Knowledge Base Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products
Knowledge Base Getting To Know PPSK (Private Pre-Shared Key) of Omada EAP Products
What Is PPSK
A private Pre-Shared Key (PPSK for short) is a security solution in which individual client devices can be managed without much complexity. With PPSK, each user is assigned a unique passphrase for authentication. Also, it allows the binding of a passphrase and the device MAC address(es), and thus only the specified device can be authenticated using the passphrase. In PPSK, you can create the PPSK list and apply them to multiple wireless networks, saving you from repeatedly setting up the same information.
Omada SDN Controller supports two types of PPSK, PPSK without RADIUS and PPSK with RADIUS.
PPSK without RADIUS: Just create PPSK profiles on Omada SDN Controller.
PPSK with RADIUS:
- EAP works as a Network Access Server (NAS). You need to create clients in the RADIUS server to allow the EAPs to submit authentication requests.
- When the client connects to the SSID, EAP uses the MAC address of the client (in the format "xx:xx:xx:xx:xx") as the RADIUS User and User-password, the submitted PPSK as the Tunnel-password and submits the information to the RADIUS server for authentication. Therefore, you need to create users in the RADIUS server in the appropriate format.
How to Configure The PPSK Function
Kind Notes:
(1) When 6GHz is turned on, Security cannot be PPSK with/without RADIUS since 6GHz does not suppport them, please uncheck the 6GHz box so that you can configure the security with PPSK.
(2) If the EAP doesn't support PPSK without RADIUS, there will be an issue characterized by client devices being unable to detect the SSID on either frequency band, as the EAP will not broadcast SSID with PPSK without RADIUS configuration. So please make sure the current firmware version of your EAPs supports PPSK without RADIUS.
1. Configuration Guide for PPSK without RADIUS.
First, create a new PPSK profile by Settings --> Profiles --> PPSK, name the profile, and add PPSKs manually, automatically, or by import. Please refer to the User Guide for more information about the PPSK profile.
The following figure creates a PPSK. The name “TP-Link” is used to identify the PPSK, while the passphrase “tplink123” is used for authentication when clients connect to Wi-Fi.
If you enter the MAC address for a PPSK, then only specific clients can use the passphrase for authentication. If you define the VLAN assignment, then the client will connect to the corresponding VLAN after authentication.
After creating the PPSK profile, go to Settings --> Wireless Networks, create a new wireless network, and select PPSK without RADIUS and the PPSK profile.
2. Configuration Guide for PPSK with RADIUS.
Step 1. Set up the RADIUS server.
Here we are running a FreeRADIUS® server on a Linux server. For more information on installation and configuration, please refer to the FreeRADIUS documentation.
First, edit the “clients.conf” file. Here we assume that the EAPs are located in the network 192.168.0.0/24, and the shared secret used for communication between the EAPs and the RADIUS server is “tplink”, then the “clients.conf” file is configured like this:
Next, edit the “users” file. With the configuration shown below, three PPSK profiles are created.
-
When the client with MAC address “xx:xx:xx:xx:xx:xx” submits PPSK “xxx_tplink”, it will be authenticated.
-
When the client with MAC address “yy:yy:yy:yy:yy:yy” submits PPSK “yyy_tplink”, it will be authenticated and connected to the network of VLAN 10.
-
When a client with an unknown MAC address submits the default password “default”, it will be authenticated and connected to the “Guest” network of VLAN 20.
Step 2. Create the RADIUS profile.
Go to Settings --> Authentication --> RADIUS Profile, and create a new profile bound to the RADIUS server. If necessary, note to check “Enable VLAN Assignment for Wireless Network”.
Step 3. Create more interfaces for VLAN assignments (optional)
Go to Settings --- Wired Networks --- LAN, and create two interfaces with VLAN10 and VLAN20.
Step 4. Create a wireless network encrypted with PPSK with RADIUS
Go to Settings – Wireless Networks and create the new wireless network shown below.
The Original Firmware Version of EAPs that Supports PPSK
Supported:
Model No. |
Version |
original firmware version that supports PPSK |
Ceiling Mount EAPs |
||
EAP690E HD(EU) |
1.0 |
Latest Firmware |
EAP680 |
1.0 |
Latest Firmware |
EAP670(EU/US) |
1.0/1.6 |
|
EAP660 HD (EU/US) |
1.0/1.6 |
|
EAP653(EU/US/CA/JP) |
1.0/1.6 |
|
EAP650(EU/US/CA/JP) |
1.0/1.6 |
|
EAP650 |
2.0/2.6 |
Latest Firmware |
EAP620 HD(EU/US) |
1.0/1.6 |
|
EAP620 HD (EU/US/CA/JP) |
2.0/2.6 |
|
EAP620 HD |
3.0/3.6 |
Latest Firmware |
EAP613(EU/US/JP) |
1.0/1.6 |
|
EAP610(EU/US) |
1.0/1.6 |
|
EAP610(EU/US/CA/JP/EG) |
2.0/2.6 |
|
EAP610(EU/US/CA/JP/EG) |
3.0/3.6 |
|
EAP265 HD |
1.0/1.6 |
|
EAP245 (EU/US) |
3.0/3.6 |
|
EAP245 (CA) |
3.0 |
|
EAP225 (EU/US) |
3.0/3.2/3.6 |
|
EAP225 (CA) |
3.0 |
|
EAP225(EU/US) |
4.0 |
|
EAP223(EU/US) |
2.0 |
Latest Firmware |
EAP115(EU/US) |
4.0/4.6 |
|
EAP110(EU/US) |
4.0/4.6 |
|
Outdoor EAPs |
||
EAP650-Outdoor(US) |
1.0 |
|
EAP610-Outdoor(EU/US/CA/JP) |
1.0 |
|
EAP225-Outdoor(EU/US) |
1.0 |
|
EAP225-Outdoor(EU/US) |
3.0 |
|
EAP110-Outdoor(EU/US) |
3.0 |
|
Wall Plate EAPs |
||
EAP655-Wall(EU/US/CA/JP) |
1.0/1.6 |
|
EAP650-Wall(EU/US) |
1.0 |
|
EAP615-Wall(EU/US/CA/JP) |
1.0/1.8/1.6 |
|
EAP235-Wall(EU/US/CA/JP) |
1.0 |
|
EAP230-Wall(EU) |
1.0 |
|
EAP115-Wall(EU) |
1.0 |
Planned* :
Model No. |
Version |
Ceiling Mount EAPs |
|
EAP670 |
2.0/2.6 |
EAP660 HD |
2.0/2.6 |
EAP245 |
4.0 |
EAP225 |
5.0/5.6 |
EAP223(EU/US) |
1.0 |
Outdoor EAPs |
|
EAP113-Outdoor |
1.0 |
Note:
1. Planned* : Kindly note that Planned is not a guarantee, as the plan can be adjusted or changed, and TP-Link reserves the right to update the list at any time without notifying the user.
2. The above list might not include all models and hardware versions. It is recommended to keep watching the firmware releases for your EAPs, as the PPSK will be listed in the patch notes if/when it is added to your version. Rest assured, we will keep the list constantly updated.
3. If you have a pre-sales consultation, we kindly request you to refer to the product SPEC/UG/CG/FW release notes and other publicly available materials first. This will help ensure that the feature you require is supported before making a purchase.
4. The original and subsequent versions of the firmware in the list above all support PPSK without RADIUS.
Recommended Threads
Current Available Solutions to Omada EAP Related Issues [Constantly Updated]
Essence Posts Summary (Newbie Must-See)
Experience the Latest Omada EAP Firmware - Trial Available Here, Subscribe for Updates!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Do you manage the EAP using the Omada Controller? You can upgrade the firmware via the cloud. The current firmware that is compatible with the V5.9 Controller or above supports PPSK.
- Copy Link
- Report Inappropriate Content
Hi @Hank21,
Thank you for getting back to me so promptly.
Yes, I do manage the EAPs using the Cloud Controller. I have already checked the EAP firmware on the cloud controller and it seems to be already updated to the latest version at 1.2.1 for EAP225 v5.0, but I do have other EAPs of the same model but they tend to have an older hardware version which currently supports PPSK. It's just that the v5.0 doesn't appear to support PPSK at the moment and I think you have put this down as planned to roll out in the near future?
The Cloud Controller firmware version I use currently is at 5.14.26.40, which does have PPSK features but it could not apply to the hardware model as I have explained above.
Many thanks,
Ben
- Copy Link
- Report Inappropriate Content
Don't worry, we're planning to release updated firmware that supports PPSK. I cannot provide a precise publication date, but it is expected to be published in the near future.
- Copy Link
- Report Inappropriate Content
@Hank21 Did the EAP670 V2 ever get PPSK? Am looking to get some 670s to replace my home APs, but I'll be using PPSK for my VLANs, and that would kill that plan. Thanks.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 2
Views: 7590
Replies: 14