- Use automatically generated PPSKs (the tradeoff is that you can't pick the passphrase as it is automatically created for you).
- Create a User Manager Operator administrator account that grants access to the guest PPSKs and the guest SSID.
- Give the HelpDesk staff access to the newly created User Manager Operator account.
The PSKs are automatically generated, but they are not automatically created. The issue with auto-creation is that the keys are created for 1, 7, and 30 days. Auto-creation will create one for 1, 7, and 30 days and then, when it is over, create another one. I don't want to have to give a federal auditor a key that only lasts for 4 days and then have to give them a new one for the remaining 3 because they showed up in the middle of a week instead of on a Sunday. Yes, I know I can just delete a key and it will auto-create another one, but then that makes management of the PSKs nearly impossible without logging in every day. Thank you for your quick response. It appears that I can either auto-create keys and not have to update APs but lose manageability, or manually create auto-generated keys and have to give helpdesk staff more rights. Thank you again for your help.
Private PSK Start Time
The date/time to create the first rotation of Private PSKs.
Private PSK Lifetime
How long each rotation of Private PSKs is valid for.
Private PSK Rotation Interval
How often to create a new rotation of Private PSKs.
Private PSK Rotations
How many rotations of Private PSKs to create.
Private PSK Users to Create per Rotation
How many unique Private PSKs to create each rotation.
So in the example above, 50 Private PSKs are created every seven days that are valid for seven days. This will occur 53 times (53 x 7 days [rotation interval] is approximately one year). I suspect that this is how your Private PSKs were configured when you had the issue with users needing two Private PSKs, as their seven days started in the middle of one rotation and finished in the middle of the next rotation.
If we change the definition to the one above then 20 Private PSKs are created every day that are valid for seven days. This will occur 365 times (365 x 1 day [rotation interval] is one year). This will give you Private PSKs that are valid for one week but have a new rotation each day. So on Monday a rotation of Private PSKs will be created that are valid from Monday to Sunday. On Tuesday a rotation of Private PSKs will be created that are valid from Tuesday to the Monday of the week following. On Wednesday a rotation of Private PSKs will be created that are valid from Wednesday to the Tuesday of the week following. This should hopefully resolve your issue.
Note that I dropped the number of Private PSKs created per rotation as each access point only supports a limited number of Private PSKs (the AP330, for example, supports just under 10,000 off the top of my head) but as you have more rotations you shouldn't need as many Private PSKs per rotation.
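The two rotation schedules described in this reply, modelled as an added example (not part of the original post and not the vendor's code). The start date and visit dates are constructed, and the model assumes each key is valid from its rotation's start time for the full lifetime.

```python
from datetime import datetime, timedelta

def rotations(start, lifetime_days, interval_days, count):
    """(valid_from, valid_until) for each rotation of Private PSKs."""
    life, step = timedelta(days=lifetime_days), timedelta(days=interval_days)
    return [(start + i * step, start + i * step + life) for i in range(count)]

def keys_needed(windows, arrive, depart):
    """Fewest keys covering [arrive, depart); None if no rotation is valid.

    Greedy: of the rotations valid right now, hand out the one that expires
    last, then repeat from its expiry time.
    """
    now, used = arrive, 0
    while now < depart:
        usable = [end for begin, end in windows if begin <= now < end]
        if not usable:
            return None
        now, used = max(usable), used + 1
    return used

def valid_keys_at(windows, users_per_rotation, when):
    """How many Private PSKs are inside their validity window at `when`."""
    live = sum(1 for begin, end in windows if begin <= when < end)
    return live * users_per_rotation

# Constructed dates: rotations start on Sunday 2024-01-07; the visitor arrives
# the following Wednesday and stays seven days.
START = datetime(2024, 1, 7)
ARRIVE, DEPART = datetime(2024, 1, 10), datetime(2024, 1, 17)

# Lifetime is 7 days in both; interval, rotations and users are from the thread.
WEEKLY = rotations(START, 7, 7, 53)    # 50 users per rotation
DAILY = rotations(START, 7, 1, 365)    # 20 users per rotation

if __name__ == "__main__":
    for name, sched, users in (("weekly", WEEKLY, 50), ("daily", DAILY, 20)):
        print(name,
              "keys for the visit:", keys_needed(sched, ARRIVE, DEPART),
              "| valid mid-visit:", valid_keys_at(sched, users, datetime(2024, 1, 14)),
              "| created in total:", len(sched) * users)
```

The weekly schedule needs two keys for the Wednesday-to-Wednesday visit (four days, then three), while the daily schedule covers it with one, at the cost of more keys being valid at any moment.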
Thank you for your reply. I understand what you are saying, but that still doesn't resolve the issue of management. True, I will get x number of PSKs created every day and then after 7 they will start disabling or deleting themselves, but that is kind of like creating 30 AD accounts with expiration dates and letting them sit there until they are needed or they expire. It seems like a waste of resources to me. From a management standpoint, it doesn't make much sense. It does, however, provide a solution to my problem. Again, thank you very much for your quick responses.
It is worth noting that PPSKs are not recommended for corporate LAN access as 802.1X should be utilised.
The reason we chose PPSK and not RADIUS is because we didn't want users logging in with personal devices onto the corporate network, and with PPSK we can limit the number of devices that can be registered with each PSK.