Uu PPSK 2023: comparing features and deployment models

UU PPSK 2023: Comparing Features and Deployment Models. A Purple Technical Briefing. Welcome. Today we are going to cover one of the most important architectural decisions you will make when designing WiFi for a multi-tenant residential property: which pre-shared key model to deploy. Specifically, we are focusing on UU PPSK, which stands for Unique per-User Pre-Shared Key, and why it has become the architecture of choice for Build to Rent operators, student accommodation providers, and multi-dwelling unit landlords across the UK. Let us start with the problem. You are managing a building where dozens or hundreds of separate households share the same physical network infrastructure. Each resident needs a private, home-like WiFi experience. Their Chromecast needs to find their phone. Their smart speaker needs to talk to their bulbs. And critically, none of that should be visible to the resident in the flat next door. The traditional answer was either a shared password, which is a security liability at scale, or a full 802.1X enterprise deployment, which requires a Public Key Infrastructure, certificate management, and a RADIUS server that most property operators simply do not have the IT resource to run. Neither option is right for a 200-unit Build to Rent block. That is where PPSK comes in. PPSK stands for Private Pre-Shared Key. The concept is straightforward: instead of one shared WiFi password for the whole building, each resident gets their own unique passphrase. They connect to the same SSID, the same network name, but their key is theirs alone. If they move out, you revoke their key. It has zero effect on any other resident. Now, there are three distinct models here, and understanding the difference is critical to making the right architectural decision. The first model is a standard shared PSK. One password, everyone on the same network. This is what most buildings still run today. It is simple to deploy, but it is a single point of failure. One resident shares the password on a forum, and you have lost control of your network. You want to remove a contractor's access? You have to change the password for everyone. At scale, this is not manageable. The second model is Group PPSK. Here, you assign a unique key to each group of users, perhaps one key per floor, or one key per tenancy type. It is better than a shared password, but it still has a blast radius problem. If one key in a group is compromised, the entire group is affected. You still cannot isolate individual residents from each other at the network layer. The third model, and the one we are focusing on today, is UU PPSK. Unique per-User Pre-Shared Key. Also called iPSK by Cisco Meraki, DPSK by Ruckus, and MPSK by HPE Aruba. The terminology varies by vendor, but the concept is identical. Every single resident, every single device group, gets its own cryptographically unique key. And that key maps to its own VLAN, its own network segment, completely isolated from every other resident in the building. This is the architecture that delivers what we call the WiFi bubble. Resident A's devices can see each other, they can cast, they can pair, they can share files, exactly as they would on a home network. But Resident A cannot see a single device belonging to Resident B, even though they are both connected to the same access point, on the same SSID, using the same physical cable infrastructure. Let me walk you through the technical authentication flow, because this is where the mechanism becomes clear. When a resident's device connects to the SSID, the wireless LAN controller intercepts the connection attempt. During the WPA2 four-way handshake, the device presents its pre-shared key. The controller looks up that key in the PPSK database. It returns the unique VLAN ID assigned to that resident. The controller validates the key, and the device is authenticated and placed on its dedicated VLAN. Critically, that VLAN assignment also carries the correct bandwidth policy and firewall rules. So the device does not just get authenticated. It gets automatically placed on the correct network segment, from a single SSID. No SSID proliferation. No beacon overhead. One network name, hundreds of isolated private networks underneath it. Now, a word on MAC address randomisation, because this is the pitfall that catches most deployments out. Since iOS 14, Android 10, and Windows 11, devices use randomised MAC addresses by default for privacy reasons. If your authentication platform is doing a MAC lookup and the device presents a randomised address, the lookup fails and the device cannot connect. The solution is to implement a pre-registration workflow where residents register their device before connecting. Purple's platform handles this automatically as part of the resident onboarding flow. Let us talk about deployment models, because UU PPSK can be deployed in three distinct ways, and the right choice depends on your building size, your IT resource, and your budget. The first is controller-local PPSK. Here, the unique keys are stored directly on the wireless controller, with no external RADIUS server required. This works well for smaller deployments, up to around 50 units, and it is the simplest to operate. Ubiquiti UniFi supports this natively. The limitation is scalability. Most controllers cap out at a few hundred local PPSK entries, and you lose the centralised lifecycle management that makes UU PPSK operationally viable at scale. The second model is RADIUS-backed PPSK. Here, the keys are stored in an external RADIUS server, and the controller queries the RADIUS server for every new connection. This scales to thousands of units. Ruckus SmartZone, HPE Aruba ClearPass, and Cisco ISE all support this model. The operational overhead is higher, but the scalability and lifecycle management capabilities are significantly better. The third model, and the one Purple recommends for Build to Rent and multi-dwelling unit operators, is cloud RADIUS-as-a-Service. Here, the RADIUS infrastructure is hosted and managed by Purple, and you connect your access points to it via a cloud overlay. This gives you the scalability of RADIUS-backed PPSK without the operational overhead of running your own RADIUS server. Purple's platform sits on top of your existing hardware, whether that is Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, or Fortinet, and provides the orchestration layer for key provisioning, lifecycle management, and resident onboarding. The key lifecycle is fully automated. A resident moves in, their key is provisioned via the property management system integration. They move out, their key is revoked instantly, with no impact on any other resident. No manual intervention, no security gaps, no password rotation drama. Let me give you two concrete deployment scenarios to bring this to life. The first is a 250-unit Build to Rent development. The developer had specified Cisco Meraki access points throughout the building. They needed each resident to have a private WiFi experience with full IoT support, same-day move-in readiness, and the ability to support 15 to 25 devices per household. The architecture deployed was a single SSID across the building, with UU PPSK via Purple's cloud RADIUS service. Each resident received a unique key at move-in, delivered via the resident app. The key mapped to a dedicated VLAN with a private subnet, giving each household a fully isolated network segment. mDNS reflection was enabled within each VLAN, so Chromecast, Apple TV, and Sonos all worked as expected. The building went live with 250 active resident VLANs on day one, with zero manual RADIUS configuration required by the on-site team. The second scenario is a 400-bed purpose-built student accommodation block. The challenge here is the annual cohort turnover. Every August, 400 students move out and 400 new students move in, often within the same week. With a shared PSK model, that means a building-wide password rotation affecting every returning resident. With UU PPSK, it means revoking 400 keys and provisioning 400 new ones, all automated via the student management system integration. The deployment used Ruckus SmartZone with DPSK, backed by Purple's RADIUS service. Each student received their unique key via email during pre-arrival registration. The operations team reported a 70% reduction in WiFi-related support tickets in the first term, primarily because the Chromecast and smart TV pairing issues that had plagued the previous shared PSK deployment were completely eliminated. Now let me cover three practical rules of thumb before we move to the rapid-fire questions. Rule one: if your building has more than 50 units, use RADIUS-backed UU PPSK, not controller-local PPSK. The scalability ceiling of controller-local PPSK will cause you problems within 12 months of go-live. Rule two: plan for MAC randomisation from day one. Build a pre-registration workflow into your resident onboarding process. Do not assume devices will present their permanent MAC address by default. Rule three: automate the key lifecycle. The operational value of UU PPSK over a shared PSK is entirely dependent on keys being provisioned and revoked automatically. Manual key management at scale is not viable. Integrate with your property management system from the outset. Right, let us do a rapid-fire round on the questions I get asked most often. Does UU PPSK work with WPA3? Yes, with caveats. WPA3-SAE changes the handshake mechanism. Most modern controllers support UU PPSK in WPA2 and WPA3 transition mode for backward compatibility. If you are specifying WiFi 6E access points that mandate WPA3 on the 6 gigahertz band, verify your vendor's specific support before purchasing hardware. How many unique keys can a single SSID support? This depends on your controller platform. With an external RADIUS server, the practical limit is your RADIUS database capacity. Purple's cloud RADIUS service scales to tens of thousands of concurrent keys. Is UU PPSK a replacement for 802.1X? No. For fully managed corporate device fleets, 802.1X remains the right answer. UU PPSK is the right answer for residential networks where you need per-household isolation, IoT support, and operational simplicity at scale. What about GDPR compliance? UU PPSK gives you a complete audit trail. Every connection is tied to a specific resident key, which is tied to a specific tenancy record. With a shared PSK, that accountability is impossible. UU PPSK is the only architecture that allows you to respond accurately to a subject access request or a law enforcement enquiry. To summarise: UU PPSK is the authentication architecture that makes multi-tenant WiFi operationally viable at residential scale. It delivers per-resident network isolation, automates key lifecycle management, and supports the full range of consumer IoT devices without requiring enterprise certificate infrastructure. For any Build to Rent development or multi-dwelling unit property with more than 50 units, it is the architecture you should be specifying today. If you want to explore how Purple's Multi-Tenant WiFi solution can work with your existing hardware, visit purple dot ai or speak to one of our network architects. Thank you for listening.