Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products

Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products

Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products
Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products
2023-08-30 07:47:48 - last edited 2023-09-05 06:38:39

What Is PPSK

 

A private Pre-Shared Key (PPSK for short) is a security solution in which individual client devices can be managed without much complexity. With PPSK, each user is assigned a unique passphrase for authentication. Also, it allows the binding of a passphrase and the device MAC address(es), and thus only the specified device can be authenticated using the passphrase. In PPSK, you can create the PPSK list and apply them to multiple wireless networks, saving you from repeatedly setting up the same information.

 

Omada SDN Controller supports two types of PPSK, PPSK without RADIUS and PPSK with RADIUS.

 

PPSK without RADIUS: Just create PPSK profiles on Omada SDN Controller.
PPSK with RADIUS:

  • EAP works as a Network Access Server (NAS). You need to create clients in the RADIUS server to allow the EAPs to submit authentication requests.
  • When the client connects to the SSID, EAP uses the MAC address of the client (in the format "xx:xx:xx:xx:xx") as the RADIUS User and User-password, the submitted PPSK as the Tunnel-password and submits the information to the RADIUS server for authentication. Therefore, you need to create users in the RADIUS server in the appropriate format.

 

 

How to Configure The PPSK Function

 

Kind Notes:

(1) When 6GHz is turned on, Security cannot be PPSK with/without RADIUS since 6GHz does not suppport them, please uncheck the 6GHz box so that you can configure the security with PPSK.

(2) If the EAP doesn't support PPSK without RADIUS, there will be an issue characterized by client devices being unable to detect the SSID on either frequency band, as the EAP will not broadcast SSID with PPSK without RADIUS configuration. So please make sure the current firmware version of your EAPs supports PPSK without RADIUS.

 

1. Configuration Guide for PPSK without RADIUS.

 

First, create a new PPSK profile by Settings --> Profiles --> PPSK, name the profile, and add PPSKs manually, automatically, or by import. Please refer to the User Guide for more information about the PPSK profile.

 

The following figure creates a PPSK. The name “TP-Link” is used to identify the PPSK, while the passphrase “tplink123” is used for authentication when clients connect to Wi-Fi.

 

If you enter the MAC address for a PPSK, then only specific clients can use the passphrase for authentication. If you define the VLAN assignment, then the client will connect to the corresponding VLAN after authentication.

 

1,20220519100446k

 

After creating the PPSK profile, go to Settings --> Wireless Networks, create a new wireless network, and select PPSK without RADIUS and the PPSK profile.

 

2,20220519100506b

 

 

2. Configuration Guide for PPSK with RADIUS.

 

Step 1. Set up the RADIUS server.

 

Here we are running a FreeRADIUS® server on a Linux server. For more information on installation and configuration, please refer to the FreeRADIUS documentation.

First, edit the “clients.conf” file. Here we assume that the EAPs are located in the network 192.168.0.0/24, and the shared secret used for communication between the EAPs and the RADIUS server is “tplink”, then the “clients.conf” file is configured like this:

 

 

3,20220519100535b

 

Next, edit the “users” file. With the configuration shown below, three PPSK profiles are created.

 

4,20220519100558x

 

  • When the client with MAC address “xx:xx:xx:xx:xx:xx” submits PPSK “xxx_tplink”, it will be authenticated.

  • When the client with MAC address “yy:yy:yy:yy:yy:yy” submits PPSK “yyy_tplink”, it will be authenticated and connected to the network of VLAN 10.

  • When a client with an unknown MAC address submits the default password “default”, it will be authenticated and connected to the “Guest” network of VLAN 20.

 

 

Step 2. Create the RADIUS profile.

 

Go to Settings --> Authentication --> RADIUS Profile, and create a new profile bound to the RADIUS server. If necessary, note to check “Enable VLAN Assignment for Wireless Network”.

 

5,20220519100613f

 

 

Step 3. Create more interfaces for VLAN assignments (optional)

 

Go to Settings --- Wired Networks --- LAN, and create two interfaces with VLAN10 and VLAN20.

 

6,20220519100630k

 

 

Step 4. Create a wireless network encrypted with PPSK with RADIUS

 

Go to SettingsWireless Networks and create the new wireless network shown below.

 

7,20220519100654l

 

The Original Firmware Version of EAPs that Supports PPSK

 

Supported:

 

Model No.

Version

original firmware version that supports PPSK

                                                                                            Ceiling Mount EAPs

EAP690E HD(EU)

1.0

Latest Firmware

EAP680

1.0

Latest Firmware

EAP670(EU/US)

1.0/1.6

EAP670(EU/US)_V1_1.0.6 Build 20220921

EAP660 HD (EU/US)

1.0/1.6

EAP660HD(EU)_V1_1.1.1 Build 20220118

EAP653(EU/US/CA/JP)

1.0/1.6

EAP653(EU/US/CA/JP)_V1_1.0.4 Build 20220921

EAP650(EU/US/CA/JP)

1.0/1.6

EAP650((EU/US/CA/JP))_V1_1.0.6 Build 20220921

EAP650

2.0/2.6

Latest Firmware

EAP620 HD(EU/US)

1.0/1.6

EAP620HD(EU&US)_V1_1.1.0_Build 20230303 (Beta)

EAP620 HD (EU/US/CA/JP)

2.0/2.6

EAP620 HD((EU/US/CA/JP)_V2_1.0.3 Build 20220325

EAP620 HD

3.0/3.6

Latest Firmware

EAP613(EU/US/JP)

1.0/1.6

EAP613(EU&US&JP)_V1_1.4.0_Build 20230718 (Beta)

EAP610(EU/US)

1.0/1.6

EAP610(EU/US)_V1_1.0.4 Build 20220325

EAP610(EU/US/CA/JP/EG)

2.0/2.6

EAP610(EU&US&CA&JP&EG)_V2_1.1.3_Build 20230814 (Beta)

EAP610(EU/US/CA/JP/EG)

3.0/3.6

EAP610(EU&US&CA&JP&EG)_V3_1.4.0_Build 20230718 (Beta)

EAP265 HD

1.0/1.6

EAP265HD(EU)_V1_5.0.5_Build 20220216

EAP245 (EU/US)

3.0/3.6

EAP245(EU/US)_V3_5.0.5 Build 20220216

EAP245 (CA)

3.0

EAP245(CA)_V3_5.0.5 Build 20220323 

EAP225 (EU/US)

3.0/3.2/3.6

EAP225(EU/US)_V3_5.0.8 Build 20220118

EAP225 (CA)

3.0

EAP225(CA)_V3_5.0.8 Build 20220225

EAP225(EU/US)

4.0

EAP225(EU/US)_V4_5.1.0 Build 20220926

EAP223(EU/US)

2.0

Latest Firmware

EAP115(EU/US)

4.0/4.6

EAP115(EU/US)_V4_5.0.4 Build 20220216

EAP110(EU/US)

4.0/4.6

EAP110(EU/US)_V4_5.0.4 Build 20220216

                                                                                              Outdoor EAPs

EAP650-Outdoor(US)

1.0

EAP650-Outdoor(US)_V1_1.0.4 Build 20230421

EAP610-Outdoor(EU/US/CA/JP)

1.0

EAP610-Outdoor(EU/US/CA/JP)_V1_1.1.3 Build 20230330

EAP225-Outdoor(EU/US)

1.0

EAP225-Outdoor(EU/US)_V1_5.0.8 Build 20220118

EAP225-Outdoor(EU/US)

3.0

EAP225-Outdoor(EU/US)_V3_5.1.0 Build 20220926

EAP110-Outdoor(EU/US)

3.0

EAP110-Outdoor(EU/US)_V3_5.0.4 Build 2022021

                                                                                             Wall Plate EAPs

EAP655-Wall(EU/US/CA/JP)

1.0/1.6

EAP655-WALL(EU&US&CA&JP)_V1_1.2.0_Build 20230717 (Beta)

EAP650-Wall(EU/US)

1.0

EAP650-WALL(EU/US)_V1_1.1.1_Build 20230814 (Beta)

EAP615-Wall(EU/US/CA/JP)

1.0/1.8/1.6

EAP615-Wall(EU/US/CA/JP)_V1_1.1.3 Build 20220921

EAP235-Wall(EU/US/CA/JP)

1.0

EAP235-Wall(EU/US/CA/JP)_V1_3.1.1 Build 20230414

EAP230-Wall(EU)

1.0

EAP230-Wall(EU)_V1_3.1.1 Build 20230414

EAP115-Wall(EU)

1.0

EAP115-Wall(EU)_V1_5.0.4 Build 20220216

 

 

Planned* :

 

Model No.

Version

                 Ceiling Mount EAPs

EAP670

2.0/2.6

EAP660 HD

2.0/2.6

EAP245

4.0

EAP225

5.0/5.6

EAP223(EU/US)

1.0

                         Outdoor EAPs

EAP113-Outdoor

1.0

 

Note:

1. Planned* : Kindly note that Planned is not a guarantee, as the plan can be adjusted or changed, and TP-Link reserves the right to update the list at any time without notifying the user.

2. The above list might not include all models and hardware versions. It is recommended to keep watching the firmware releases for your EAPs, as the PPSK will be listed in the patch notes if/when it is added to your version. Rest assured, we will keep the list constantly updated.

3. If you have a pre-sales consultation, we kindly request you to refer to the product SPEC/UG/CG/FW release notes and other publicly available materials first. This will help ensure that the feature you require is supported before making a purchase.

4. The original and subsequent versions of the firmware in the list above all support PPSK without RADIUS.

 

 

Recommended Threads

Current Available Solutions to Omada EAP Related Issues [Constantly Updated]

Essence Posts Summary (Newbie Must-See)

Experience the Latest Omada EAP Firmware - Trial Available Here, Subscribe for Updates!

How to Upgrade or Downgrade the Firmware of Omada EAPs

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  2      
  2      
#1
Options
4 Reply
Re:Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products
2024-01-19 16:47:29

  @Hank21 Hi Hank. It appears you cannot use PPPSK with Radius on the EAP's using the built-in Radius server on OC200 Controller? It does not appear in drop-down, and you are prompted to create a new radius profile. Is that correct?

  0  
  0  
#2
Options
Re:Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products
2024-01-22 03:07:39

Hi @Landfall2624

 

The built-in RADIUS server has been added from the Controller v5.12, which can be used for WPA-Enterprise, Portal RADIUS Server and 802.1X. So it is correct, please follow this article to create a new Radius profile.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#3
Options
Re:Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products
2024-02-08 23:01:46

  @Hank21 Is the PPSK support for EAP245v4 still on the agenda? Looking forward to this feature!smiley

  0  
  0  
#4
Options
Re:Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products
2024-02-16 23:29:33

  @Hank21 

 

Can PPSK mode be configured in standalone mode?  That is, using freeradius in some other server (such as pfsense).

 

Thank you

  0  
  0  
#5
Options

Information

Helpful: 2

Views: 2273

Replies: 4