iPSK ff: a comprehensive guide for businesses

Executive summary

For Build-to-Rent (BTR) operators, property developers, and multi-dwelling unit (MDU) landlords, WiFi is no longer a nice-to-have amenity. It is the utility residents evaluate before they sign a lease. Traditional approaches fail at scale: shared PSK networks expose one resident's devices to every neighbour, 802.1X Enterprise authentication blocks the smart home devices residents rely on, and a physical router in every unit creates severe radio frequency (RF) interference that degrades speeds for the whole building.

Identity PSK (iPSK) resolves all three problems. It issues a unique WiFi passphrase to every household on a single building-wide network. Each passphrase maps to an isolated VLAN, creating a private WiFi bubble per resident. Devices within the bubble discover each other - phones cast to TVs, consoles connect to the internet, smart speakers respond to voice commands - while remaining completely invisible to neighbours. Purple delivers this as a hardware-agnostic cloud overlay, running on Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet access points. The result is a £15-30 per unit per month rent premium, five to ten day shorter void periods, and a 30-50% reduction in per-door connectivity costs compared to individual broadband contracts (Purple internal data, 2025).

Technical deep-dive

What iPSK actually does

iPSK (Identity Pre-Shared Key) - known as MPSK by HPE Aruba, DPSK by Ruckus, and ePSK by Cambium and Juniper Mist - allows a single SSID to accept thousands of different passphrases simultaneously. Each passphrase is unique to a resident or household. The network uses that passphrase as an identity signal, not just a door key.

When a resident's device connects, the access point (AP) does not simply check whether the password is correct. It forwards the authentication request to a RADIUS (Remote Authentication Dial-In User Service) server. The RADIUS server validates the passphrase against the resident's profile and returns an Access-Accept message containing specific policy attributes - most importantly, the VLAN ID assigned to that resident. The AP then tags all traffic from that device with the correct VLAN, placing it inside the resident's isolated network segment.

This dynamic VLAN assignment is the mechanism that creates the per-resident WiFi bubble. Resident A's phone, laptop, and smart TV all share the same VLAN and can communicate freely using multicast and broadcast protocols (mDNS for AirPlay and Chromecast, SSDP for DLNA). Resident B's devices sit in a completely separate VLAN and are invisible to Resident A, even though both households share the same physical access points.

Why 802.1X does not work for residential

IEEE 802.1X is the gold standard for enterprise network authentication. It requires each device to present a username and password or a digital certificate to a RADIUS server via an EAP (Extensible Authentication Protocol) exchange. The problem in residential environments is device compatibility. Smart bulbs, voice assistants, gaming consoles, and most IoT sensors do not include an 802.1X supplicant. They cannot participate in an EAP exchange. Forcing 802.1X on a residential network means residents cannot connect their smart home devices, generating a flood of support calls and significant resident dissatisfaction.

iPSK uses WPA2-Personal or WPA3-Personal at the client level, which every consumer device supports. The enterprise-grade identity logic runs entirely on the backend between the AP and the RADIUS server, invisible to the connecting device.

Authentication flow in detail

The sequence below describes what happens from the moment a resident's device connects:

1. The device broadcasts a probe request and associates with the SSID.
2. The device sends its passphrase during the WPA2/WPA3 four-way handshake.
3. The AP intercepts the passphrase and constructs a RADIUS Access-Request, including the device MAC address and the passphrase as a Cisco AV-Pair attribute (psk-mode and psk-password).
4. The cloud RADIUS server (Purple's RADIUS-as-a-Service) validates the passphrase against the resident database.
5. On success, the RADIUS server returns an Access-Accept with the VLAN ID, QoS policy, and bandwidth profile for that resident.
6. The AP assigns the device to the specified VLAN and completes the association.
7. The device receives an IP address from the DHCP scope for that VLAN and is online within its isolated segment.

The entire sequence completes in under 500 milliseconds and is transparent to the resident.

Vendor implementation notes

The core concept is standardised, but vendor implementations differ in naming and attribute handling. Cisco Meraki uses the psk-mode and psk-password Cisco AV-Pairs. HPE Aruba ClearPass uses its own MPSK attribute set. Ruckus SmartZone supports DPSK natively without a RADIUS server for smaller deployments, though RADIUS integration is recommended for any estate above 50 units. Purple's cloud RADIUS layer abstracts these differences, presenting a single management interface regardless of the underlying hardware.

Implementation guide

Step 1: Subnet and VLAN design

In a high-density BTR environment, plan for 15 to 25 devices per unit. A standard /24 subnet (254 usable addresses) will quickly exhaust its DHCP pool in a building with more than ten units. Use /20 or /21 subnets for your client VLANs. Ensure your DHCP lease times are configured appropriately - typically eight to 12 hours for residential, but shorter for transient guest environments such as hotels or serviced apartments.

Design a separate VLAN for building management IoT devices (door entry systems, CCTV, HVAC sensors). This keeps operational infrastructure isolated from resident traffic and simplifies security auditing.

Step 2: Access point placement and RF planning

Remove individual unit routers before deploying managed APs. Place enterprise-grade APs in corridors, communal areas, and plant rooms to provide coverage without penetrating into individual units. Use a professional RF survey to determine AP density. For a typical residential building with standard concrete construction, one AP per two to four units is a reasonable starting point, but always validate with a site survey.

Configure APs to prioritise 5GHz and 6GHz bands. Reserve 2.4GHz for legacy IoT devices that cannot connect on higher bands. Enable band steering to push capable devices to the faster bands automatically.

Step 3: Automating key lifecycle management

Do not manage keys manually. Integrate your Property Management System (PMS) or Identity Provider (IdP) with your RADIUS infrastructure. When a new lease is signed, the system should automatically generate a unique iPSK and email it to the resident. When they move out, the key must be revoked instantly. Purple's platform acts as this orchestration layer, integrating with Microsoft Entra ID, Okta, and Google Workspace, as well as leading PMS platforms. This automation eliminates the manual overhead that makes large-scale iPSK deployments operationally unviable without the right tooling.

Step 4: Handling MAC address randomisation

Modern operating systems use MAC address randomisation by default for privacy reasons. iOS 14 and later, Android 10 and later, and Windows 11 all randomise the MAC address when connecting to new networks. Because iPSK relies on MAC addresses for identity lookup in some implementations, a randomised MAC can cause authentication failures or prevent VLAN assignment.

The recommended mitigation is to configure your onboarding portal to instruct residents to disable "Private Address" (iOS) or "Randomised MAC" (Android) for the building's SSID. Alternatively, implement a pre-registration workflow where the resident authenticates via a web portal on first connection, binding their device's current MAC address to their profile. Purple's self-service portal handles this automatically.

Step 5: Self-service device management

Residents add new devices regularly. Provide a self-service portal or app where residents can register new MAC addresses, view connected devices, and reset their passphrase without contacting building management. Purple's resident portal handles this, reducing support tickets by up to 60% compared to manually managed networks (Purple internal data, 2025).

Best practices

To maximise the effectiveness of your iPSK deployment, follow these industry-standard recommendations:

Enforce Layer 2 isolation at the SSID level. Configure peer-to-peer blocking on the SSID, overriding it only for devices within the same assigned VLAN. This ensures the PAN functions correctly and prevents cross-resident traffic at the wireless layer, not just at the routing layer.

Design for RADIUS redundancy. Your network is only as reliable as your RADIUS infrastructure. Deploy primary and secondary RADIUS servers across different availability zones or data centres. Configure the WLC with appropriate failover timers - typically three to five seconds before switching to the secondary server.

Monitor RF health continuously. Even with fewer APs than a router-per-unit design, monitor channel utilisation and co-channel interference. Use the built-in RF analytics in Cisco Meraki, HPE Aruba Central, or Juniper Mist AI to detect and resolve interference automatically.

Align with GDPR and data protection standards. iPSK itself is a network authentication mechanism, not a data collection tool. However, the identity data you store in your RADIUS database (resident names, email addresses, device MAC addresses) is personal data under GDPR. Ensure your data retention policies, consent mechanisms, and data processing agreements are in place before go-live. Purple is GDPR, CCPA, ISO 27001, and Cyber Essentials certified.

Test your IoT device fleet before go-live. Most IoT devices work correctly with iPSK, but some older devices have quirks around the WPA2-PSK handshake. Run a pre-deployment compatibility test, particularly for any bespoke or legacy hardware such as older access control systems or building management sensors.

For a broader view of how to structure your network across guest, staff, and IoT traffic, see our guide on Three SSIDs to rule them all: guest, Passpoint, and IoT WiFi .

Troubleshooting and risk mitigation

Authentication timeouts

If the RADIUS server is slow to respond, the WLC may drop the client before the handshake completes. Monitor RADIUS response latency and ensure it remains below 200ms. If you are using a cloud RADIUS service, verify WAN uplink stability and configure local RADIUS caching where the hardware supports it.

DHCP exhaustion

If devices connect but fail to receive an IP address, your subnet is too small or lease times are too long. Monitor DHCP pool utilisation and expand the scope before it reaches 80% capacity. In a 200-unit building with 25 devices per unit, you need a minimum of 5,000 available addresses - a /19 subnet provides 8,190 usable addresses and gives you headroom for growth.

Roaming issues

In a multi-AP environment, ensure 802.11k (neighbour reports), 802.11v (BSS transition management), and 802.11r (fast BSS transition) are enabled to assist client roaming. If a device drops its connection when moving between APs, verify that the VLAN exists and is trunked correctly across all switches and access points. A common mistake is configuring the VLAN on the WLC but forgetting to add it to the trunk port on the distribution switch.

MAC randomisation causing authentication failures

If residents report intermittent disconnections, particularly after their device has been idle, MAC randomisation is the most likely cause. Check your RADIUS logs for Access-Reject messages from unknown MAC addresses. Implement the pre-registration workflow described in Step 4 of the implementation guide.

ROI and business impact

Deploying iPSK transforms WiFi from a sunk cost into a strategic asset for BTR operators and property developers.

Rent premium. Managed WiFi as an included amenity supports a rent premium of £15-30 per unit per month in the UK BTR market (Purple internal data, 2025). On a 200-unit development, that represents £36,000-£72,000 of additional annual revenue.

Reduced void periods. The "Instant-On" experience - where a resident receives their unique key before move-in day and is online the moment they arrive - reduces void periods by five to ten days. At an average monthly rent of £1,500 per unit, that is £250-£500 per void avoided.

Lower hardware costs. Removing individual routers from 200 units eliminates the capital cost of 200 consumer devices (typically £50-£100 each) and the ongoing support overhead of managing them. Enterprise APs placed in corridors cost more per unit but cover multiple flats, reducing the total device count significantly.

Reduced support overhead. Automated key provisioning and revocation, combined with self-service device management, reduces WiFi-related support tickets by up to 60% (Purple internal data, 2025). For a property management team handling 500 units, that represents a meaningful reduction in operational cost.

Analytics and data. Purple's WiFi Analytics platform provides insight into network utilisation, peak usage times, and device density per floor. This data informs decisions about AP placement, bandwidth provisioning, and future infrastructure investment.

For more on how Purple's Guest WiFi platform supports multi-tenant deployments, including the full feature set for resident onboarding and lifecycle management, visit our dedicated product pages.

For related reading on PPSK deployment models and how they compare to iPSK across different vendor implementations, see our guide on PPSK usm kubang kerian: comparing features and deployment models .