One SSID, Multiple PSKs = Multiple Roles

  • Question
  • Updated 5 years ago
  • Answered
Hey all! This is a config question, for now, but if this doesn't exist, I'd love for it to be a feature.

I would like to set up my APs with a special corporate SSID, say "CompanyX", and use multiple methods of authentication, each tying to a specific role. For example:

802.1X/RADIUS - "Corporate" - full access to network
PSK 1 - "Mobile Full" - access to most resources (via ACLs on the APs)
PSK 2 - "Mobile Lite" - access to some specific resources (via ACLs on the APs)
PSK 3 - "Special App" - access to one specific server/app (via ACLs on the APs)

Based on what I've read, I'm not sure if you can put multiple PSKs on the same SSID; is this true? If so, I'd love if you could in a future release...for now, I can deal with deploying multiple SSIDs for each role.

Kellen Christensen


Posted 5 years ago


Crowdie, Champ

Each SSID cannot have two or more types of authentication but you can have multiple Private PSK Groups mapped to a single SSID as they are a single authentication type.

Therefore you need two SSIDs - one for the 802.1X and one for the Private PSKs. When you create the Private PSK Groups (one for each of the three user types you listed) give each one a unique user profile attribute and when you create the user profiles use the same unique user profile attributes. For example:

"Mobile Full" - User Profile Attribute 100
"Mobile Lite" - User Profile Attribute 110
"Special App" - User Profile Attribute 120

When a user authenticates with a Private PSK from the "Mobile Full" Private PSK Group it will match the "Mobile Full" user profile as the user profile attribute is the same - 100. In the "Mobile Full" user profile you can create unique QoS, firewall and rate limiting settings for the "Mobile Full" users.

Tash Hepting

I use a similar setup to this at home in order to manage guests and devices which don't support 802.1x.

SSID#1 = 802.1x for clients that support it.

I then have a few PPSK groups...
PPSK1 = Guest (restricted access to internet and printer)
PPSK2 = Printer (limited ports, any IP)
PPSK3 = Multimedia devices (Audio/Video streamers, restricted to internet and mediaserver:ports)

Another neat thing about using PPSK like this is that you can roll passwords gracefully. If something happens where you want to change a PSK, you can have two PPSKs up - one with the old and one with the new - so all clients maintain connectivity during the transition instead of all getting kicked off once you change it.
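
A simplified model of the mapping described in the answer (Private PSK Group, then user profile attribute, then user profile) and of the overlapping key rotation described in the last reply, added here as an example; it is not code from any poster or from the vendor. The class and function names, the sample keys, the policy summaries and the validity windows are assumptions, and a real AP identifies the key from the WPA handshake rather than receiving the passphrase.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime

# User profiles keyed by user profile attribute (numbers from the answer above).
# The policy text is a constructed summary of the roles in the question.
USER_PROFILES = {
    100: ("Mobile Full", "most resources"),
    110: ("Mobile Lite", "some specific resources"),
    120: ("Special App", "one specific server/app"),
}

@dataclass
class Ppsk:                      # hypothetical record for one private PSK
    group: str                   # Private PSK Group name
    attribute: int               # user profile attribute set on the group
    key: str                     # constructed sample passphrase
    not_before: datetime
    not_after: datetime

def resolve(keys, presented, now):
    """Return (profile name, policy) for a presented key, or None to reject."""
    for k in keys:
        # Constant-time compare so the match position does not leak via timing.
        if not hmac.compare_digest(k.key.encode(), presented.encode()):
            continue
        if not (k.not_before <= now <= k.not_after):
            continue             # right key, but outside its validity window
        # A group whose attribute has no matching user profile gets no access.
        return USER_PROFILES.get(k.attribute)
    return None

def rotate(keys, group, new_key, now, overlap):
    """Add a new key for a group; active old keys expire after `overlap`."""
    attribute = None
    for k in keys:
        if k.group == group and k.not_before <= now <= k.not_after:
            k.not_after = min(k.not_after, now + overlap)
            attribute = k.attribute
    if attribute is None:
        raise ValueError(f"no active key for group {group!r}")
    keys.append(Ppsk(group, attribute, new_key, now, datetime.max))
    return keys

def sample_keys(start):
    """Constructed sample data: one active key per group from the answer."""
    groups = [("Mobile Full", 100), ("Mobile Lite", 110), ("Special App", 120)]
    return [Ppsk(g, a, f"sample-{a}-old", start, datetime.max) for g, a in groups]
```

During the overlap window both the old and the new key resolve to the same user profile, so clients can be moved over one at a time; once the window closes the old key is rejected.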