PPSK and mobile devices
I'm happy to see the PPSK feature on the recent Omada controller and AP firmware. I set up a simple SSID with two PPSK entries and was able to connect fine with a laptop, but an iPhone and iPad are unable to connect at all, with an association timeout error being reported on the controller. Switching back to standard PSK mode allows them to connect fine.
Are there any known compatibility issues with the PPSK feature?
EDIT: After disabling PPSK it seems some devices are still able to use one of the old PPSK keys to connect to the AP (though does not seem to get an IP or pass traffic). It seems like the PPSK feature still has some work to be done before it is production ready.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@TLnet Interesting, I did not notice this function before I saw your post. I just had my iPhone test the PPSK.
The first time when iPhone connects to PPSK SSID, it shows this wifi does not have Internet. However if I open Safari and other APPs they work well, so the Internet is actually working. I did not see this alert on my Android phone.
And once I change security to WPA-PSK, the iPhone disconnect the wifi immediately. So I did not see the same issue you faced.
My controller is version V5.3.1
I suspect your issue is related to wireless channels, you may create a 5Ghz only SSID and enable PPSK on it, and test your Apple devices again
- Copy Link
- Report Inappropriate Content
I have used PPSK from the day it came, I have Ipad several AppleTV Android device computers and 30-40 IoT device of different quality and types. but have never had problems, I also have EAP660HD, EAP620HDv1 EAP225-Outdoor and EAP245v3, it works well on all these EAPs.
I'm still using beta on EAP620 but now it's the official release on the other EAPs
This is also so simple that it is almost impossible to misconfigure.
- Copy Link
- Report Inappropriate Content
TLnet wrote
I'm happy to see the PPSK feature on the recent Omada controller and AP firmware. I set up a simple SSID with two PPSK entries and was able to connect fine with a laptop, but an iPhone and iPad are unable to connect at all, with an association timeout error being reported on the controller. Switching back to standard PSK mode allows them to connect fine.
Are there any known compatibility issues with the PPSK feature?
EDIT: After disabling PPSK it seems some devices are still able to use one of the old PPSK keys to connect to the AP (though does not seem to get an IP or pass traffic). It seems like the PPSK feature still has some work to be done before it is production ready.
Dear @TLnet
Thank you for your valued feedback!
For further troubleshooting, could you please share us a topology graph of your whole network?(so we can know how you connect the EAP/Switch/Gateway etc.)
If your client devices are using password the same as PPSK settings MAC binded password? Or you just have PPSK passphrase without MAC binded?
If necessary, I will escalate your case to our support department. They may ask you for config backup file.
- Copy Link
- Report Inappropriate Content
I was using PPSK without radius, two different keys, no MAC binding but each with a different VLAN assignment.
Network topology:
VLAN 10 - AP and Omada controller attached to this VLAN in untagged mode.
VLAN 100 - AP port attached in tagged mode, used for one of the PPSK keys + Main SSID.
VLAN 101 - AP port attached in tagged mode, used for one of the PPSK keys.
VLAN 200 - AP port attached in tagged mode, used for Guest SSID.
SSIDs:
Guest - SSID with regular WPA-PSK, guest mode enabled, VLAN 200, key ExampleGuestKey
Main - SSID with regular WPA-PSK, VLAN 100 key ExampleMainKey
I wanted to enable PPSK on Main SSID, so I created PPSK profile with two keys and switched the mode to PPSK no radius mode. One device was connected to Main at the time, but I wanted this device on a different VLAN without having to create a separate SSID for it, hence the decision to try PPSK.
PPSK Keys Created:
ExampleMainKey - same key as the Main SSID was originally using with VLAN 100 assigned. Using same key was intended so clients don't have to reconfigure their devices.
ExampleSingleKey - a new key for the single device which I wanted on VLAN 101, VLAN 101 assigned.
During setup, once I switched Main SSID to PPSK mode, the single device reconnected to the Main SSID n VLAN 100 as expected. Then I reconfigured the single device to use the ExampleSingleKey passphrase and it successfully connected to VLAN 101, so everything looked good so far.
Then I had reports from users that their mobile devices are no longer connecting to Main SSID using ExampleMainKey. So I reverted the setup back to WPA-PSK, keeping the same ExampleMainKey passphrase on Main SSID, and their devices started working again. I then knew I had to reconfigure the single device and move it to its own SSID to get it back on VLAN 101, however to my surprise it was still connected to the AP even though ExampleSingleKey should not have been possible to use any more since it only existed as a PPSK key. Though, it was not passing traffic, and was still able to reconnect even after kicking it.
Either way, some strange behavior going on with PPSK mode for me. Unfortunately nothing of interest seemed to be in the controller log, but perhaps there are other logs I could check? I don't think I can experiment any more unfortunately, this is all done remotely so I don't want to risk disrupting users any further.
- Copy Link
- Report Inappropriate Content
When you move to PPSK do you change VLAN settings on SSID?
I have no VLAN setting on SSID only on PPSK profile settings.
- Copy Link
- Report Inappropriate Content
Dear @TLnet,
TLnet wrote
SSIDs:
Guest - SSID with regular WPA-PSK, guest mode enabled, VLAN 200, key ExampleGuestKey
Main - SSID with regular WPA-PSK, VLAN 100 key ExampleMainKey
To confirm, did you configure WPA Mode with a mix of WPA2 and WPA3 as below?
I noticed in this post that the PPSK not working issue is with WPA3 + PPSK, while with WPA2 + PPSK it works fine.
- Copy Link
- Report Inappropriate Content
We are successfullt using the PPSK to handle user access in MDU scenario with bulk WiFi.
In Cusna.io we manage autoatmically the PPSK lifecycle assigning to each resident an idnividual PPSK on a dedicated VLAN in order to have them connected to all their home smart devices.
The operator only has to activat the resident without worrying at all about the IT configuration.
Residents, via their portal, can also change the PPSK at any time for increase security, in case the susbpect someone guess their PSK and entered in their network.
https://cusna.io
Looking forward to havign your feedbacks.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1981
Replies: 7
Voters 0
No one has voted for it yet.