Klinik audiologi PPSK usm: comparing features and deployment models

Speak in British English with a confident, authoritative, and conversational tone, like a senior network consultant briefing a client in a boardroom. Measured pace, clear diction, occasional warmth. Not a lecture - a briefing: Welcome to the Purple Technical Briefing. Today we are covering PPSK WiFi in the context of healthcare and specialist clinic environments - specifically, what Private Pre-Shared Key authentication is, how it compares to the alternatives, and where it makes practical sense to deploy it. [medium pause] Let us start with the problem it solves. In a traditional WPA2 Personal network, every device on the network shares the same password. That is fine for a home. It is a liability for a multi-department healthcare facility, a university clinic, or a specialist audiology centre. When a member of staff leaves, you either change the password for everyone - breaking every other clinician's laptop, tablet, and diagnostic device in the process - or you leave the former employee with access. Neither option is acceptable from a governance standpoint. [short pause] PPSK solves this by giving each staff member, each department, or each device category its own unique WiFi key. They all connect to the same SSID - the same network name - but each key maps to a separate VLAN. The clinical staff are on VLAN 10. Patient and visitor WiFi is on VLAN 20. The audiometric equipment and medical IoT devices are on VLAN 99. The access point handles the key-to-VLAN mapping automatically. No RADIUS server required in the basic deployment model. No certificate infrastructure. No 802.1X supplicant on the device. [medium pause] Now let us talk about the terminology, because it varies by vendor and that causes genuine confusion. HPE Aruba calls it PPSK - Private Pre-Shared Key. Cisco Meraki calls it iPSK - Identity PSK. Juniper Mist uses ePSK. Extreme Networks, who originally developed the concept under the Aerohive brand, also call it Private PSK. Ubiquiti UniFi simply calls it PPSK. Cambium uses ePSK as well. The underlying mechanism is identical across all of them: one SSID, multiple unique keys, each key tied to a VLAN or a policy group. [short pause] Technically, here is what happens at the association layer. When a device connects, it presents its pre-shared key during the WPA2 four-way handshake. The access point - or the cloud controller behind it - looks up that key in the PPSK store, identifies which VLAN it maps to, and tags the device's traffic accordingly from that point forward. The device sees a normal WiFi connection. It has no idea it has been placed in an isolated segment. Its diagnostic software connects. Its hearing aid programmer pairs. Everything behaves as expected. [medium pause] This is the key distinction from 802.1X, which is the enterprise standard for staff networks and corporate environments. 802.1X requires a RADIUS server, an identity provider - Microsoft Entra ID, Okta, or Google Workspace - and a supplicant on every device. That supplicant is the software component that handles the EAP authentication exchange. Every managed laptop, every corporate phone, has one. Your clinic's audiometer does not. Your building management system does not. Your IoT sensors do not. PPSK works with all of them because it operates at the WPA Personal layer, not the WPA Enterprise layer. [short pause] That said, PPSK is not a replacement for 802.1X in environments where individual accountability is paramount. It is a different tool for a different problem. If you are running a staff network where you need to know that a specific clinician authenticated at a specific time, and you need to revoke their access the moment they leave the organisation, 802.1X is the right answer. If you are running a mixed environment where you need per-department isolation, IoT support, and operational simplicity at scale, PPSK is the right answer for the IoT and visitor segments. [medium pause] Let us look at the three primary deployment models in production today. [short pause] The first is the cloud-controller model, which is the most common for new deployments. Your access points - whether that is Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, or Fortinet - connect to a cloud management platform. The PPSK key store lives in the cloud controller. When you provision a new staff member or a new device category, you create a key in the portal, assign it to a VLAN, and the controller pushes the policy to every access point in the building. When someone leaves, you delete the key. Their devices stop connecting. Nobody else is affected. [short pause] The second deployment model is PPSK with a local RADIUS backend. Some enterprise deployments use a RADIUS server to store and validate PPSK credentials, which gives you centralised logging, audit trails, and integration with your identity management platform. This adds infrastructure overhead but gives you the accountability of 802.1X with the device compatibility of PPSK. It is the right model for mixed environments - say, a university health sciences facility where you have both managed clinical devices and student-owned equipment. [short pause] The third model is hybrid: PPSK for IoT and visitor segments, 802.1X for clinical staff and management systems. This is the architecture Purple recommends for healthcare and specialist clinic deployments. Clinical staff get 802.1X against Microsoft Entra ID or Okta. Patients and visitors get a captive portal on a separate SSID. Medical devices and building systems get PPSK on an isolated IoT VLAN. Three distinct authentication models, three distinct VLANs, one physical infrastructure. [medium pause] Now let us get into implementation specifics. Start with your logical design before you touch hardware. Map out your device categories: clinical staff devices, patient and visitor devices, medical IoT equipment, and building management systems. Assign VLANs. A typical clinic deployment looks like this: VLAN 10 for clinical staff, VLAN 20 for patient and visitor WiFi, VLAN 99 for medical IoT, VLAN 100 for building management. Document your IP addressing scheme. In a facility with 50 clinical staff and 200 connected devices, you need DHCP scopes sized appropriately per VLAN. [short pause] On hardware selection: PPSK is supported across all major enterprise access point platforms. One critical constraint to flag: Ubiquiti UniFi's PPSK implementation is WPA2 only as of mid-2025. If you are specifying WiFi 6E access points and want to use the 6 gigahertz band for PPSK clients, you will need a platform that supports WPA3-SAE with PPSK - Aruba, Ruckus, and Meraki all support this configuration. [medium pause] Now let us talk about the pitfalls. The first is SSID proliferation. Every SSID you broadcast consumes airtime for beacon frames. In a dense clinical environment, if you are broadcasting six or eight SSIDs per access point, you are degrading performance for everyone. Keep it to a maximum of four SSIDs per radio. Use PPSK to serve multiple device segments from a single SSID rather than creating a separate SSID per department. [short pause] The second pitfall is insufficient trunk port configuration. You design a clean VLAN scheme, deploy the access points, and then traffic silently drops because someone forgot to permit the relevant VLANs on a trunk link between the distribution switch and the access layer. Validate every trunk port during commissioning. Test it with a device on each VLAN before the facility goes live. [short pause] The third pitfall is key distribution. Generating keys is easy. Getting them to the right people in a secure and operationally manageable way is harder. For clinical staff, a welcome email with a QR code works well. For medical devices, pre-configure the keys during device commissioning. Build the key distribution workflow before you deploy, not after. [medium pause] Now for a rapid-fire question and answer on the topics that come up most often. [short pause] How many PPSK keys can a single access point handle? Most enterprise platforms support thousands of keys per SSID. Cisco Meraki supports up to 5,000 iPSK entries per network. Aruba supports similar scale. Ubiquiti UniFi supports up to 1,000 PPSK entries per network. For a clinic with 200 connected devices, you are well within limits on any platform. [short pause] Does PPSK satisfy healthcare data governance requirements? PPSK provides network-layer isolation between VLANs, which supports your segmentation requirements. However, it does not replace application-layer security, encryption of data in transit, or your broader information governance framework. You still need WPA2 or WPA3 encryption on the wireless link, TLS on clinical applications, and appropriate firewall rules between VLANs. [short pause] Can I integrate PPSK with my facility management system? Yes, through the vendor's API. Aruba Central, Meraki, Ruckus, and Mist all expose REST APIs for PPSK key management. You can automate key provisioning and revocation as part of your HR or facilities onboarding workflow. [medium pause] To summarise. PPSK sits between standard PSK and full 802.1X in the authentication spectrum. It gives you per-device isolation and VLAN assignment without the infrastructure overhead of a RADIUS server and certificate authority. For healthcare clinics, specialist facilities, and university health sciences environments, the recommended architecture is hybrid: 802.1X for managed clinical staff devices, PPSK for medical IoT and building systems, and a captive portal for patient and visitor WiFi. Purple's Multi-Tenant WiFi platform supports this architecture across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet hardware. [short pause] The next step is a network audit. Map your current device inventory, identify which devices cannot support 802.1X supplicants, and use that list to define your PPSK segments. That audit typically takes half a day and gives you everything you need to write the VLAN design. [medium pause] That is it for today's briefing. If you want to go deeper on any of these topics, the full technical reference guide is available on the Purple website. Thank you for listening.