Nama ff iPSK ind: a comprehensive guide for businesses

Executive summary

For Build-to-Rent (BTR) operators, property developers, and MDU landlords, WiFi is no longer a nice-to-have amenity. It is the utility residents evaluate before they sign a lease. Traditional approaches fail at scale: shared PSK networks expose one resident's devices to every neighbour, 802.1X Enterprise authentication blocks the smart home devices residents rely on, and a physical router in every unit creates severe radio frequency (RF) interference that degrades speeds for the whole building.

Identity PSK (iPSK) resolves all three problems. It issues a unique WiFi passphrase to every household on a single building-wide network. Each passphrase maps to an isolated VLAN, creating a private "WiFi bubble" per resident. Devices within the bubble discover each other - phones cast to TVs, consoles connect to the internet, smart speakers respond to voice commands - while remaining completely invisible to neighbours. Purple delivers this as a hardware-agnostic cloud overlay, running on Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet access points you already own. The result is a £15-30 per unit per month rent premium, 5-10 day shorter void periods, and a 30-50% reduction in per-door connectivity costs compared to individual broadband contracts.

Technical deep-dive

What iPSK actually does

iPSK (Identity Pre-Shared Key) - known as PPSK by HPE Aruba, Personal Private Network by Cisco Meraki, and ePSK by Cambium and Juniper Mist - allows a single SSID to accept thousands of different passphrases simultaneously. Each passphrase is unique to a resident or household. The network uses that passphrase as an identity signal, not just a door key.

When a resident's device connects, the access point (AP) does not simply check whether the password is correct. It forwards the authentication request to a RADIUS (Remote Authentication Dial-In User Service) server. The RADIUS server validates the passphrase against the resident's profile and returns an Access-Accept message containing specific policy attributes - most importantly, the VLAN ID assigned to that resident. The AP then tags all traffic from that device with the correct VLAN, placing it inside the resident's isolated network segment.

This dynamic VLAN assignment is the mechanism that creates the per-resident WiFi bubble. Resident A's phone, laptop, and smart TV all share the same VLAN and can communicate freely using multicast and broadcast protocols (mDNS for AirPlay and Chromecast, SSDP for DLNA). Resident B's devices sit in a completely separate VLAN and are invisible to Resident A, even though both households share the same physical access points.

Why 802.1X does not work for residential

IEEE 802.1X is the gold standard for enterprise network authentication. It requires each device to present a username and password or a digital certificate to a RADIUS server via an EAP (Extensible Authentication Protocol) exchange. The problem in residential environments is device compatibility. Smart bulbs, voice assistants, gaming consoles, and most IoT sensors do not include an 802.1X supplicant. They cannot participate in an EAP exchange. Forcing 802.1X on a residential network means residents cannot connect their smart home devices, generating a flood of support calls and significant resident dissatisfaction.

iPSK uses WPA2-Personal or WPA3-Personal at the client level, which every consumer device supports. The enterprise-grade identity logic runs entirely on the backend between the AP and the RADIUS server, invisible to the connecting device.

Authentication flow in detail

The sequence below describes what happens from the moment a resident's device connects:

1. The device broadcasts a probe request and associates with the SSID.
2. The device sends its passphrase during the WPA2/WPA3 four-way handshake.
3. The AP intercepts the passphrase and constructs a RADIUS Access-Request, including the device MAC address and the passphrase as a Cisco AV-Pair attribute (psk-mode and psk-password).
4. The cloud RADIUS server (Purple's RADIUS-as-a-Service) validates the passphrase against the resident database.
5. On success, the RADIUS server returns an Access-Accept with the VLAN ID, QoS policy, and bandwidth profile for that resident.
6. The AP assigns the device to the specified VLAN and completes the association.
7. The device receives an IP address from the DHCP scope for that VLAN and is online within its isolated segment.

The entire sequence completes in under 500 milliseconds and is transparent to the resident.

Vendor implementation notes

The core concept is standardised, but vendor implementations differ in terminology and configuration:

Purple's cloud RADIUS layer abstracts these vendor differences, presenting a single management interface regardless of the underlying hardware.

Implementation guide

Step 1: Network segmentation and IP addressing

High-density residential networks demand careful subnet planning. A typical household connects 15-25 devices. A 200-unit building can host 3,000-5,000 concurrent devices at peak. A standard /24 subnet provides 254 usable IP addresses - insufficient for even a single floor.

Use /20 or /21 subnets for client VLANs. A /20 provides 4,094 usable addresses; a /21 provides 2,046. Assign a dedicated management VLAN for your network infrastructure, a separate VLAN for building IoT systems (access control, CCTV, HVAC), and individual resident VLANs handled dynamically by the RADIUS server.

Enable client isolation between VLANs at the AP level, but ensure intra-VLAN communication is permitted so that devices within the same resident's bubble can communicate freely.

Step 2: RADIUS-as-a-Service integration

Purple's cloud RADIUS eliminates the need to deploy and maintain on-premises RADIUS infrastructure. Configure your APs to point to Purple's RADIUS endpoints (primary and secondary for redundancy). Purple operates at 99.999% uptime, ensuring authentication availability even during maintenance windows.

For properties using Microsoft Entra ID or Okta as their identity provider, Purple integrates via SCIM (System for Cross-domain Identity Management) to synchronise resident profiles automatically. This means when a resident is added or removed in your identity provider, their iPSK is provisioned or revoked without manual intervention.

Step 3: Automating the tenant lifecycle

The operational efficiency of iPSK depends on integration with your Property Management System (PMS). The workflow should be:

At lease signing: The PMS triggers an API call to Purple. Purple generates a unique iPSK for the unit, stores it against the resident's profile, and emails the passphrase to the resident. No manual IT involvement required.

At move-in: The resident connects their devices using the emailed passphrase. All devices are immediately placed in their isolated VLAN. The experience is identical to setting up a home broadband router.

During tenancy: The resident uses the Purple app to add new devices, check connectivity status, and manage their network. Headless IoT devices (smart plugs, sensors) can be registered by MAC address through the self-service portal.

At move-out: The PMS triggers a revocation API call. Purple immediately invalidates the resident's iPSK. No other resident is affected. The unit's VLAN is cleared and ready for the next resident.

Step 4: RF planning and access point placement

Replacing per-unit routers with a managed network reduces the number of radio transmitters in the building dramatically. In a 200-unit building, removing 200 consumer routers eliminates a significant source of co-channel interference. Deploy enterprise APs in corridors or purpose-built in-unit positions, targeting -65 dBm or better signal strength at the furthest point in each unit.

For buildings with thick concrete walls or complex floor plans, use wall-mount APs deployed inside units rather than corridor-mounted APs. Coordinate with your AP vendor's RF planning tools (Cisco Meraki RF Planner, Aruba AirMatch, Ruckus SmartRF) to model coverage before installation.

Best practices

Broadcast traffic management

High device density amplifies broadcast traffic. mDNS, ARP, and SSDP frames from thousands of devices can consume significant airtime. Enable Multicast-to-Unicast conversion on your APs to convert broadcast frames into targeted unicast transmissions. This reduces airtime waste and improves battery life for mobile devices.

For mDNS specifically, deploy an mDNS gateway or proxy (available natively on Cisco Meraki, Aruba, and Ruckus) to handle service discovery across VLANs where needed, such as for building-wide printing services in common areas.

CGNAT and gaming NAT types

IPv4 address exhaustion in large deployments requires Carrier-Grade NAT (CGNAT). However, strict CGNAT configurations break peer-to-peer gaming traffic, resulting in Strict or Type 3 NAT on PlayStation and Xbox consoles. Configure your gateway to support UPnP (Universal Plug and Play) or PCP (Port Control Protocol) for resident VLANs. This allows consoles to automatically negotiate open port mappings without requiring manual firewall rules.

Security and GDPR compliance

Resident WiFi data sits in a sensitive privacy context. Residents have an ongoing relationship with the operator, and data exposure extends over years rather than minutes. Key compliance considerations include:

Resident isolation as a privacy requirement: Under GDPR, operators have a duty of care to prevent one resident from accessing another's data or devices. iPSK's VLAN isolation is the technical mechanism that satisfies this requirement.

Data retention: Retain resident-identifiable WiFi connection logs only as long as operationally necessary. Six months is a common ceiling for security and compliance purposes.

Data residency: Purple stores data in EU-based infrastructure by default, with options for UK-specific data residency post-Brexit. Purple holds ISO 27001, GDPR, and Cyber Essentials certifications.

Consent: Residents should acknowledge a clear acceptable use policy at onboarding. Purple's self-service portal includes configurable consent flows.

Real-world case studies

Case study 1: 350-unit BTR development

A property developer managing a 350-unit BTR complex in a major UK city faced three problems: 350 individual consumer routers creating severe RF interference, a 72-hour average wait for broadband activation that delayed move-ins, and a support team spending 40% of their time on WiFi-related tickets.

The operator deployed Purple's Multi-Tenant WiFi across the building using existing Cisco Meraki APs. Purple integrated with the property's existing PMS via API. Upon lease signing, residents received their unique iPSK by email. On move-in day, connectivity was instant. The RF environment improved significantly with the removal of 350 consumer routers, and average speeds across the building increased by 35%. Support tickets related to WiFi dropped by 60% in the first three months, attributed to the self-service device management portal and the elimination of smart device pairing issues.

Case study 2: 1,200-bed student accommodation

A purpose-built student accommodation (PBSA) provider needed to onboard 1,200 students in a single weekend at the start of the academic year. The previous shared-PSK system required staff to manually distribute password sheets and handle hundreds of support calls from students unable to connect gaming consoles and smart TVs.

With iPSK deployed via Purple on HPE Aruba access points, each student received their unique passphrase with their welcome pack before arrival. Students registered their headless devices (consoles, smart TVs) via the Purple app during the week before move-in. On arrival weekend, the IT team handled fewer than 20 connectivity support calls across 1,200 students - a 94% reduction compared to the previous year. The mDNS proxy configuration resolved all Chromecast and AirPlay pairing issues that had previously generated the highest volume of tickets.

ROI and business impact

For BTR and MDU operators, the financial case for managed iPSK WiFi is straightforward. The British Property Federation's research and Purple's own data from 80,000+ live venues support the following benchmarks:

The net operating income (NOI) impact compounds across three vectors: the direct rent premium, the reduction in void-period revenue loss, and the reduction in IT support overhead. In a 200-unit building at a £20 per unit per month premium, the annual revenue uplift is £48,000. Eliminating 200 consumer routers at an average replacement cost of £80 each saves £16,000 in hardware alone over a five-year cycle, before accounting for energy savings and maintenance time.

Purple's pricing model is per-unit per-month with no bundled broadband contract, meaning the operator captures the full value of the WiFi amenity rather than sharing it with a third-party ISP.

Further reading

For related network design topics, see Three SSIDs to rule them all: guest, Passpoint, and IoT WiFi and the iPSK: una guía completa para empresas reference guide. For the underlying platform, explore Guest WiFi and WiFi Analytics . Purple serves operators across Hospitality , Retail , Healthcare , and Transport verticals.