PPSK unifi: comparing features and deployment models

Executive summary

For property developers and IT managers running multi-tenant buildings, the central WiFi challenge is this: residents expect a home network experience - devices that discover each other, smart TVs that cast, consoles that connect - but on shared infrastructure that must keep every household isolated from every other. Standard PSK fails on isolation. 802.1X fails on IoT device compatibility. PPSK, or Private Pre-Shared Key, solves both.

PPSK broadcasts a single SSID across the entire building while issuing a unique password to each resident. The network uses that password to assign every connecting device to a dedicated VLAN, creating an isolated micro-network per household. Devices within the same resident's VLAN communicate freely; devices on different VLANs remain invisible to each other.

On Ubiquiti UniFi hardware, PPSK is available natively for small deployments, and via Purple's cloud RADIUS overlay for enterprise scale. This guide covers both models, the protocol constraints you need to know, and the commercial case for deploying managed WiFi as a revenue-generating amenity.

Technical deep-dive: PPSK vs 802.1X vs PSK

Understanding where PPSK fits requires a direct comparison against the two dominant enterprise authentication standards.

Standard PSK

WPA2/WPA3-Personal uses a single password for all clients on an SSID. Every device shares the same broadcast domain. In a multi-tenant building, this means Resident A can see Resident B's devices. You can enable client isolation on the access point to prevent direct device-to-device communication, but doing so breaks local network functionality entirely - smart speakers cannot control smart lights, phones cannot cast to TVs, and game consoles cannot discover local services. Standard PSK is not viable for residential multi-tenant use.

802.1X (WPA-Enterprise)

802.1X authenticates users via a RADIUS server using unique credentials (username and password) or certificates, with EAP-TLS or PEAP as the common authentication methods. It provides strong security and supports dynamic VLAN assignment via RADIUS attributes (specifically, Tunnel-Private-Group-ID). However, 802.1X requires the connecting device to run a supplicant - software that negotiates the authentication handshake. Most consumer IoT devices, smart TVs, and game consoles do not include a supplicant. They accept only a simple password. Mandating 802.1X in a residential environment immediately excludes a significant portion of the devices residents want to connect.

PPSK (Private Pre-Shared Key)

PPSK - also called iPSK (Identity Pre-Shared Key) by Cisco Meraki and Purple, and Personal Private Network by some vendors - bridges the gap. It uses WPA2 encryption, which every device supports, but maps each unique password to a specific VLAN. The access point (or an external RADIUS server) performs this mapping at association time. The result is per-resident isolation without requiring any special client software.

The WPA3 constraint. PPSK is fundamentally incompatible with WPA3. WPA3 uses Simultaneous Authentication of Equals (SAE), which requires the access point to know the pre-shared key before the authentication handshake begins. PPSK determines which key is being used during authentication. These requirements are mutually exclusive. If you deploy PPSK on UniFi, you are on WPA2, and you cannot use 6 GHz bands.

Implementation guide: 2 deployment models

Model 1: Native UniFi PPSK (small-scale deployments)

Ubiquiti added native PPSK support to the UniFi Network application in recent firmware releases. This model suits small coworking spaces, boutique MDU buildings, or pilot deployments.

Step 1: VLAN configuration. In the UniFi controller, navigate to Settings > Networks and create a dedicated VLAN for each tenant. Assign each VLAN a unique ID (e.g., VLAN 101 for Unit 1, VLAN 102 for Unit 2).

Step 2: Network creation. Navigate to Settings > WiFi and add a new wireless network. Set the security protocol to WPA2 Personal.

Step 3: Enable PPSK. In the WiFi settings, enable the Private Pre-Shared Keys option. The controller will prompt you to create individual passwords.

Step 4: Key-to-VLAN mapping. For each password you create, assign it to the corresponding VLAN. The access point will use the password to determine VLAN placement at connection time.

Step 5: mDNS configuration. Ensure your UniFi gateway or USG is configured to allow mDNS reflection within each VLAN while blocking cross-VLAN multicast. This is essential for device discovery (Chromecast, Apple Bonjour, Sonos).

Limitations of native PPSK. Manual key management becomes operationally unviable beyond a few dozen units. There is no automated provisioning or revocation. When a tenant moves out, you must manually delete their key from the controller. There is no integration with property management systems.

Model 2: Cloud RADIUS overlay with Purple (enterprise scale)

For large BTR or student accommodation properties, Purple provides a hardware-agnostic software overlay that integrates with UniFi access points via RADIUS. This model automates the entire credential lifecycle.

Step 1: RADIUS profile configuration. In the UniFi controller, navigate to Settings > Profiles > RADIUS and create a new profile. Enter Purple's cloud RADIUS server addresses and the shared secret provided during Purple onboarding.

Step 2: SSID configuration. Create a wireless network using WPA2 Enterprise. Select the RADIUS profile created in Step 1. Purple's RADIUS server handles authentication and returns the VLAN assignment via the Tunnel-Private-Group-ID attribute.

Step 3: Property management integration. Connect Purple to your property management system (PMS) via API or webhook. When a new tenancy is created in the PMS, Purple automatically generates a unique PPSK and provisions the corresponding VLAN.

Step 4: Resident onboarding. The resident receives their credentials via the Purple app or a welcome email. They use this single password for all their devices - phones, laptops, smart TVs, consoles, and IoT sensors.

Step 5: Automated offboarding. When the tenancy ends, the PMS triggers Purple to revoke the key. Access is terminated instantly. No other resident is affected.

This model runs on Purple's cloud RADIUS infrastructure, which supports 80,000+ venues and maintained 99.999% uptime in 2024 (Purple internal data). It is compatible with Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet access points.

For related network design strategies, see Three SSIDs to rule them all: guest, Passpoint, and IoT WiFi and our comprehensive iPSK: una guía completa para empresas .

Best practices for multi-tenant WiFi design

Design for density. Plan for 15-25 devices per household (Purple internal data from 80,000+ venues). A 200-unit BTR property will see 3,000-5,000 concurrent devices. Select UniFi access points - U6-Enterprise or U7-Pro - with sufficient CPU and memory for high client counts. Place APs in corridors rather than inside units to reduce the number of APs required while maintaining coverage.

Manage mDNS carefully. Multicast DNS is essential for device discovery (Apple Bonjour, Google Cast, Sonos). Configure your network to reflect mDNS traffic within each resident's VLAN while strictly blocking it from crossing VLAN boundaries. UniFi's mDNS repeater feature handles this when configured correctly.

Size DHCP scopes correctly. A /24 subnet (254 usable IPs) per resident is sufficient for most households. Ensure your core routing infrastructure - typically a UniFi Dream Machine Pro or UDM-SE - can handle hundreds of simultaneous subnets without performance degradation.

Minimise SSID count. Every additional SSID you broadcast consumes airtime with management frames, reducing available bandwidth for data traffic. PPSK enables you to consolidate to a single resident SSID. Add a separate Guest WiFi SSID for visitors in common areas, and a Staff WiFi SSID for building management. Three SSIDs is the practical maximum for most deployments.

Implement client isolation between VLANs at the routing layer. Do not rely solely on VLAN tagging. Configure explicit ACLs on your core router to prevent inter-VLAN routing between resident networks. Allow routing only to and from the internet gateway.

Troubleshooting and risk mitigation

The Chromecast problem

The most frequent support ticket in multi-tenant environments is device casting failure. A resident's phone cannot discover their Chromecast or Apple TV. This occurs when the casting device and receiver are on different subnets, or when mDNS traffic is dropped at the VLAN boundary.

Diagnosis: Confirm both devices are using the same PPSK. In the UniFi controller, check the client list and verify both devices are assigned to the same VLAN. If they are on different VLANs, the PPSK mapping is incorrect.

Resolution: Correct the PPSK-to-VLAN mapping in the controller or Purple dashboard. Verify that the UniFi mDNS repeater is enabled and scoped to the correct VLANs.

Password rotation chaos

In standard PSK deployments, when a resident moves out, the building-wide password must be changed, forcing every other resident to update all their devices. This is operationally catastrophic at scale.

Resolution: PPSK eliminates this risk entirely. Revoking one resident's key affects only that resident. Purple automates revocation via PMS integration, so no manual intervention is required.

DHCP exhaustion

In high-density buildings, DHCP pools can exhaust if scoped too small. A /24 subnet provides 254 IPs. With 20+ devices per household, this is sufficient for individual units, but ensure your DHCP lease times are set appropriately (four to eight hours for residential use) to reclaim addresses from disconnected devices.

WPA3 migration planning

As WPA3 becomes the default on new devices, PPSK's WPA2 constraint will become increasingly relevant. Plan your migration path now. For properties where WPA3 is a priority, evaluate 802.1X with a cloud RADIUS overlay that handles IoT device onboarding separately via MAC-based authentication or a dedicated IoT SSID.

ROI and business impact

Treating WiFi as a managed amenity delivers measurable commercial returns for BTR operators. Properties offering high-performance, move-in-ready WiFi command a £15-30 rent premium per unit per month, based on British Property Federation sector benchmarks. Move-in-ready WiFi reduces void periods by five to ten days. Deploying Purple's software overlay on owned UniFi hardware reduces per-door costs by 30-50% compared to negotiating individual broadband contracts with traditional ISPs (Purple internal modelling).

For a 200-unit BTR property, the maths are straightforward. A £20 per unit per month premium generates £48,000 in additional annual revenue. Against a software overlay cost that scales per unit, the payback period is typically under 12 months.

For hospitality operators, the benefit is different but equally measurable. Replacing an open network with a PPSK-secured SSID eliminates the guest experience failures caused by captive portals blocking IoT devices, reduces support calls to the front desk, and enables WiFi Analytics that generate first-party data for loyalty and marketing programmes.

For retail and transport operators, PPSK enables secure staff network segmentation on the same infrastructure as guest WiFi, reducing hardware costs and simplifying network management. For healthcare environments, PPSK provides the patient and visitor isolation required under GDPR and NHS network security standards.

Purple has deployed this architecture across 80,000+ venues globally, including Premier Inn, Whitbread, and Manchester Airports Group (MAG). The platform has processed 440 million logins in 2024 and holds ISO 27001, GDPR, CCPA, and Cyber Essentials certifications.

For more on iPSK architecture and deployment, see Nama ff keren iPSK: a comprehensive guide for businesses and Três SSIDs para a todos governar: o design de WiFi para convidados, funcionários e IoT .