK “xxx_tplink”, it will be authenticated.
• When the client with MAC address “yy:yy:yy:yy:yy:yy” submits PPSK “yyy_tplink”, it will be authenticated and connected to the network of VLAN 10.
• When a client with an unknown MAC address submits the default password “default”, it will be authenticated and connected to the “Guest” network of VLAN 20.

Step 2. Create the RADIUS profile.

Go to Settings --> Authentication --> RADIUS Profile, and create a new profile bound to the RADIUS server. If necessary, note to check “Enable VLAN Assignment for Wireless Network”.

Step 3. Create more interfaces for VLAN assignments (optional)

Go to Settings --- Wired Networks --- LAN, and create two interfaces with VLAN10 and VLAN20.

Step 4. Create a wireless network encrypted with PPSK with RADIUS

Go to Settings – Wireless Networks and create the new wireless network shown below.