PPSK Configuration Guide
OC200 , OC300 , Omada Software Controller , Omada Cloud-Based Controller
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device and check either the Datasheet or the firmware section for the latest improvements added to your product.
A private Pre-Shared Key (PPSK for short) is a security solution in which individual client devices can be managed without much complexity.
With PPSK, each user is assigned a unique passphrase for authentication. Also, it allows the binding of a passphrase and the device MAC address(es), and thus only the specified device can be authenticated using the passphrase.
In PPSK, you can create the PPSK list and apply them to multiple wireless networks, saving you from repeatedly setting up the same information.
1. Introduction to PPSK.
Omada SDN Controller supports two types of PPSK, PPSK without RADIUS and PPSK with RADIUS.
- PPSK without RADIUS: Just create PPSK profiles on Omada SDN Controller.
- PPSK with RADIUS:
- EAP works as a Network Access Server (NAS). You need to create clients in the RADIUS server to allow the EAPs to submit authentication requests.
- When the client connects to the SSID, EAP uses the MAC address of the client (in the format "xx:xx:xx:xx:xx") as the RADIUS User and User-password, the submitted PPSK as the Tunnel-password and submits the information to the RADIUS server for authentication. Therefore, you need to create users in the RADIUS server in the appropriate format.
2. Configuration Guide for PPSK without RADIUS.
First, create a new PPSK profile by Settings --> Profiles --> PPSK, name the profile, and add PPSKs manually, automatically, or by import. Please refer to the User Guide for more information about the PPSK profile.
The following figure creates a PPSK. The name “TP-Link” is used to identify the PPSK, while the passphrase “tplink123” is used for authentication when clients connect to Wi-Fi
If you enter the MAC address for a PPSK, then only specific clients can use the passphrase for authentication. If you define the VLAN assignment, then the client will connect to the corresponding VLAN after authentication.
After creating the PPSK profile, go to Settings --> Wireless Networks, create a new wireless network, and select PPSK without RADIUS and the PPSK profile.
3. Configuration Guide for PPSK with RADIUS.
Step 1. Set up the RADIUS server.
Here we are running a FreeRADIUS® server on a Linux server. For more information on installation and configuration, please refer to the FreeRADIUS documentation.
First, edit the “clients.conf” file. Here we assume that the EAPs are located in the network 192.168.0.0/24, and the shared secret used for communication between the EAPs and the RADIUS server is “tplink”, then the “clients.conf” file is configured like this:
Next, edit the “users” file. With the configuration shown below, three PPSK profiles are created.
- When the client with MAC address “xx:xx:xx:xx:xx:xx” submits PPSK “xxx_tplink”, it will be authenticated.
- When the client with MAC address “yy:yy:yy:yy:yy:yy” submits PPSK “yyy_tplink”, it will be authenticated and connected to the network of VLAN 10.
- When a client with an unknown MAC address submits the default password “default”, it will be authenticated and connected to the “Guest” network of VLAN 20.
Step 2. Create the RADIUS profile.
Go to Settings --> Authentication --> RADIUS Profile, and create a new profile bound to the RADIUS server. If necessary, note to check “Enable VLAN Assignment for Wireless Network”.
Step 3. Create more interfaces for VLAN assignments (optional)
Go to Settings --- Wired Networks --- LAN, and create two interfaces with VLAN10 and VLAN20.
Step 4. Create a wireless network encrypted with PPSK with RADIUS
Go to Settings – Wireless Networks and create the new wireless network shown below.
Related FAQs
Looking for More
Is this faq useful?
Your feedback helps improve this site.
What’s your concern with this article?
- Dissatisfied with product
- Too Complicated
- Confusing Title
- Does not apply to me
- Too Vague
- Other
We'd love to get your feedback, please let us know how we can improve this content.
Thank you
We appreciate your feedback.
Click here to contact TP-Link technical support.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again
Basic Cookies
These cookies are necessary for the website to function and cannot be deactivated in your systems.
TP-Link
SESSION, JSESSIONID, accepted_local_switcher, tp_privacy_base, tp_privacy_marketing, tp_smb-select-product_scence, tp_smb-select-product_scenceSimple, tp_smb-select-product_userChoice, tp_smb-select-product_userChoiceSimple, tp_smb-select-product_userInfo, tp_smb-select-product_userInfoSimple, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType
Youtube
id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ
Zendesk
OptanonConsent, __cf_bm, __cfruid, _cfuvid, _help_center_session, _pendo___sg__.<container-id>, _pendo_meta.<container-id>, _pendo_visitorId.<container-id>, _zendesk_authenticated, _zendesk_cookie, _zendesk_session, _zendesk_shared_session, ajs_anonymous_id, cf_clearance
Analysis and Marketing Cookies
Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.
The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.
Google Analytics & Google Tag Manager
_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>
Google Ads & DoubleClick
test_cookie, _gcl_au