Kepanjangan iPSK: a comprehensive guide for businesses

Welcome to the Purple technical briefing series. Today we are covering iPSK - Identity Pre-Shared Key - what it actually stands for, how it works under the hood, and why it matters if you are a property developer, landlord, or BTR operator deploying WiFi across a multi-tenant building. [medium pause] Let us start with the basics. iPSK stands for Identity Pre-Shared Key. The full term in Indonesian and Malay-speaking markets is "kepanjangan iPSK" - which simply means "iPSK abbreviation" or "what iPSK stands for." If you have landed on this guide because you searched that phrase, you are in the right place. We are going to cover the full picture - the technology, the architecture, and the practical deployment decisions you need to make this quarter. [medium pause] So. What is iPSK, and why does it exist? Traditional WiFi networks use a single pre-shared key - one password for everyone on the same SSID. That works fine in a home. It falls apart the moment you have hundreds of households sharing the same infrastructure. If one resident shares the password with someone who should not have it, you have to reset the password for every single resident in the building. That is operationally painful, and it breaks every smart device, every Chromecast, every smart speaker in the building simultaneously. iPSK solves this by issuing a unique WiFi password to each resident - or each household - while keeping them all on a single SSID. The access point intercepts the connection attempt, sends the device's MAC address to a RADIUS server, and the RADIUS server responds with the correct passphrase for that specific device. The access point then uses that passphrase to complete the WPA2 handshake. From the resident's perspective, they just typed in their WiFi password. From the network's perspective, they have been authenticated, isolated, and assigned to their own private network segment. [medium pause] Let us talk about the vendor terminology, because this trips people up. Cisco Meraki calls it WPN - WiFi Personal Network. HPE Aruba calls it PPSK - Private Pre-Shared Key. Ruckus uses the term DPSK - Dynamic Pre-Shared Key. Juniper Mist supports it natively. The underlying concept is identical across all four platforms. Purple's Multi-Tenant WiFi runs as a cloud overlay on top of all of them - Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme Networks, and Fortinet. You do not need to replace your hardware to deploy iPSK. [medium pause] Now let us get into the architecture. There are three components in an iPSK deployment. First, the access points - these are your physical hardware, whatever you have installed. Second, a RADIUS server - this is the authentication engine that holds the mapping between MAC addresses and passphrases. Third, a management layer - something that provisions keys at move-in, revokes them at move-out, and handles self-service for residents who need to add a new device. Purple provides the second and third components as a cloud service. We act as the RADIUS-as-a-Service layer, and we provide the resident-facing portal for key management. You bring the access points. [medium pause] When a resident connects a new device, here is what happens in sequence. The device sends an association request to the SSID. The access point forwards the device's MAC address to the Purple RADIUS server. Purple looks up the MAC address, finds the resident's assigned passphrase, and returns it as a Cisco AV-pair in the RADIUS Access-Accept response. The access point uses that passphrase to complete the WPA2 four-way handshake. The device is connected. The entire process takes under two hundred milliseconds. If the device's MAC address is not in the system - say, a new device the resident has not registered yet - the RADIUS server returns an Access-Reject. The device cannot connect until the resident registers it through the self-service portal. [medium pause] This brings us to VLAN assignment. One of the most powerful features of iPSK with RADIUS is dynamic VLAN tagging. The RADIUS server does not just return the passphrase - it can also return a VLAN ID in the same response. This means every resident's traffic lands in its own VLAN automatically, without any manual switch configuration. Resident A's traffic goes to VLAN 101. Resident B's traffic goes to VLAN 102. The building management network sits on VLAN 10. IoT devices - smart locks, thermostats, sensors - can be placed on a dedicated IoT VLAN with restricted internet access and no lateral movement to resident segments. This is the architecture that makes iPSK genuinely enterprise-grade, rather than just a convenience feature. Let us look at a real deployment scenario. A 200-unit Build to Rent development in Manchester. The developer specified Cisco Meraki access points - one per apartment, plus hallway units for roaming. Purple was deployed as the RADIUS and management layer. At move-in, each resident receives a QR code via email. They scan it, and all their devices connect automatically. No IT helpdesk call. No password sheet. The resident's key is tied to their tenancy record in the property management system. When they move out, the key is revoked in Purple's dashboard. Their devices stop connecting. No other resident is affected. The result: support tickets related to WiFi dropped by over 60% compared to the previous building the developer managed, which used a shared password model. Move-in day WiFi activation went from a two-hour process to under five minutes per resident. [medium pause] Second scenario. A 450-bed purpose-built student accommodation block. The challenge here is density - fifteen to twenty-five devices per room, and a cohort move-in week in September where three hundred students arrive simultaneously. With a traditional shared-password model, the support desk is overwhelmed. With iPSK, each student receives their key during the pre-arrival onboarding flow. They arrive, scan the QR code, and they are connected. The RADIUS server handles the authentication load automatically. Purple's infrastructure runs at 99.999% uptime - that is the SLA we publish and stand behind. [medium pause] Now, implementation pitfalls. There are three that come up repeatedly. First: MAC address randomisation. Modern iOS and Android devices randomise their MAC address by default when scanning for networks. This breaks MAC-based RADIUS lookups because the device presents a different MAC each time it probes. The fix is to use per-network stable MAC addresses - iOS 14 and Android 10 both support this. You need to communicate this to residents during onboarding. Purple's resident portal handles this with clear instructions. Second: IoT device onboarding. Smart home devices - thermostats, smart locks, Zigbee hubs - often cannot display a QR code or enter a passphrase through a standard flow. The solution is a dedicated IoT SSID with a separate iPSK pool, or a provisioning flow where the resident registers the device's MAC address through the portal before connecting it. Purple supports both approaches. Third: RADIUS server availability. If your RADIUS server goes down, new device connections fail. Existing connected devices stay connected because the WPA2 session is already established, but new associations will not complete. This is why Purple's RADIUS-as-a-Service runs on redundant infrastructure with that 99.999% uptime guarantee. Do not run iPSK on a single on-premises RADIUS server without a failover. [medium pause] Let us close with the business case, because this is ultimately what matters to a property developer or landlord. WiFi-as-amenity carries a measurable rent premium in the BTR sector. Research from the British Property Federation puts this at fifteen to thirty pounds per unit per month. Across a 200-unit building, that is between thirty-six thousand and seventy-two thousand pounds of additional annual revenue. Void periods are shorter when move-in WiFi is ready on day one - typically five to ten days shorter per void, according to sector benchmarks. And the cost of deploying iPSK as a software overlay on existing hardware is significantly lower than per-unit broadband contracts, which typically capture the value for the ISP rather than the operator. The operational case is equally strong. One key per resident means one revocation at move-out. No building-wide password resets. No support tickets from residents whose Chromecast stopped working because someone else's device is on the same subnet. The network behaves like a private home network for each resident, while the operator manages everything from a single cloud dashboard. [medium pause] Quick-fire questions before we wrap up. Does iPSK work with WPA3? Not yet in the standard implementation - WPA3 uses SAE, which changes the handshake mechanism. Most vendors are working on WPA3-compatible iPSK, but as of mid-2025, WPA2 is the production-ready standard for iPSK deployments. Can I run iPSK without a RADIUS server? Cisco Meraki supports up to 5,000 iPSKs without RADIUS in firmware MR 30.1 and above. For smaller deployments this is viable. For anything above a hundred units, RADIUS gives you the automation, the VLAN assignment, and the lifecycle management you need. How many keys can a RADIUS-based iPSK deployment support? Effectively unlimited - the limit is your RADIUS server's database, not the protocol. Purple has deployed iPSK across buildings with over a thousand units without performance issues. [medium pause] To summarise. iPSK - Identity Pre-Shared Key - gives each resident a unique WiFi credential on a shared SSID. The RADIUS server handles authentication, passphrase delivery, and VLAN assignment in a single round trip. Purple provides the RADIUS-as-a-Service layer and the resident management portal, running on Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet hardware. If you are planning a BTR, student accommodation, or MDU deployment and want to see how iPSK fits your specific building, speak to the Purple team. We have deployed this across 80,000 venues and 350 million unique users. We know what works. Thanks for listening.