PPSK without radius does not work, even with 1.1.1

PPSK without radius does not work, even with 1.1.1
PPSK without radius does not work, even with 1.1.1
2022-05-21 16:40:03 - last edited 2022-05-29 02:47:10
Model: EAP660 HD
Hardware Version: V1
Firmware Version: 1.1.1

I was told by a TP-Link employee (HERE on Reddit) that "PPSK only works in Beta Firmware that is not released yet" and then was linked to this thread HERE which is talking about 1.1.1 Beta, even though I stated I was using 1.1.1 that was released and the release notes for 1.1.1 state "4. Support PPSK function in Controller mode."

 

So does anyone actually have success with PPSK with or without radius?. because for me enabling PPSK without RADIUS causes nothing to be able to connect to the SSID.

0
0
#1
Options
1 Accepted Solution
Re:PPSK without radius does not work, even with 1.1.1-Solution
2022-06-10 06:55:54 - last edited 2022-06-10 06:56:00

Dear @shberge, @Napsterbater,

 

Napsterbater wrote

After some more testing.

 

PPSK + WPA3 (Including WPA2), WPA3 cabable client either do not connect, OR in a few cases such as a Windows Laptop and a Pixel 3a phone fall back to WPA2, other devices such as a iPhone Xr and Pixel 5a refuse to connect and do fall back.

 

PPSK + WPA2, all devices connect no issue.

 

Note some devices if they were first joined to the SSID when it was in WPA2 will connect back with WPA2, BUT if you "Forget" the SSID and re-set it up they will refuse to connect until it is switched back to WPA2.

 

Disabling PPSK and setting to WPA3 (+WPA2) all devices connect with WPA3.

 

Sorry for the delayed response. Here is an update for this case.

 

In fact, the WPA3 is incompatible with PPSK in terms of protocol. WPA3 encryption needs to know the key in authentication stage, but PPSK matches the key only in the fourth handshake, so it is normal that the WPA3 capable client cannot be associated with the SSID when using PPSK + WPA3. Besides, the PPSK should be mentioned as WPA/WPA2-PPSK, the PPSK authentication mechanism is similar to WPA2-PSK, but multiple authentication keys can be used.

 

To avoid further confusion and errors, the subsequent update of Omada Controller will remove the WPA3 option from PPSK security.

Get Started Here: https://community.tp-link.com/en/business/forum/topic/551684 https://community.tp-link.com/en/business/forum/topic/552406
Recommended Solution
0
0
#9
Options
9 Reply
Re:PPSK without radius does not work, even with 1.1.1
2022-05-21 18:44:23 - last edited 2022-05-21 18:46:20

  @Napsterbater 

 

yes have been using it for a while (PPSK Without radius), it has actually worked very well. I have it on EAP660HD and several other EAP, I have EU device.

 

I'm using this firmware on EAP660

https://static.tp-link.com/upload/firmware/2022/202205/20220507/EAP660HD(EU)_V1_1.1.1%20Build%2020220118.zip

 

 

 

0
0
#2
Options
Re:PPSK without radius does not work, even with 1.1.1
2022-05-21 19:52:41

  @shberge 

 

What WPA settings are you using on that ssid?

 

I found one mention in the beta thread that mentioned they could not get it to work when WPA3 was set? 

 

Are you using WPA2 or WPA3? 

0
0
#3
Options
Re:PPSK without radius does not work, even with 1.1.1
2022-05-21 20:06:57 - last edited 2022-05-21 20:20:59

  @Napsterbater 

 

I use WPA2 and no VLAN settings on SSID.

 

in fact, I've never had a problem with PPSK
it works on all of the devices

 

I do a test and enabled WPA3 and it connect but only WPA2

 

 

 

 

 

0
0
#4
Options
Re:PPSK without radius does not work, even with 1.1.1
2022-05-22 13:59:54 - last edited 2022-06-10 07:06:49

  @shberge 

So I confirmed, the issues is with WPA3 + PPSK, that combination causes nothing to be able to connect, or at least nothing that is also WPA3 capable.

 

WPA2 + PPSK works fine.

2
2
#5
Options
Re:PPSK without radius does not work, even with 1.1.1
2022-05-23 03:33:03

Dear @Napsterbater,

 

Napsterbater wrote

I was told by a TP-Link employee (HERE on Reddit) that "PPSK only works in Beta Firmware that is not released yet" and then was linked to this thread HERE which is talking about 1.1.1 Beta, even though I stated I was using 1.1.1 that was released and the release notes for 1.1.1 state "4. Support PPSK function in Controller mode."

 

EAP660 HD with official firmware 1.1.1 Build 20220118 Rel. 60852 has supported PPSK function in Controller mode.

 

I think I need to update this thread HERE and replace the Beta with the Official firmware.

Get Started Here: https://community.tp-link.com/en/business/forum/topic/551684 https://community.tp-link.com/en/business/forum/topic/552406
0
0
#6
Options
Re:PPSK without radius does not work, even with 1.1.1
2022-05-23 09:05:52 - last edited 2022-06-10 07:06:19

Dear @Napsterbater,

 

Napsterbater wrote

So I confirmed, the issues is with WPA3 + PPSK, that combination causes nothing to be able to connect, or at least nothing that is also WPA3 capable.

 

WPA2 + PPSK works fine.

 

Our support engineer did a simple test in the lab, trying to reproduce the issue but failed.

Edit: the client used for the test is found not capable of WPA3, so it's associated with WPA2 and connected...

 

To address the issue, please allow me to confirm some information here. So if you use PPSK without RADIUS and configure WPA Mode with a mix of WPA2 and WPA3 as below, none of your clients will be able to connect to the SSID, while if you configure WPA Mode with WPA2 only, all your clients will connect and work. Is that right?

 

Are your clients all WPA3 capable, what are they?

Could you please tell us the brand/Model and OS for further investigation?

 

Get Started Here: https://community.tp-link.com/en/business/forum/topic/551684 https://community.tp-link.com/en/business/forum/topic/552406
0
0
#7
Options
Re:PPSK without radius does not work, even with 1.1.1
2022-05-29 02:39:48

  @Fae

After some more testing.

 

PPSK + WPA3 (Including WPA2), WPA3 cabable client either do not connect, OR in a few cases such as a Windows Laptop and a Pixel 3a phone fall back to WPA2, other devices such as a iPhone Xr and Pixel 5a refuse to connect and do fall back.

 

PPSK + WPA2, all devices connect no issue.

 

Note some devices if they were first joined to the SSID when it was in WPA2 will connect back with WPA2, BUT if you "Forget" the SSID and re-set it up they will refuse to connect until it is switched back to WPA2.

 

Disabling PPSK and setting to WPA3 (+WPA2) all devices connect with WPA3.

0
0
#8
Options
Re:PPSK without radius does not work, even with 1.1.1-Solution
2022-06-10 06:55:54 - last edited 2022-06-10 06:56:00

Dear @shberge, @Napsterbater,

 

Napsterbater wrote

After some more testing.

 

PPSK + WPA3 (Including WPA2), WPA3 cabable client either do not connect, OR in a few cases such as a Windows Laptop and a Pixel 3a phone fall back to WPA2, other devices such as a iPhone Xr and Pixel 5a refuse to connect and do fall back.

 

PPSK + WPA2, all devices connect no issue.

 

Note some devices if they were first joined to the SSID when it was in WPA2 will connect back with WPA2, BUT if you "Forget" the SSID and re-set it up they will refuse to connect until it is switched back to WPA2.

 

Disabling PPSK and setting to WPA3 (+WPA2) all devices connect with WPA3.

 

Sorry for the delayed response. Here is an update for this case.

 

In fact, the WPA3 is incompatible with PPSK in terms of protocol. WPA3 encryption needs to know the key in authentication stage, but PPSK matches the key only in the fourth handshake, so it is normal that the WPA3 capable client cannot be associated with the SSID when using PPSK + WPA3. Besides, the PPSK should be mentioned as WPA/WPA2-PPSK, the PPSK authentication mechanism is similar to WPA2-PSK, but multiple authentication keys can be used.

 

To avoid further confusion and errors, the subsequent update of Omada Controller will remove the WPA3 option from PPSK security.

Get Started Here: https://community.tp-link.com/en/business/forum/topic/551684 https://community.tp-link.com/en/business/forum/topic/552406
Recommended Solution
0
0
#9
Options
Re:PPSK without radius does not work, even with 1.1.1
2022-06-12 15:56:27

  @Fae 

 

I have to find it incredible that the development of this feature went all the way to release and nobody realized that WPA3 would be incompatible with it.

 

That just makes me question TP-Links development process and competency.

 

Couple this with the fact that thier top of the line 660 HD cannot achieve more than 300 megabits per second with most clients including AX clients.

 

At this point after buying my first two Omada APs they're probably going to end up being my last two.

 

They were kind of a trial and well served their purpose. 

1
1
#10
Options
Related Articles