Uu PPSK hukumonline: comparing features and deployment models

Welcome to the Purple Technical Briefing. Today we're covering PPSK WiFi - Private Pre-Shared Key - what it is, how it compares to the alternatives, and where it actually makes sense to deploy it. Let's start with the problem it solves. In a traditional WPA2 Personal network, every device on the network shares the same password. That's fine for a home. It's a liability for a 200-unit Build to Rent development, a student accommodation block, or a hotel with 300 rooms. When one resident moves out, you either change the password for everyone - breaking every other resident's smart TV, thermostat, and console in the process - or you leave the old resident with access. Neither option is acceptable. PPSK solves this by giving each resident, each flat, or each device group its own unique WiFi key. They all connect to the same SSID - the same network name - but each key maps to a separate VLAN. Flat 12 is on VLAN 10. Flat 13 is on VLAN 20. The IoT devices are on VLAN 99. The access point handles the key-to-VLAN mapping automatically. No RADIUS server required. No certificate infrastructure. No 802.1X supplicant on the device. Now let's talk about the terminology, because it varies by vendor and that causes genuine confusion in the market. Aruba calls it PPSK - Private Pre-Shared Key. Cisco Meraki calls it iPSK - Identity PSK. Juniper Mist uses ePSK. Extreme Networks, who originally developed the concept under the Aerohive brand, call it Private PSK. Ubiquiti UniFi simply calls it PPSK. Cambium also uses ePSK. The underlying mechanism is identical across all of them: one SSID, multiple unique keys, each key tied to a VLAN or a policy group. Technically, here's what happens at the association layer. When a device connects, it presents its pre-shared key during the WPA2 four-way handshake. The access point - or the cloud controller behind it - looks up that key in the PPSK store, identifies which VLAN it maps to, and tags the device's traffic accordingly. The device sees a normal WiFi connection. It has no idea it's been placed in an isolated segment. Its Chromecast works. Its smart speaker pairs. Its console gets the right NAT type. Everything behaves like a home network - because from the device's perspective, it is. This is the key distinction from 802.1X, which is the enterprise standard for staff networks and corporate environments. 802.1X requires a RADIUS server, an identity provider - Microsoft Entra ID, Okta, or Google Workspace - and a supplicant on every device. That supplicant is the software component that handles the EAP authentication exchange. Every managed laptop, every corporate phone, has one. Your resident's smart fridge does not. Your building's HVAC controller does not. Your IoT sensors do not. PPSK works with all of them because it operates at the WPA Personal layer, not the WPA Enterprise layer. That said, PPSK is not a replacement for 802.1X in corporate environments. It's a different tool for a different problem. If you're running a staff network where individual accountability matters - 802.1X is the right answer. If you're running a residential network where you need per-household isolation, IoT support, and operational simplicity at scale, PPSK is the right answer. Let's look at the deployment models. There are three primary patterns in production today. The first is the cloud-controller model, which is the most common for new deployments. Your access points - whether that's Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, or Fortinet - connect to a cloud management platform. The PPSK key store lives in the cloud controller. When you provision a new resident, you create a key in the portal, assign it to a VLAN, and the controller pushes the policy to every access point in the building. The resident gets their key via email, SMS, or a QR code in a welcome pack, and connects. When they move out, you delete the key. Their devices stop connecting. Nobody else is affected. The second model is PPSK with a local RADIUS backend. Some enterprise deployments use a RADIUS server to store and validate PPSK credentials, which gives you centralised logging, audit trails, and integration with your identity management platform. This adds infrastructure overhead but gives you the accountability of 802.1X with the device compatibility of PPSK. The third model is hybrid: PPSK for residents and IoT, 802.1X for staff and management systems. This is the architecture Purple recommends for Build to Rent and multi-dwelling unit deployments. Residents get PPSK. Building management systems, CCTV, and access control get their own IoT VLAN with PPSK. The property management team's devices use 802.1X against Microsoft Entra ID or Okta. Three distinct authentication models, three distinct VLANs, one physical infrastructure. Now let's get into implementation. Start with your logical design before you touch hardware. Map out your resident count, your IoT device categories, and any staff or management systems. Assign VLANs. A typical BTR deployment looks like this: VLAN 10 through to whatever your unit count requires for residents, one VLAN per flat or one VLAN per floor depending on your density. VLAN 99 for IoT. VLAN 100 for building management. VLAN 200 for guest WiFi in common areas. In a 200-unit building, you're looking at 3,000 to 5,000 devices on the network at any given time. That's the 15 to 25 devices per household figure from British Property Federation research. Your DHCP scopes need to accommodate that. Use RFC 1918 private addressing with sufficient subnet sizes per VLAN. A slash 24 gives you 254 usable addresses. A slash 23 gives you 510. Size accordingly. On hardware selection: PPSK is supported across all major enterprise access point platforms. Cisco Meraki calls it iPSK and manages it through the Meraki dashboard. HPE Aruba implements it natively in ArubaOS and Aruba Central. Ruckus supports it through SmartZone. Juniper Mist uses ePSK with AI-driven RF management. Ubiquiti UniFi has had PPSK since 2023, though it's currently WPA2 only. Aruba, Ruckus, and Meraki all support PPSK on WPA3 configurations. Now the pitfalls. The first is SSID proliferation. Every SSID you broadcast consumes airtime for beacon frames. Keep it to a maximum of four SSIDs per radio. Use PPSK to serve multiple resident segments from a single SSID rather than creating a separate SSID per flat. The second pitfall is insufficient trunk port configuration. You design a clean VLAN scheme, deploy the access points, and then traffic silently drops because someone forgot to permit the relevant VLANs on a trunk link. Validate every trunk port during commissioning. Test it with a device on each VLAN before residents move in. The third pitfall is key distribution. Generating keys is easy. Getting them to residents securely is harder. A QR code in the welcome pack works well for move-in day. A resident portal is better for ongoing operations. Build the key distribution workflow before you deploy, not after. Now for rapid-fire questions. How many PPSK keys can a single access point handle? Cisco Meraki supports up to 5,000 iPSK entries per network. Aruba supports similar scale. Ubiquiti UniFi supports up to 1,000 PPSK entries per network. For a 200-unit building, you're well within limits on any platform. Does PPSK work with WPA3? Yes, on most enterprise platforms. WPA3-SAE provides stronger protection against offline dictionary attacks. The exception is UniFi, which is currently WPA2 only for PPSK. Can I integrate PPSK with my property management system? Yes, through the vendor's API. Purple's Multi-Tenant WiFi platform sits as a cloud overlay on top of your existing hardware and handles key provisioning, VLAN assignment, and resident onboarding through a single dashboard - with integrations into property management platforms for automated move-in and move-out workflows. To summarise. PPSK is the right authentication model for multi-tenant residential environments, student accommodation, and IoT-heavy deployments where device compatibility matters more than certificate-based identity. It delivers per-household network isolation, supports every device type, and scales to thousands of keys without RADIUS infrastructure. The hybrid model - PPSK for residents, 802.1X for staff - gives you the best of both worlds on a single physical network. The three things to get right from day one are: your VLAN design, your key distribution workflow, and your trunk port configuration. Get those three right, and the rest follows. For more on Purple's Multi-Tenant WiFi platform and how it handles PPSK provisioning at scale, visit purple dot ai. Thank you for listening.