Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device and check either the Datasheet or the firmware section for the latest improvements added to your product.
1. PPSK Introduction
Private Pre-Shared Key (PPSK) assigns a unique pre-shared key to each user of a single SSID. Users share the same Wi-Fi network, but each has a different password, so the keys can also be used to form smaller networks within the same SSID. Because PPSK supports multi-password access for one SSID, with each user assigned an independent password, only the leaked passwords need to be changed if some passwords are given away. Other users are not affected, which makes the network more resistant to risk. Meanwhile, the authentication process between the access point and the client requires a four-way handshake, which can enhance the security of the passwords. PPSK is classified into PPSK without RADIUS and PPSK with RADIUS. The PPSK function needs to be configured on the Omada Controller. Before configuration, make sure both the EAP and the Omada Controller support PPSK.
This guide will introduce how to configure PPSK by using the built-in RADIUS Server on the Omada Controller and other external RADIUS servers (e.g. FreeRadius, Rgnet, RoamingIQ, and ElevenOS).
1.1 Scenarios
For household scenarios, configuring a single pre-shared key (PSK) for each SSID can ensure security, while for enterprises, sharing the same PSK among all users can easily lead to password leakage, causing security risks. PPSK can provide a unique PSK for each terminal or user and thus offers a more secure and scalable solution than a traditional single PSK. PPSK is mainly used for two purposes:
- Users can have independent Wi-Fi passwords as needed.
- User data can be transmitted within VLANs, which makes PPSK applicable to a wider range of network scenarios such as hotels, offices, schools, and dormitories.
In scenarios with a large number of users (e.g. MDUs), an MSP can use external RADIUS servers (e.g. FreeRadius, Rgnet, RoamingIQ, and ElevenOS) to configure more PPSKs for the network.
1.2 PPSK VLAN
PPSK supports Dynamic VLAN, with each PSK bound to a single VLAN, so the client will be assigned to the specific VLAN after using the PSK for authentication. For PPSK without RADIUS, VLAN assignment can be configured in the PPSK profile for SSIDs. For PPSK with RADIUS, VLAN can be assigned in the RADIUS server. Together with other VLAN features on the Omada controller, this enables more flexible and powerful network planning and management.
1.3 PPSK without RADIUS
PPSK without RADIUS is a new encryption method based on WPA-Personal encryption, which will verify the user’s MAC address for authentication and assign the user to a specific VLAN after successful authentication. When configuring PPSK without RADIUS, select the appropriate encryption method under the WPA-mode.
PPSK without RADIUS Configuration Steps:
Step 1: Create New Wireless Network on the Omada Controller and choose PPSK without RADIUS as Security.
Step 2: Click Create New PPSK Profile in the drop-down list of PPSK Profile.
Parameters Explanation:

| Parameter | Explanation | Parameter Requirement |
| --- | --- | --- |
| Name | The name of the PPSK profile. A single profile can contain multiple PPSKs. | The length of the name should be between 1 and 64 characters. |
| Name(PPSK1) | The name of the PPSK entry. | The length of the name should be between 1 and 64 characters. |
| Passphrase | The key used for network access. | The length of the passphrase should be between 8 and 63 characters. |
| MAC Address | The MAC address bound to the passphrase. Only the device with the specified MAC address can use the passphrase for Wi-Fi authentication. This configuration is optional. If not configured, any device can use the passphrase to connect to the Wi-Fi. | The MAC address should be unicast. |
| VLAN assignment | The VLAN bound to the passphrase. The client using this passphrase for authentication will be assigned to the specified VLAN. | The VLAN ID should be in the range of 1-4094. |

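The requirements in the table above can be checked before entries are typed into the Controller. The following is an added example, not TP-Link code: the entry layout, function name, accepted MAC spellings and sample values are assumptions, and the duplicate-passphrase warning is a hygiene check added here (a shared passphrase cannot be revoked per user), not a stated Controller rule.

```python
import re

# Accepted MAC spellings (colon or hyphen separated) are an assumption.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}$")

def audit_ppsk_profile(entries):
    """Return (index, severity, message) findings for a list of PPSK entries.

    Each entry is a dict with keys name, passphrase, mac (or None) and
    vlan (or None); this layout is hypothetical, chosen for the example.
    """
    findings = []
    seen = {}  # passphrase -> index of the first entry that uses it
    for i, e in enumerate(entries):
        name, psk = e.get("name", ""), e.get("passphrase", "")
        mac, vlan = e.get("mac"), e.get("vlan")
        if not 1 <= len(name) <= 64:
            findings.append((i, "error", "name must be 1-64 characters"))
        if not 8 <= len(psk) <= 63:
            findings.append((i, "error", "passphrase must be 8-63 characters"))
        if psk in seen:
            findings.append((i, "warn", f"passphrase duplicates entry {seen[psk]}"))
        else:
            seen[psk] = i
        if mac is None:
            findings.append((i, "warn", "no MAC bound: any device can use this passphrase"))
        elif not MAC_RE.match(mac):
            findings.append((i, "error", "malformed MAC address"))
        elif int(mac[:2], 16) & 1:
            # The lowest bit of the first octet marks a group (multicast) address.
            findings.append((i, "error", "MAC address is not unicast"))
        if vlan is not None and not 1 <= vlan <= 4094:
            findings.append((i, "error", "VLAN ID must be 1-4094"))
    return findings

# Constructed sample profile (not real credentials or devices).
SAMPLE_PROFILE = [
    {"name": "room-101", "passphrase": "correct-horse-7731",
     "mac": "3C:52:82:10:AA:01", "vlan": 101},
    {"name": "room-102", "passphrase": "short", "mac": None, "vlan": 102},
    {"name": "room-103", "passphrase": "correct-horse-7731",
     "mac": "01:00:5E:00:00:FB", "vlan": 4095},
]

if __name__ == "__main__":
    for idx, severity, message in audit_ppsk_profile(SAMPLE_PROFILE):
        print(f"entry {idx} [{severity}] {message}")
```
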
1.4 PPSK with RADIUS
PPSK with RADIUS is based on WPA-Personal encryption and MAC-based authentication. To connect to the SSID configured with PPSK with RADIUS, the user only needs to enter the assigned password to access the network. For PPSK with RADIUS, the passphrases of the SSID can be configured on the Omada Controller. One SSID can be set with multiple passphrases (128 entries at most). While setting the passphrases, MAC addresses and VLANs can also be specified to realize two-factor authentication and VLAN assignment.
PPSK with RADIUS Configuration Steps:
Step 1: Create New Wireless Network on the Omada Controller and choose PPSK with RADIUS as Security.
Step 2: Click Create New RADIUS Profile in the drop-down list of RADIUS Profile.
Parameters Explanation:

| Parameter | Explanation | Parameter Requirement |
| --- | --- | --- |
| Name | The name of the RADIUS profile. | The length of the name should be between 1 and 64 characters. |
| VLAN Assignment | Click the checkbox to allow the RADIUS server to assign a wireless user into a specific VLAN based on the passphrase supplied by the user. | Click the checkbox. |
| Authentication Server IP | The IP address of the RADIUS server. | Class A/B/C legal IP addresses. |
| Authentication port | The port number of the RADIUS service. | 1-65535 |
| Authentication Password | The password used to connect to the RADIUS server. | ASCII code (0-127) |

2. Built-in RADIUS Server Configuration on the Omada Controller
On the Omada Controller and the Omada Pro Controller, there is a built-in RADIUS server for Generic Radius with bound MAC authentication, saving users the trouble of building an external RADIUS server. By default, the IP address of the built-in server is the same as that of the Controller and the authentication port is 1812. The IP address of the built-in server and the authentication port are also customizable. The authentication password or secret is customized by the user.
Configuration Steps:
Step 1: Go to Global->Server Setting and enable Built-in RADIUS.
Step 2: Create an SSID configured with PPSK with RADIUS and choose Built-in Radius Profile as the RADIUS Profile.
Step 3: Create a PPSK Profile. Set passphrases used for SSID connection and specify MAC addresses and VLANs.
3. FreeRadius Configuration Steps
3.1 daloradius Web Management Configuration
Step 1: Go to Management > New User.
Step 2: In the Username Authentication section of Account Info, enter the MAC address of the device as both the username and the password. The format of the MAC address should be the same as the following.
Step 3: Go to Attributes and select Quickly Locate Attribute with Autocomplete Input.
Step 4: Select the Attribute in the drop-down list and click Add Attribute.
Step 5: Add the attribute of Tunnel-Password and enter the value which will be the passphrase for SSID connection.
Step 6: Add the attributes of Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id and enter the values respectively to enable VLAN assignment for PPSK.
3.2 CLI Configuration
users: a file that can be configured to manage and authorize user information.
cd /etc/raddb: a command used to enter the target folder which contains the users file.
vim users: a command used to edit the file as follows.
esc :wq: a command used to save the configuration and exit edit mode.
reboot: a command used to restart the FreeRadius server to put the configuration into effect.
The entry DEFAULT Auth-Type = Accept indicates that devices with any MAC address can use the password for authentication.
The authentication port and password of the FreeRadius server can be customized in the file /etc/raddb/sites-available/default. The change takes effect after the server is restarted. Use the commands service radiusd stop and radiusd -X to restart the server.
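The contents of the users file are not reproduced on this page, so the following added example (not TP-Link or FreeRADIUS project code) renders one MAC-bound entry carrying the attributes listed in section 3.1 and rejects values that would break out of the quoted strings. The function names, the MAC spelling `AA-BB-CC-DD-EE-FF` and the sample passphrase are constructed placeholders; use the MAC format required in section 3.1.

```python
def is_safe_value(value):
    # Printable ASCII only, and no quote or backslash: either would end the
    # quoted string early and let the value inject extra attributes.
    return all(0x20 <= ord(c) <= 0x7E and c not in '"\\' for c in value)

def users_stanza(mac_username, passphrase, vlan_id=None):
    """Render one FreeRADIUS `users` entry for a MAC-bound PPSK.

    mac_username is used as both username and password, as in section 3.1.
    Its format is an assumption here and must match what the EAP sends.
    """
    if not mac_username or " " in mac_username or not is_safe_value(mac_username):
        raise ValueError("MAC username contains characters unsafe for the users file")
    if not is_safe_value(passphrase):
        raise ValueError("passphrase contains characters unsafe for the users file")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    reply = []
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        # The three tunnel attributes that enable VLAN assignment for PPSK.
        reply += ["Tunnel-Type = VLAN",
                  "Tunnel-Medium-Type = IEEE-802",
                  f'Tunnel-Private-Group-Id = "{vlan_id}"']
    # Tunnel-Password carries the passphrase used for the SSID connection.
    reply.append(f'Tunnel-Password = "{passphrase}"')
    head = f'{mac_username} Cleartext-Password := "{mac_username}"'
    return head + "\n" + ",\n".join("\t" + r for r in reply) + "\n"

if __name__ == "__main__":
    # Constructed placeholder values, not real devices or credentials.
    print(users_stanza("AA-BB-CC-DD-EE-FF", "constructed-pass-01", vlan_id=20))
```

The users file holds every passphrase in cleartext, so keep it readable only by the account that runs the RADIUS service.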
4. RgNet Server Configuration Steps
4.1 Installing RgNet Server
Go to the official website of RgNet (https://www.rgnets.com) and register for a Free rXg account. Refer to the official guide Getting Started | RG Nets to download the server image file and complete the initial setup. The rXg server used in this guide is installed in a VMware virtual machine.
Note: The host for installing the rXg server needs to have high performance. It is recommended that the host have 4 processors, at least 2 virtual network adapters, and 8 GB or more of RAM.
4.2 rXg Server Configuration
After installing the virtual machine, enter 192.168.5.1 in the web browser address bar to load the web page for initial setup. The system before setup has no license and is in a grayed-out, unusable state. Go to License and an IUI will be created. The IUI is created by the Free rXg system based on the host information and uniquely identifies that specific host, which means that the IUI will change and a new license will be required if the virtual machine image is migrated to another host. Then go to rXg Asset Manager (https://store.rgnets.com/asset_manager) to activate the license. Enter the IUI to obtain the activation code and copy and paste the code to the Free rXg system to complete activation. After activation, the setup is complete and you can start configuring the Free rXg system.
Step 1: Create New WLAN Controller Entry on the rXg Server
Go to Network-Wireless-WLAN Controller on the rXg server, click Create New to enter the corresponding information and click Create.
Step 2: Create New SSID
Go to Network-Wireless-WLANs on the rXg server, click Create New to enter the corresponding information and click Create. In Provisioning, the Controller should be the same as the one created in Step 1. In WLAN Configuration, the SSID should correspond to the one set in the Controller. Choose WPA2 for Encryption and Multiple-PSK for Authentication.
Step 3: Edit IP Group
Go to Identities->IP Groups to edit the automatically created entry of IP Groups. In Members->Address, choose Management LAN (192.168.5.x/24) and save the settings.
Step 4: Create Account Group and Account
Go to Identities -> Accounts, click Create New to add an Account Group, click the checkbox of Disable enhanced PSK Security, and choose the tp-link Omada entry just created for Policy.
Go to Create Account and enter the username and password for login, the First and Last name, and the email. In Sessions, click the checkbox of Automatic provision and the checkbox of unlimited for Max sessions and devices, and enter the pre-shared key for authentication.
Step 5: Create Radius Server Realms
Go to Services->Radius, create a Radius Server Realm, and choose the policy entry just configured.
Step 6: Edit TPLink-EAPOL-Found-PMK Attribute
Go to Services->RADIUS. If there is no TPLink-EAPOL-Found-PMK in the list of RADIUS Server Attributes, refer to the following pictures to add the attribute. Select the attribute in the RADIUS Server Realms.
Step 7: Create Radius Server Options
Go to Services->RADIUS, create a Radius Server Option entry, and choose the policy entry just configured.
4.3 Omada Controller Configuration
Step 1: Create New RADIUS Profile
Enter the IP address of the rXg server (192.168.5.1) for the Authentication Server IP/URL and the Accounting Server IP/URL. The authentication port is 1812 and the accounting port is 1813. Make sure the authentication/accounting/CoA passwords correspond with those set in the Secret column of the RADIUS Server Options on the rXg server.
Step 2: Create New SSID
Create a new SSID and choose PPSK with RADIUS as Security. Select the RADIUS Profile created on the rXg server. Note that the 6 GHz band should not be enabled.
5. RoamingIQ Server Configuration Steps
5.1 Configuring RoamingIQ Cloud Server
Step 1: Log in to the Cloud Server
Go to https://tplink.wifikey.io/ and log in to the cloud server web portal, or use the local test administrator account.
Step 2: Access the Homepage
Click on the administrator icon in the top right corner and select Network Admin Account to enter the configuration homepage of the cloud server.
Step 3: Create Venue
Click Add New Venue.
Enter the Venue information.
Step 4: Create Unit
Click Add New Unit.
Enter the Unit information. Add the Unit in the Venue just created.
Step 5: Create SSID
Click the Venue just created in the homepage for further configurations.
Go to Keypools.
Create a new SSID in the current Venue and click Add Keypool.
Go to Service Plan and choose the service plan needed.
Step 6: Create Resident
Click on the administrator icon in the top right corner and select Venue Admin Account to enter the Venue configuration page.
Select the Venue just created in the top left corner and enter the Venue.
Click Add New Resident to set password for each user.
Fill in the Resident information. The email address should be valid to receive the PPSK information. If the email address is new, the resident will need to create a user account by following the link in the server's reply email during first-time use.
Step 7: Log in to the User Account
Go to https://tplink.wifikey.io/ and log in to the cloud server. Use the email account mentioned above to log in.
After logging in, select the Unit (profile) and SSID (Network) to choose the network you want to connect to. Use the Wi-Fi Password or scan the QR code to connect to the wireless network. You can also view other devices connected to the wireless network and monitor their real-time data usage.
5.2 Omada Controller Configuration
Step 1: Adopt EAP device on the Omada Controller
Step 2: Create New RADIUS Profile
Enter the IP address, the authentication and the accounting ports and passwords of the cloud server. Enable VLAN assignment for wireless network. The cloud server does not support CoA currently.
Step 3: Create New SSID
The SSID should be the same as the one set in the cloud server. Choose PPSK with RADIUS as Security and select the RADIUS profile just created. Only Generic Radius with unbound MAC is currently supported as the authentication type.
The NAS ID should also be specified. It can be found in the Profile of Venue details on the cloud server.
Step 4: Connect to the SSID
Use the Wi-Fi password or scan the QR code to connect to the wireless network.
6. ElevenOS Server Configuration Steps
The configuration of the ElevenOS server requires two websites: Secure.11os.com and app.wifiuseradmin.com. The first website is used to enable services and record resident information. The user needs to purchase ElevenOS to obtain an account for this website. The second website, also known as Site Manager, is used to manage sites and the network users in those sites. The account for the second website is created by invitation from the previously purchased account. The two websites are connected by the APIs in the Site Manager.
6.1 Secure.11os.com Configuration
Step 1: Create New Site
Go to SETUP and click Add Org. Fill in the basic information of the site and click Create.
Click Go Live to activate the site. The string of numbers and letters (ORG ID) in the top right corner is the NAS ID required for the Omada Controller configuration.
Step 2: Create Service Area
Go to SETUP in the site, choose Add Org, and create a new Service area.
Step 3: Configure Attributes
Go to Attributes, click Add Attributes and configure the attributes of Juno, ResidentPan, ZoneType, and KeyService, which represent four different services respectively. Juno refers to enabling Portal Manager, ResidentPan indicates PAN Mapping services, ZoneType represents scenarios, and KeyService means enabling accounting services. For more information on other attributes, refer to Understanding ElevenOS Custom Org Attributes – Eleven (elevensoftware.com).
Step 4: Create Portal
Go to SETUP and choose Portal. Configure the Portal UI for users to provide their information and email to obtain the password generated by the ElevenOS server.
Step 5: Configure PAN Mapping
Go to SETUP and choose PAN Mapping. Create VLANs corresponding to the units. Here, VLAN configuration is mandatory.
Step 6: Configure Connection Profile
Go to SETUP and choose Connection Profile. Select Centralized-ElevenOS for Personal Pass Key. The SSID configured on the Controller should be the same as the Network SSID here. Configure the key pattern in Key Settings. You can choose numeric, noun and adjective patterns or a mixed pattern. The passwords obtained by the users via their emails are similar to the Example Key.
6.2 Site Manager Configuration
Step 1: Click Import Site to import the 11OS site created. Go to the imported site and click New Resident to record the user information, including the email address, unit, VLAN assigned, and the period of validity of the password.
Step 2: The 11OS server will send an email to the user, including information like the SSID name and password, with which the user can connect to the SSID.
6.3 Omada Controller Configuration
Step 1: Create a new SSID and choose EKMS for the authentication type.
Note: EKMS is only supported in Omada Pro Controller and Omada Software Controller (version 5.14.0 and above).
Step 2: Create a new RADIUS profile. Enter the corresponding parameters, and the EAP will send a request to the ElevenOS server for authentication and network connection.
7. FAQ
During the configuration of the servers, various problems can cause client-server authentication or the network connection to fail. Below are some common reasons why wireless clients fail to connect to the RADIUS server. You can follow the troubleshooting steps to address the issues encountered:
1. Refer to the troubleshooting steps in Unable to Connect to EAP WiFi.
2. Check that your EAP firmware and Omada Controller versions support the PPSK functionality.
3. Check the connectivity of your RADIUS server. Verify that the RADIUS Profile configuration is correct, the RADIUS Server is online, and the connection between the EAP device and the RADIUS Server is reachable.
4. Ensure that the SSID for which you have enabled PPSK on the Omada Controller matches the one configured on the RADIUS server.
If the above steps do not resolve the issue, please contact TP-Link Technical Support for further assistance.