Uu PPSK: comparing features and deployment models

UU PPSK: Comparing Features and Deployment Models A Purple Technical Briefing Podcast Approximate runtime: 14 minutes Welcome to the Purple Technical Briefing. I'm going to walk you through one of the most important decisions you'll make when designing WiFi for a multi-tenant residential or commercial property: which pre-shared key model to deploy. And specifically, we're going to focus on UU PPSK, which stands for Unique per-User Pre-Shared Key, and why it's become the architecture of choice for Build to Rent operators, student accommodation providers, and MDU landlords across the UK. Let's start with the problem. If you're a property developer or landlord, you're managing a building where dozens or hundreds of separate households share the same physical network infrastructure. You need each resident to have a private, home-like WiFi experience. Their Chromecast needs to find their phone. Their smart speaker needs to talk to their bulbs. And critically, none of that should be visible to the resident in the flat next door. The traditional answer to this was either a shared password, which is a security disaster at scale, or a full 802.1X enterprise deployment, which requires a Public Key Infrastructure, certificate management, and a RADIUS server that most property operators simply don't have the IT resource to run. Neither of those options is right for a 200-unit BTR block. That's where PPSK comes in. PPSK stands for Private Pre-Shared Key. The concept is straightforward: instead of one shared WiFi password for the whole building, each resident gets their own unique passphrase. They connect to the same SSID, the same network name, but their key is theirs alone. If they move out, you revoke their key. It has zero effect on any other resident. Now, there are actually three distinct models here, and understanding the difference between them is critical to making the right architectural decision. The first model is a standard shared PSK. One password, everyone on the same network. This is what most buildings still run today. It's simple to deploy, but it's a single point of failure. One resident shares the password on a forum, and you've lost control of your network. You want to remove a contractor's access? You have to change the password for everyone. At scale, this is simply not manageable. The second model is Group PPSK. Here, you assign a unique key to each group of users, perhaps one key per floor, or one key per tenancy type. It's better than a shared password, but it still has a blast radius problem. If one key in a group is compromised, the entire group is affected. And you still can't isolate individual residents from each other at the network layer. The third model, and the one we're focusing on today, is UU PPSK, Unique per-User Pre-Shared Key, also called iPSK by Cisco, DPSK by Ruckus, and MPSK by HPE Aruba. The terminology varies by vendor, but the concept is identical. Every single resident, every single device group, gets its own cryptographically unique key. And that key maps to its own VLAN, its own network segment, completely isolated from every other resident in the building. This is the architecture that delivers what I call the WiFi bubble. Resident A's devices can see each other, they can cast, they can pair, they can share files, exactly as they would on a home network. But Resident A cannot see a single device belonging to Resident B, even though they're both connected to the same access point, on the same SSID, using the same physical cable infrastructure. Let me walk you through the technical authentication flow, because this is where the magic happens. When a resident's device connects to the SSID, the Wireless LAN Controller intercepts the connection attempt and forwards the device's MAC address to a RADIUS server. The RADIUS server, which can be cloud-hosted, as Purple's is, looks up that MAC address in its identity store. It returns an Access-Accept response containing the unique pre-shared key assigned to that resident. The controller validates the key the device presented against the returned key. If they match, the device is authenticated and placed on the resident's dedicated VLAN. Critically, that RADIUS response also carries the VLAN assignment. So the device doesn't just get authenticated. It gets automatically placed on the correct network segment, with the correct bandwidth policy, the correct firewall rules, all from a single SSID. No SSID proliferation. No beacon overhead. One network name, hundreds of isolated private networks underneath it. Now, a word on MAC address randomisation, because this is the pitfall that catches most deployments out. Since iOS 14, Android 10, and Windows 11, devices use randomised MAC addresses by default for privacy reasons. If your RADIUS server is doing a MAC lookup and the device presents a randomised address, the lookup fails and the device can't connect. The solution is to configure your SSID to request that clients use their permanent hardware MAC address, or to implement a pre-registration workflow where residents register their device before connecting. Purple's platform handles this automatically as part of the resident onboarding flow. Let's talk about deployment models, because UU PPSK can be deployed in three distinct ways, and the right choice depends on your building size, your IT resource, and your budget. The first is controller-local PPSK. Here, the unique keys are stored directly on the wireless controller, with no external RADIUS server required. This works well for smaller deployments, up to around 200 units, and it's the simplest to operate. Ubiquiti UniFi supports this natively. The limitation is scalability. Most controllers cap out at a few hundred local PPSK entries, and you lose the centralised lifecycle management that makes UU PPSK operationally viable at scale. The second model is RADIUS-backed PPSK. Here, the keys are stored in an external RADIUS server, and the controller queries the RADIUS server for every new connection. This scales to thousands of units. TP-Link Omada supports up to 4,000 PPSKs with an external RADIUS server. Ruckus SmartZone, HPE Aruba ClearPass, and Cisco ISE all support this model. The operational overhead is higher, but the scalability and the lifecycle management capabilities are significantly better. The third model, and the one Purple recommends for BTR and MDU operators, is cloud RADIUS-as-a-Service. Here, the RADIUS infrastructure is hosted and managed by Purple, and you connect your access points to it via a cloud overlay. This gives you the scalability of RADIUS-backed PPSK without the operational overhead of running your own RADIUS server. Purple's platform sits on top of your existing hardware, whether that's Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, or Fortinet, and provides the orchestration layer for key provisioning, lifecycle management, and resident onboarding. The key lifecycle is fully automated. A resident moves in, their key is provisioned via the property management system integration. They move out, their key is revoked instantly, with no impact on any other resident. No manual intervention, no security gaps, no password rotation drama. Let me give you two concrete deployment scenarios to bring this to life. The first is a 250-unit Build to Rent development. The developer had specified Cisco Meraki access points throughout the building. They needed each resident to have a private WiFi experience with full IoT support, same-day move-in readiness, and the ability to support 15 to 25 devices per household. The average BTR household now connects 18 devices to WiFi, from phones and laptops to smart speakers, streaming sticks, and connected appliances. The architecture deployed was a single SSID across the building, with UU PPSK via Purple's cloud RADIUS service. Each resident received a unique key at move-in, delivered via the resident app. The key mapped to a dedicated VLAN with a private subnet, giving each household a fully isolated network segment. mDNS reflection was enabled within each VLAN, so Chromecast, Apple TV, and Sonos all worked as expected. The building went live with 250 active resident VLANs on day one, with zero manual RADIUS configuration required by the on-site team. The second scenario is a 400-bed purpose-built student accommodation block. The challenge here is the annual cohort turnover. Every August, 400 students move out and 400 new students move in, often within the same week. With a shared PSK model, that means a building-wide password rotation affecting every returning resident. With UU PPSK, it means revoking 400 keys and provisioning 400 new ones, all automated via the student management system integration. The deployment used Ruckus SmartZone with DPSK, backed by Purple's RADIUS service. Each student received their unique key via email during pre-arrival registration. The key was valid for the duration of their tenancy and expired automatically on their contract end date. The operations team reported a 70% reduction in WiFi-related support tickets in the first term, primarily because the Chromecast and smart TV pairing issues that had plagued the previous shared PSK deployment were completely eliminated. Now let me cover the compliance angle, because this matters for property operators in ways that are sometimes underappreciated. GDPR requires that you can demonstrate accountability for data processing. In a WiFi context, that means being able to identify which resident generated which network traffic, and being able to respond to a subject access request or a law enforcement request with accurate, resident-specific data. With a shared PSK, that's impossible. Every device on the network looks identical from the RADIUS server's perspective. With UU PPSK, every connection is tied to a specific resident key, which is tied to a specific tenancy record. Your audit trail is complete. Let me give you three practical rules of thumb before we move to the rapid-fire questions. Rule one: if your building has more than 50 units, use RADIUS-backed UU PPSK, not controller-local PPSK. The scalability ceiling of controller-local PPSK will cause you problems within 12 months of go-live. Rule two: plan for MAC randomisation from day one. Build a pre-registration workflow into your resident onboarding process. Don't assume devices will present their permanent MAC address by default. Rule three: automate the key lifecycle. The operational value of UU PPSK over a shared PSK is entirely dependent on keys being provisioned and revoked automatically. Manual key management at scale is not viable. Integrate with your property management system or student management system from the outset. Right, let's do a rapid-fire round on the questions I get asked most often. Does UU PPSK work with WPA3? Yes, with caveats. WPA3-SAE changes the handshake mechanism. Most modern controllers support UU PPSK in WPA2 and WPA3 transition mode for backward compatibility. Check your vendor's specific documentation before specifying a pure WPA3 deployment. How many unique keys can a single SSID support? This depends on your controller platform. With an external RADIUS server, the practical limit is your RADIUS database capacity. Purple's cloud RADIUS service scales to tens of thousands of concurrent keys. Is UU PPSK a replacement for 802.1X? No. For fully managed corporate device fleets with MDM-enrolled endpoints and certificate infrastructure already in place, WPA3-Enterprise with 802.1X is the stronger security posture. UU PPSK is the right tool for environments where you don't control the devices connecting to your network, which is exactly the situation in BTR, student accommodation, and MDU deployments. What hardware does it run on? Purple's cloud overlay supports Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet. You don't need to replace your existing access points. To bring this together: UU PPSK is the authentication architecture that makes multi-tenant WiFi operationally viable at residential scale. It delivers per-resident network isolation, full IoT support, automated key lifecycle management, and a GDPR-compliant audit trail, all from a single SSID on your existing hardware. The three deployment models, controller-local, RADIUS-backed, and cloud RADIUS-as-a-Service, suit different building sizes and IT resource levels. For anything above 50 units, cloud RADIUS-as-a-Service is the right choice. It eliminates the operational overhead of running your own RADIUS infrastructure while giving you the scalability and lifecycle management capabilities you need. Purple's Multi-Tenant WiFi platform provides exactly this. Founded in 2012, we run across 80,000 live venues, and our platform has processed 440 million logins in 2024 alone. We're ISO 27001 certified, GDPR compliant, and hardware-agnostic. If you're planning a BTR, student accommodation, or MDU deployment and want to understand how UU PPSK fits your specific architecture, the guides linked in this briefing are a good starting point. Thanks for listening. Until next time.